January 25, 2011, 2:10 PM — The Federal Financial Institutions Examination Council (FFIEC) could soon release new guidelines for banks to use when authenticating users to online banking transactions.
The new guidelines will clarify the FFIEC's existing guidelines on the subject and more explicitly inform banks about what they need to do to bolster online authentication, said Avivah Litan, an analyst at Gartner.
Litan recently met with the FFIEC's IT subcommittee to discuss the updates. "They have been talking about it and debating it for a while," Litan said. "My understanding is that [the subcommittee meeting] was the last step in the process before they issue the new guidance."
The FFIEC is an interagency council that develops uniform standards for the federal examination of financial institutions by regulators such as the Federal Reserve System and the Federal Deposit Insurance Corp. (FDIC).
In 2005, it issued a set of guidelines, titled "Authentication in an Internet Banking Environment," that called on banks to upgrade their single-factor authentication processes -- typically based on user names and passwords -- with a stronger second form of authentication by the end of 2006.
The guidance left it largely up to each bank to choose whichever second form of authentication it felt was most appropriate for its needs. The FFIEC listed several available authentication technologies that banks could choose from, including biometrics, one-time passwords and token-based authentication.
Since the guidelines were issued, many banks have added a second authentication layer for users conducting certain kinds of online transactions. In many cases, however, the added measures have been largely cosmetic and have done little to strengthen authentication in the way the FFIEC originally intended, Litan said.
"Obviously, some of the banks thought that it was enough if they simply added cookies or challenge/response-based authentication," Litan said. "What has happened is that the FFIEC has realized that some banks need to be told in black and white what they need to do."
The FFIEC did not immediately respond to Computerworld's requests for clarification on the purported release of the new guidelines.
News of the proposed revisions comes amid growing concern about the ability of cybercriminals to circumvent the authentication mechanisms banks currently use for online transactions.