The much-anticipated FFIEC Authentication Guidance was released on June 28, 2011, as a supplement to the very dated 2005 Guidance on Authentication in an Internet Banking Environment. The complete text of the Supplement to Authentication in an Internet Banking Environment is available on the FFIEC website.
There is not much difference from the draft mistakenly released on the National Credit Union Administration website in 2010. The guidance is weak in a number of areas, specifically on the need for multi-factor authentication in consumer banking, not just commercial banking, and in its failure to address the security of mobile banking. The supplement does emphasize the need for ongoing updates of risk assessments and the need for a layered approach to security, both recommendations commonly found among best practices for identity and authentication management.
A number of vendors will scramble to re-position their products as multi-factor, or attempt to adapt single-dimension OTP or challenge-response offerings to address the emphasis on risk assessment and layered security. However, there are many current offerings available to address the regulatory requirements of 2012. Careful research is essential to identifying an authentication solution that not only fits your needs, but does so without adding burden to users, and also provides a flexible platform that can adapt and extend to meet the challenges of tomorrow.
--------------------------------------------------------