Gideon T. Rasmussen, CISSP, CISA, CISM, MVP
Support for Strong Authentication

An FFIEC document considers "single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." It adds that "financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques."

The FFIEC’s strong words are applicable to any organization that needs to protect remote access to sensitive data. Their rationale provides validation for the use of two-factor authentication.

A brief overview of two-factor authentication… ATM cards are a common implementation of two-factor authentication. The two factors are the ATM card (something you have) and the PIN (something you know). Large organizations use similar methods to secure web sites and internal networks containing sensitive information. Small keychain-sized tokens display a password which changes each minute. The user accesses a restricted web site or VPN and enters their account name and the "one-time" password provided by the token.
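The post describes a token whose displayed password changes every minute and a server that accepts the current one-time password alongside the account name. As an added example that is not part of the original post and not the vendor's algorithm (the tokens named here are proprietary), the following Python sketch implements a generic time-based one-time password scheme in the style of RFC 4226/6238 (HMAC-SHA1 over a time-step counter). The secret bytes, the one-minute step, the `TokenServer` class and its user names are assumptions for illustration; the server side also shows the two checks a practitioner expects, tolerance for small clock drift and rejection of a replayed code.

```python
import hmac
import hashlib
import struct
import time

# Added example (not the post's or any vendor's code): a generic time-based
# one-time password scheme. Assumption: the token and the server share a secret
# and clocks that agree to within about one step.
STEP_SECONDS = 60   # the post says the displayed password changes each minute
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """What the keychain token displays: HOTP over the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, digits: int = DIGITS,
                skew_steps: int = 1) -> bool:
    """Stateless server-side check. Accepts the code for the current step and
    for +/- skew_steps neighbouring steps to tolerate clock drift. The
    comparison is constant-time so timing does not leak partial matches."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = int(unix_time) // step
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


class TokenServer:
    """Hypothetical authentication server. Besides the drift window it records
    the last counter accepted per user, so a one-time password that was
    captured (for example by a phishing page) cannot be replayed inside its
    validity window: each counter value is accepted at most once."""

    def __init__(self, step: int = STEP_SECONDS, digits: int = DIGITS,
                 skew_steps: int = 1):
        self.step, self.digits, self.skew = step, digits, skew_steps
        self.secrets = {}        # user -> shared token secret
        self.last_counter = {}   # user -> highest counter already used

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def login(self, user: str, submitted: str, unix_time: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        counter = int(unix_time) // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if candidate <= self.last_counter.get(user, -1):
                continue  # already consumed: treat as replay
            if hmac.compare_digest(hotp(secret, candidate, self.digits), submitted):
                self.last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real deployment provisions a random per-token secret.
    demo_secret = b"constructed-demo-secret"
    now = int(time.time())
    print("token shows:", totp(demo_secret, now))
    print("server accepts:", verify_totp(demo_secret, totp(demo_secret, now), now))
```

The `verify_totp` function is enough to check a code, but the `TokenServer` variant is the one to model in practice: the drift window exists so users with a slightly slow clock are not locked out, and the per-user `last_counter` closes the obvious gap that window opens, a code being valid for up to three minutes rather than one.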

The use of two-factor authentication is on the rise. Large customer-facing companies such as E*Trade have started issuing password tokens to their customers. Small and medium-sized organizations are using it too. For example, the Regional MLS of Florida recently began using two-factor authentication with Secure Computing SafeWord as the underlying technology. Two-factor authentication is also commonly used to provide secure authentication for Outlook Web Access (OWA).

The FFIEC recommendations may be helpful in convincing management to address the risks associated with remote access to sensitive data. Government regulations are likely to follow suit due to the threats of phishing sites and malware combined with the reduced cost of two-factor implementations. When considering a two-factor solution, risk, security features and cost obviously come to mind. Also determine the minimum number of tokens the vendor will provide and how the solution scales with the growth of an organization.

Included below is a link to the FFIEC document and a thought-provoking article on the CSO Online site.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, SCSA
Charlotte, NC
gideon@...

http://www.ussecurityawareness.org
http://www.gideonrasmussen.com

Authentication in an Internet Banking Environment - FFIEC

http://www.ffiec.gov/pdf/authentication_guidance.pdf

Second Thoughts on Second Factors - CSOonline.com

http://www.csoonline.com/read/020106/second_thoughts.html



Posted: Tue Feb 21, 2006 4:57 am
Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.