Authentication Compliance Guidelines
Replacing knowledge-based authentication with multi-factor authentication
Weak consumer authentication is the root cause of account takeover and of the fraud and information disclosure that follow from it. For this reason, standards bodies and government agencies have been advocating, or requiring, more robust authentication approaches.
All of these requirements and principles point in the same direction: move to multi-factor authentication and minimize the use of personal knowledge as an authentication factor, in both digital and telephone channels.
| Standard or regulation | Requirement |
|---|---|
| FFIEC | The FFIEC is a US interagency body that prescribes uniform principles and standards for financial institutions. It requires protection of customer information and the use of multi-factor authentication for telephone banking when a single-factor approach, such as knowledge-based authentication, is inadequate. |
| FTC Safeguards Rule | The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. It specifically requires detecting and preventing attacks aimed at obtaining personal information, and requires that safeguards be in place to monitor the effectiveness of those measures. Authentication systems based on knowledge factors lack the accuracy needed to secure personal information. |
| Patriot Act | The USA Patriot Act requires that financial institutions verify the identity of individuals wishing to conduct financial transactions. Since personal information is no longer predictive of identity, financial institutions need to deploy more robust authentication methods. |
| National Institute of Standards and Technology (NIST) | The Authentication and Lifecycle Management section of NIST's Digital Identity Guidelines specifies that two-factor authentication is required when high confidence in identity is necessary for access to an account. The same principle should be followed by other governments and commercial entities. |
| Red Flag Rules | The SEC and FTC have published identity theft red flag rules that require financial institutions to take steps to prevent identity theft. Using personal information to gain access to account information does not meet this standard. In addition, using personal information for authentication creates an incentive for identity theft. |
| New York State | The New York State Department of Financial Services requires financial institutions and creditors to take steps to prevent identity theft, including the use of multi-factor authentication. |