With the FFIEC's guidance stating that banks should implement two-factor authentication for Internet services that involve sensitive customer information or movement of funds, the status quo in information security in banking has been quickly overturned. The FFIEC guidance raises the minimum standard by mandating two-factor authentication by the end of 2006. Now, a bank that may have held off on implementing a two-factor solution for fear of getting too far ahead of the mainstream market can move ahead without fear of losing customers to security laggards. There may still be laggards, but the differences won't be as stark as they were in the past.
The 2006 deadline means that banks not only have to figure out how to deploy two-factor authentication, but also which alliances and standards bodies they should join for deployment. In the absence of some level of industry consensus, customers will be asked to adopt a different authentication technique for each bank they do business with. One result could be "token necklace" syndrome, where someone has to carry around several different identification dongles. Or worse, a single customer may have to use a USB token for one bank, a smart card for another, and a one-time-password device for a third. Someone in either situation would be likely to get frustrated and end relationships with the financial institutions having the most troublesome authentication methods, which, counter to the intent of the FFIEC guidance, would reward the banks adopting only the minimum standard.
An alternative is for the banks to decide upon a common, interoperable standard for authentication. Since the choices of method are numerous, with debatable merits and variable costs, I don't really expect this to happen.
But there's another option: Instead of each bank deciding which form of authentication it wants all of its customers to use, perhaps the choice should be that of the customer. Imagine if every single Internet banking customer received the same letter in the mail:
Dear Internet Banking Customer:
In order to protect your information and secure your funds, please select one of the following authentication methods as the one that you will use by the end of 2006:
- USB token
- Smart card
- Password-generating token
- Password-generating mobile phone
- Biometric reader
You will be able to use this authentication method for all of your banking relationships.
Signed, The Banking Industry
How's that for putting the customer first?