But Hinkel's biggest concern is that the language used to define multi-factor authentication is too vague. Dating back to the 2005 guidance, the FFIEC says the concept of authentication is broad, and while the document describes multi-factor authentication as being more than a single initial authentication, it gives little indication of what types of authentication are acceptable.
"So what you’re saying is this entire release -- this entire piece of guidance -- is based on the fact that you cannot put your arms around the concept of multi-factor authentication. It’s saying you put in more than initial log in. But what is it?"
Hinkel says that in today's litigious society, FFIEC's broad or soft language on certain aspects could ultimately become costly for banks.
"This broad definition of what customer authentication is not, without identifying what it is, just further muddies the water," he adds. "Any time there’s any type of confusion, it opens the door for interpretation. And unfortunately the courts are the arbiters on the interpretation of it. And the more specific that this guidance will be, the less likely it is issues will have to be settled in a court of law."
While Hinkel has his share of criticism for the updated guidance, he says the FFIEC did a good job in adding an educational element, in bringing up the idea of risk assessments and in emphasizing the idea of layered security. He also says that the FFIEC broadly works to give best practices on authentication without overreacting to new technology, which is always evolving.
"I don’t think it should, frankly," he says of any expectation that the FFIEC address individual pieces of technology or trends. "If the FFIEC were expected to keep up with new technology, they would have to issue a new guidance each year."
While some criticize elements of the FFIEC's updated guidance on authentication, George Tubin, senior research director for TowerGroup's Retail Banking & Cards practice, praises it for meeting the broad needs of the industry and the five regulators who wrote it.
"I think it’s a great document, I think it’s clearly written. It’s appropriate for where we are now," Tubin says. "I think certainly what they came up with is a giant step in the right direction. It does put in very solid controls and proven techniques that will definitely help."
Tubin says layered security is the key to the entire piece.
"You can’t rely on just one security technology," he adds. "You need to have multiple controls and different kinds of controls."
So who is the updated FFIEC guidance for? While McNelley and Tubin say big banks are generally well-invested in secure online authentication technology, federal guidelines such as this will help smaller banks and credit unions make the case for investing in technology.
"A lot of smaller banks have been sticking to that 2005 guidance," McNelley says. "Larger banks are absolutely being very proactive on this front. Smaller banks have had a lot thrown at them over the last couple of years in terms of regulatory priorities."
Tubin agrees smaller banks and credit unions have a lot of catching up to do.
"Unfortunately with a number of these cyber attacks that we’re hearing about, a lot of them are directed at the small and medium financial institutions," he says. "Unfortunately, with as many as are out there, they aren’t all as educated on security."