Authentication Practices - American Bankers Association

Tool 3: Managing and Controlling Risk
Safeguarding Customer Information
Authentication Practices
Authentication, the function of verifying the identity of persons seeking access to
information systems and/or electronic banking services, is a high-profile element of
safeguarding customer information. There are a variety of authentication tools and
systems in use today within the banking industry. These include user passwords, personal
identification numbers (PINs), digital certificates using public key infrastructure (PKI),
smart cards, tokens and other types of physical devices, and biometric identifiers. The
degree of security afforded by each of these tools/systems varies and is evolving as
technology changes.
Authentication methods generally fall into one of three basic categories or factors:
• Something the user knows (e.g., password, PIN);
• Something the user possesses (e.g., ATM or smart card, security token); or
• Something the user is (e.g., biometric characteristic, such as fingerprint or
  retinal pattern).
Authentication systems that involve more than one of these factors are typically more
difficult to compromise than single-factor systems. Implementation and maintenance of
multi-factor systems typically require greater financial and administrative resources.
Consequently, an efficient authentication system is one in which the associated resource
costs are commensurate with the sensitivity and criticality of the system/services being
protected. Further, the success of a particular authentication method depends on more
than the technology itself and the proper implementation of the technology. It also
depends on the adoption of and adherence to appropriate control policies, procedures, and
standards. Finally, an effective authentication method should have user acceptance,
reliable performance, scalability to accommodate growth, and interoperability with
existing and planned IT systems.
The Federal Financial Institutions Examination Council (FFIEC) issued Supervision and
Regulation Letter SR 00-20, dated August 15, 2001. This mailing distributed the FFIEC’s
guidance paper entitled “Authentication in an Electronic Banking Environment,” dated
August 8, 2001. This guidance document specifically addresses authenticating customers
accessing an institution’s computer systems via the Internet, yet the principles discussed
AMERICAN BANKERS ASSOCIATION
also apply to authenticating bank employees and third-party vendors, suppliers, and
contractors attempting to access any bank-owned data and/or information system.
The guidance also applies whether the subject data or information systems are maintained
in-house by the bank or housed at external data processing service providers.
The FFIEC authentication guidance addresses four elements of an effective
authentication system relative to electronic banking systems: risk assessment; customer
verification during account origination; transaction initiation and authentication of
existing customers; and monitoring and reporting.
Risk Assessment
The implementation of effective authentication methods starts with management’s
assessment of the risk posed by the institution’s electronic banking systems. The risk
should be evaluated in light of the type of customer (e.g., retail or commercial), the
transaction capabilities available, the sensitivity and criticality of the stored information
to both the bank itself and the customer, and the size and volume of transactions. The
authentication method implemented for a specific electronic application should be
appropriate and commercially reasonable relative to the reasonably foreseeable risks in
that application.
From an enterprise-wide perspective, because institutions’ information systems and
product mixes change over time, management is expected to periodically conduct
additional risk assessments to determine whether modifications are needed to maintain
commercially reasonable authentication systems.
Customer Verification During Account Origination
In an electronic or online banking environment, the use of and reliance on traditional
forms of paper-based authentication (face-to-face presentation of an individual’s driver’s
license, etc.) is generally not feasible. Alternative methods of authentication, verifying
personal information, are needed. A bank can verify a potential customer’s identity by
comparing their answers to a series of detailed questions against information in a trusted
database for consistency (e.g., a reliable credit report); such a process is known as
“positive verification.” Information provided by the potential customer may also be
reviewed for logical consistency (e.g., are the telephone area code, ZIP code, and street
address consistent with each other); this process is known as “logical verification.”
“Negative verification” is the process of comparing customer-provided information
against fraud-related databases to determine whether any of the information is associated
with known incidents of fraudulent behavior. Finally, a customer’s identity can be
verified through the use of an electronic credential, such as a digital certificate, issued by
a trusted third party.
The ABA has recently distributed a resource guide to assist institutions in the
identification and verification of account holders.
Transaction Initiation and Authentication of Existing Customers
Institutions are currently using a variety of methods to authenticate existing customers,
including passwords, PINs, digital certificates and PKI, physical devices such as smart
cards or tokens, and biometrics. Communication of customer responsibilities and
recommended precautions can strengthen the reliability of such authentication methods.
Passwords and PINs: User IDs combined with passwords or PINs are considered a
single-factor authentication technique. The degree of security provided depends on
password secrecy and encryption and on password length and composition. Further,
system configuration settings and password administration should be controlled via an
appropriate security policy.
Digital Certificates and PKI: Due to its complexity and costs, PKI has not been widely
deployed for retail-based electronic banking systems. It is an emerging tool, however, in
the commercial or business-to-business sector.
Physical Devices: Devices such as smart cards or tokens are typically part of a two-factor
authentication process, complemented by a password as the other factor. Authentication
cannot be completed unless the device is present.
Biometrics: A biometric identifier measures an individual’s unique physical
characteristics or behavior and compares it to a stored digital template for authentication.
The identifier can be created from sources such as the individual’s voice, fingerprints,
hand or face geometry, the iris or retina of an eye, or a signature. A biometric identifier
can be used in either a single-factor or a multi-factor process. Although not widely used in banking for
customer authentication in electronic banking applications, biometrics are increasingly
used for physical access control.
Monitoring and Reporting
An effective authentication system should include monitoring or audit features that assist
in the detection of fraud, compromised passwords, and unusual or other unauthorized
activities. The activation, review, and maintenance of audit logs should be standard
control procedures.
Adequate reporting mechanisms, including documentation trails, are needed to promptly
inform security administrators when users are no longer authorized to access a particular
system and to permit the timely and complete removal or suspension of user access
accounts when warranted. The security administrator’s actions should be documented in
activity reports and reviewed by an independent party to provide the needed checks and
balances. If critical systems or processes are outsourced to third parties, clients should
ensure that the appropriate logging and monitoring procedures are in place and that
suspected unauthorized activities are communicated to clients in a timely manner.
Frequently Asked Questions
1. Are single-factor methods (e.g., passwords) considered adequate for institution
users’ authentication to core processing systems and for customers’ authentication
to electronic banking systems at community banks?
Potentially, yes, depending on appropriate verification during account origination,
prudent system controls and standards relative to password administration, and effective
monitoring and reporting mechanisms. The following system control settings/processes
are considered integral to prudent password administration:
• Industry standards are migrating to the use of passwords with a minimum of 6
  characters, comprised of a combination of letters, numbers, and special
  characters;
• Locking out users after an excessive number of failed login attempts – industry
  practice is generally no more than 5 unsuccessful attempts;
• Establishing risk-based password expiration intervals – industry practice is
  migrating toward no greater than 90 days;
• Implementing a secure process for password originations and resets, including
  forcing a password change at the next login;
• Preventing use of previously used passwords; and
• Terminating access after a specified interval of inactivity – industry practice is
  generally not more than 20 minutes.
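As an added illustration (example code, not text or code from the ABA or the FFIEC), the password administration controls listed above expressed as a small account-state model in Python. The thresholds are the ones stated in the FAQ; the `Account` class, the function names, the return codes, and the salted PBKDF2 storage are assumptions of this example, and any passwords or salts used with it are constructed values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH, MAX_FAILED_ATTEMPTS = 6, 5                  # thresholds stated in the FAQ above
MAX_PASSWORD_AGE, IDLE_TIMEOUT = timedelta(days=90), timedelta(minutes=20)

def meets_composition(password: str) -> bool:           # 6+ chars mixing letters, digits, specials
    return (len(password) >= MIN_LENGTH and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password) and any(not c.isalnum() for c in password))

def _digest(password: str, salt: bytes) -> bytes:       # salted PBKDF2 (assumed); plaintext is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:                                          # hypothetical per-user record for this example
    salt: bytes
    current: bytes = b""
    set_at: datetime = datetime.min
    history: list = field(default_factory=list)         # digests of previously used passwords
    failed: int = 0
    must_change: bool = False                           # set by an administrative reset
    last_activity: datetime = datetime.min

def set_password(acct: Account, new: str, now: datetime, by_admin: bool = False) -> str:  # 'ok'|'weak'|'reused'
    if not meets_composition(new):
        return "weak"
    digest = _digest(new, acct.salt)
    if digest == acct.current or digest in acct.history:
        return "reused"                                 # previously used passwords are blocked
    acct.history += [acct.current] if acct.current else []
    acct.current, acct.set_at, acct.failed = digest, now, 0
    acct.must_change = by_admin                         # admin-issued password: change at next login
    return "ok"

def login(acct: Account, password: str, now: datetime) -> str:  # 'locked'|'invalid'|'change_required'|'ok'
    if acct.failed >= MAX_FAILED_ATTEMPTS:
        return "locked"                                 # stays locked until an administrator resets it
    if _digest(password, acct.salt) != acct.current:
        acct.failed += 1
        return "invalid"
    acct.failed = 0
    if acct.must_change or now - acct.set_at > MAX_PASSWORD_AGE:
        return "change_required"                        # forced change at next login / 90-day expiry
    acct.last_activity = now
    return "ok"

def session_active(acct: Account, now: datetime) -> bool:  # idle sessions end after 20 minutes
    return now - acct.last_activity <= IDLE_TIMEOUT
```

The lockout check runs before the password is verified, so a correct password cannot be used to probe a locked account; only an administrative reset clears the counter.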
2. What guidance should financial institutions be providing to system users with
respect to password generation?
The security provided by a password is directly linked with its confidentiality.
Passwords should never be recorded in writing, nor shared with any other user, and the
use of readily available user identifiers should be strongly discouraged (e.g., the entire or
any part of a user’s Social Security number, birth date, etc.). Additionally, a password
consisting of a word found in the dictionary is subject to a greater risk of compromise
than one consisting of letters, numbers, and/or special characters.
3. Are FFIEC’s authentication guidelines designed to prompt community
institutions to strengthen existing authentication systems?
Yes, in a general sense. Recent examination findings suggest that community institutions
have generally not conducted risk assessments of the information systems deployed
enterprise-wide. Risk assessments and the corresponding determination of appropriate
authentication methods are needed for core application systems, network-based
applications and data, microcomputer-based applications and data, and for all
product/service delivery channels (e.g., ATMs, telephone banking systems, Internet
banking systems). In addition, risk assessments of all systems must now consider the
privacy and confidentiality of any nonpublic customer information relative to the
Interagency Guidelines for Safekeeping Customer Information.
4. What are some of the key considerations of deploying digital signatures and PKI,
physical devices such as smart cards or tokens, and biometric identifiers as
authentication methodologies?
The FFIEC’s August 2001 guidance document, “Authentication in an Electronic Banking
Environment,” provides a detailed discussion on each of these authentication methods
and their associated control considerations.