On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) on behalf of its members[1] issued guidance titled, Authentication and Access to Financial Institution Services and Systems (the Guidance) to provide financial institutions with examples of effective risk management principles and practices for access and authentication. These principles and practices address business and consumer customers, employees, and third parties that access digital banking services and financial institution information systems.
The Guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011), which provided risk management practices for financial institutions offering Internet-based products and services. Additionally, the new Guidance acknowledges significant risks associated with the cybersecurity threat landscape that reinforce the need for financial institutions to effectively authenticate users and customers to protect information systems, accounts, and data as well as employees, third parties, and system-to-system communications.
The new Guidance is not intended to serve as a comprehensive framework for identity and access management programs and does not endorse any specific information security framework or standard. It is relevant whether the financial institution or a third party, on behalf of the financial institution, provides the accessed information systems and authentication controls.
Highlights of the new Guidance. The Guidance presents risk management principles and practices that can support a financial institution’s authentication of: (a) users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users); and (b) consumer and business customers (collectively, customers) authorized to access digital banking services. The application of these principles and practices may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances.
Topics of this Guidance include:
• Conducting a risk assessment for access and authentication to digital banking and information systems.
• Identifying all users and customers for which authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as Multi-Factor Authentication (MFA).
• Periodically evaluating the effectiveness of user and customer authentication controls.
• Implementing layered security to protect against unauthorized access.
• Monitoring, logging, and reporting of activities to identify and track unauthorized access.
• Identifying risks from, and implementing mitigating controls for, email systems, Internet access, customer call centers, and internal IT help desks.
• Identifying risks from, and implementing mitigating controls for, a customer-permissioned entity’s access to a financial institution’s information systems.
• Maintaining awareness and education programs on authentication risks for users and customers.
• Verifying the identity of users and customers.
Threat Landscape. The system entry or access points (known as the attack surface) where an attacker can compromise a financial institution have expanded with the evolution of new technologies and broadly used remote access points. Authentication risks may arise from:
• Expanded remote access to information systems;
• The types of devices and third parties accessing information systems;
• The use of application programming interfaces (APIs); and
• Financial institutions’ increased connectivity to third parties, such as cloud service providers.
Malicious activity resulting in compromise of customer and user accounts and information system security has shown that single-factor authentication, either alone or in combination with layered security, is inadequate in many situations.
Risk Assessment. A risk assessment evaluates risks, threats, vulnerabilities, and controls associated with access and authentication, and supports decisions regarding authentication techniques and access management practices. An integrated, enterprise-wide approach to a risk assessment includes inputs from a range of business functions or units, and the assessment is performed before a new product or service is implemented.
Examples of effective risk assessment practices include:
- Inventory of Information Systems
- Inventory of Digital Banking Services and Customers
- Identify Customers Engaged in High-Risk Transactions
- Identify Users, including employees, service accounts, and users at third parties
- High-Risk User Identification
- Threat Identification
- Controls Assessment (initial and periodical)
Layered Security. Layered security incorporates multiple preventative, detective, and corrective controls, and is designed to compensate for potential weaknesses in any one control. Consistent with the assessed level of risk, the application of these controls can mitigate inherent risk associated with, and protect against unauthorized access to, information systems and digital banking services.
Relying only on a single control or authentication solution can increase risk to information systems and digital banking services. In a layered security approach, authentication controls are applied commensurate with the increasing risk level associated with a transaction or access to an information system.
Multi-Factor Authentication (MFA) as Part of Layered Security. Use of single-factor authentication as the only control mechanism has been shown to be inadequate against system and user threats. When a financial institution management’s risk assessment indicates that single-factor authentication with layered security is inadequate, MFA or controls of equivalent strength as part of layered security can more effectively mitigate risks. When selecting an authentication solution, such as MFA, effective risk assessment practices consider whether any residual risk associated with the authentication solution is consistent with the financial institution’s risk appetite and security policies.
MFA is defined as: An authentication system that requires more than one distinct authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are. MFA factors may include memorized secrets, look-up secrets, out-of-band devices, one-time password devices, biometric identifiers, or cryptographic keys.
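As an added illustration of the two points above (layered controls applied commensurate with risk, and MFA meaning more than one distinct factor), the following Python is example code, not part of the Guidance. The mapping of the Guidance's authenticator types to factors is an assumption drawn from NIST SP 800-63B conventions, and the step-up thresholds are a constructed policy.

```python
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Authenticator types named in the Guidance, mapped to the factor each provides
# (single-factor variants; a multi-factor authenticator would contribute two).
AUTHENTICATOR_FACTORS = {
    "memorized_secret": {KNOW},     # password, PIN, security question
    "look_up_secret": {HAVE},       # printed one-time recovery codes
    "out_of_band_device": {HAVE},   # push or SMS to a registered phone
    "otp_device": {HAVE},           # hardware or app-based OTP generator
    "biometric": {ARE},             # fingerprint, face
    "cryptographic_key": {HAVE},    # FIDO security key, smart card
}

def distinct_factors(authenticators):
    """Return the set of distinct factors a combination of authenticators covers."""
    factors = set()
    for name in authenticators:
        factors |= AUTHENTICATOR_FACTORS[name]
    return factors

def is_mfa(authenticators):
    """True only if more than one *distinct* factor is present: a password plus a
    security question is two authenticators but still single-factor."""
    return len(distinct_factors(authenticators)) > 1

STEP_UP_SIGNALS = ("new_device", "privileged_user", "high_risk_transaction")

def controls_for(context):
    """Select authentication layers commensurate with the assessed risk of the
    access. `context` is a dict of boolean risk signals (constructed policy)."""
    controls = ["memorized_secret"]              # baseline single factor
    if any(context.get(k) for k in STEP_UP_SIGNALS):
        controls.append("otp_device")            # step up: adds "something you have"
    if context.get("high_risk_transaction"):
        controls.append("out_of_band_device")    # extra layer: confirm the transaction itself
    return controls

def meets_risk_assessment(context):
    """Check the policy: whenever a risk signal calls for enhanced controls, the
    selected layers must actually constitute MFA, not just more of one factor."""
    needs_mfa = any(context.get(k) for k in STEP_UP_SIGNALS)
    return (not needs_mfa) or is_mfa(controls_for(context))

if __name__ == "__main__":
    # Constructed sample contexts: routine login, new device, high-risk transaction.
    for ctx in ({}, {"new_device": True}, {"high_risk_transaction": True}):
        print(ctx, controls_for(ctx), "MFA" if is_mfa(controls_for(ctx)) else "single-factor")
```

Note that two "something you have" authenticators (an OTP device plus a security key) still do not satisfy the definition; `is_mfa` makes that explicit.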
Monitoring, Logging, and Reporting. Monitoring, activity logging, and reporting processes and controls assist financial institution management in determining if attempted or realized unauthorized access to information systems and accounts has occurred.
Email Systems and Internet Browsers. Users’ email accounts and Internet browsers are common access points used by threat actors to gain unauthorized access, obtain or compromise sensitive data, or initiate fraud. These attacks frequently take advantage of misconfigured applications, operating systems, and unpatched vulnerabilities by using social engineering and phishing campaigns.
Call Center and IT Help Desk Authentication. Threat actors frequently have used social engineering and other techniques to deceive customer call center and IT help desk representatives into resetting passwords and other credentials, thereby granting threat actors access to information systems, user and customer accounts, or confidential information.
Data Aggregators and other Customer-Permissioned Entities. Data aggregators and other customer-permissioned entities (collectively, CPEs) provide data aggregation and other services to business and consumer customers. A comprehensive risk management program includes an assessment of risks and effective mitigating controls for credential and API-based authentication when CPEs access a financial institution’s information systems and customer information.
User and Customer Awareness and Education. A comprehensive customer awareness program educates customers about a range of authentication risks and other security considerations when using digital banking services. The customer awareness program can complement the layered security controls implemented to protect customers and can lower access and authentication risks. Failure to update customer awareness programs and resources to reflect changes in risks, such as the introduction of a faster payments service, has been shown to cause such programs to become ineffective over time. Any related marketing that is inconsistent with the description of security risks in customer awareness programs could raise legal compliance risks.
Consider the following examples when developing customer and personnel awareness training (as applicable):
- An explanation of how customers can determine the legitimacy of communications from the financial institution, particularly communications that seek information that could be used to access the customer’s account.
- An explanation of controls the financial institution offers that customers can use to mitigate risk, such as MFA.
- An explanation of communication mechanisms that customers may use to monitor account activity, such as transaction alerts.
- A listing of financial institution contacts that customers may use to report suspicious account activity or information security-related events.
- Educational information regarding prevalent external threats and methods used to illegally access accounts and account information, such as phishing, social engineering, mobile-based trojans, and business email compromise.
- An explanation of situations in which the institution uses enhanced authentication controls, such as call center contact or certain types of account activity like password reset.
- An explanation of the legal and other rights and protections a customer may have in the event of unauthorized access to an account, including protections under Regulation E.
- For employees, board members, and other users accessing a financial institution’s information systems, education can include training and testing programs on authentication-related scenarios such as phishing and social engineering.
Customer and User Identity Verification. Reliable identity verification methods can help reduce risk when establishing new customer accounts and when access is first requested for new users of information systems. Financial institution management may consult their primary federal regulator or state supervisor, or FFIEC and Financial Crimes Enforcement Network guidance and resources for information about customer identity verification.
The Appendix to the Guidance lists examples of practices or controls related to access management, authentication, and supporting controls. Practices and controls are part of the continuously evolving security landscape and the effectiveness of the listed practices and controls may change. Note that the Appendix is provided as a reference and does not represent an all-inclusive list of practices or controls or characterize a comprehensive information security program. Additionally, the Guidance provides a list of Additional Resources that financial institutions are encouraged to consider when enhancing their authentication protocols.
[1] The Council has six voting members: a member of the Board of Governors of the Federal Reserve System; the Chairman of the Federal Deposit Insurance Corporation; the Chairman of the National Credit Union Administration; the Comptroller of the Currency of the Office of the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the Chairman of the State Liaison Committee.