The Federal Financial Institutions Examination Council has issued guidance to financial institutions on effective authentication and access risk management principles and practices, titled
Authentication and Access to Financial Institution Services and Systems.
The guidance replaces the previously issued Authentication in an Internet Banking Environment and the Supplement to Authentication in an Internet Banking Environment.
The new guidance addresses a financial institution’s risk assessment, critical for determining appropriate access and authentication practices; authentication practices for users such as customers, employees, and third parties accessing financial institution systems and services; and how multi-factor authentication, or controls of equivalent strength, can be used to effectively mitigate risks of unauthorized access.
The guidance also includes:
- Highlights on the current cybersecurity threat environment, including increased remote access by customers and users, and attacks that leverage compromised credentials. It also mentions the risks arising from push payment capabilities.
- Recognition of the importance of the financial institution’s risk assessment in determining appropriate access and authentication practices for the wide range of users accessing financial institution systems and services.
- Support of a financial institution’s adoption of layered security. It also underscores weaknesses in single-factor authentication.
- Discussions on how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks.
- Examples of authentication controls, and a list of government and industry resources and references to assist financial institutions with authentication and access management.