
The FFIEC guidelines

In October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance stating that current authentication methods are not sufficiently secure. The FFIEC recommended that banks have a plan to implement “stronger” forms of authentication (i.e. two factor authentication as opposed to one) by the end of 2006. It also recommended that banks put in place a “mutual” or multifactor authentication solution whereby the bank not only authenticates its online customers, but the customer can also authenticate the bank's legitimate website.

Some highlights of the FFIEC guidelines are:

  • Financial institutions offering internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
  • Single factor authentication methodologies may not provide sufficient protection for internet-based financial services.
  • The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions need to investigate two factor authentication methods in order to provide adequate, strong authentication for online customers.
  • Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to online customers.

The most urgent requirement for 2006 is for each bank to conduct a complete risk assessment to identify vulnerabilities. The FFIEC recommends that institutions carefully research authentication methods that will be reliable, scalable and interoperable with existing and future infrastructure.

The FFIEC also recommends that banks put in place a “mutual” or two factor authentication solution whereby the bank not only authenticates its online customers, but the customer can authenticate the bank website.

The Mutual Authentication Model

Online fraudsters have technologically outpaced the security measures that most financial institutions have put in place.

This model (see Figure 1) visualizes the reciprocity of the mutual authentication model – the Bank can authenticate the User (BTU) and the User can authenticate the Bank (UTB). Much of the FFIEC guidance (and, not surprisingly, the industry's solutions) focuses on the BTU side of the equation while ignoring the need for users to authenticate the bank. Why has this occurred? Largely because it was assumed that the SSL padlock was enough to establish site legitimacy. That is simply not the case: an SSL certificate does not always authenticate the business legitimacy of a site, and worse still, the padlock can be faked. Unless the User first authenticates the bank as a legitimate site, subsequent controls provide no security to the customer, whose financial details may be stolen.

Figure 1: Mutual Authentication Model

Comodo Two Factor Authentication ensures FFIEC compliance

Comodo Solution for customer to authenticate the bank: Content Verification Certificate

CVCs, as part of Comodo’s mutual, multifactor authentication solution, ensure that digital content (such as website login boxes and graphics) and site identity can be verified in real time and without disrupting the normal transaction process.

Comodo's See Verify Trust technology takes the bank's web content, IP addresses and domain names, and embeds them into a digital Content Verification Certificate (CVC). Online banking customers simply roll their cursor over the website content that carries a CVC, and Verification Engine displays a green border outside the browser. CVCs are one half of Comodo’s two factor authentication solution.

Using the proven PKI platform for security authentication of websites to end users, CVCs prove that a bank site has been validated and is safe for online banking.

CVCs can protect content such as:

  • Website login boxes – proving to a user that they are accessing the genuine website.
  • Contact or rate cards – proving that they have not been tampered with.
  • Third party credentials (such as FDIC or BBB Online seals) – allowing them to be verified.
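To make the UTB half of the model concrete, here is an added illustration (not Comodo's code or CVC format) of what a content verification record has to bind and check: a trusted issuer signs a hash of the login-form HTML together with the domain and IP it was issued for, and the client recomputes the check against what it actually received. The issuer key, the domain, IP and form HTML are constructed sample values, and an HMAC stands in for the PKI signature so the demo runs offline.

```python
import hashlib
import hmac
import json

# Constructed issuer key: stands in for the CA's signing key. A real CVC would
# carry a PKI signature verified against the CA's public key; HMAC is an
# assumption used here only to keep the example self-contained.
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"


def _payload(body: dict) -> bytes:
    # Canonical encoding so issuer and verifier sign/verify identical bytes.
    return json.dumps(body, sort_keys=True).encode()


def issue_cvc(domain: str, ip: str, content: bytes) -> dict:
    """Issuer side: bind domain, IP and a hash of the protected content."""
    body = {
        "domain": domain,
        "ip": ip,
        "content_sha256": hashlib.sha256(content).hexdigest(),
    }
    sig = hmac.new(ISSUER_KEY, _payload(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_cvc(cvc: dict, seen_domain: str, seen_ip: str, seen_content: bytes):
    """Client side: check the record against what the browser actually observed.

    Returns (ok, reason). The order matters: an invalid signature means nothing
    else in the record can be trusted, so it is rejected first.
    """
    expected = hmac.new(ISSUER_KEY, _payload(cvc["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cvc["sig"]):
        return False, "signature invalid"
    if cvc["body"]["domain"] != seen_domain:
        return False, "domain mismatch"
    if cvc["body"]["ip"] != seen_ip:
        return False, "ip mismatch"
    if cvc["body"]["content_sha256"] != hashlib.sha256(seen_content).hexdigest():
        return False, "content tampered"
    return True, "verified"


# Constructed sample: the genuine login form served by the bank's real host.
LOGIN_FORM = b'<form action="/login"><input name="user"><input name="pw" type="password"></form>'
CVC = issue_cvc("bank.example", "192.0.2.10", LOGIN_FORM)

if __name__ == "__main__":
    print(verify_cvc(CVC, "bank.example", "192.0.2.10", LOGIN_FORM))
    # Identical HTML copied to a lookalike host fails on the domain binding.
    print(verify_cvc(CVC, "bank-login.example", "198.51.100.7", LOGIN_FORM))
```

The second call shows the point the text makes: a pixel-perfect copy of the login box on another host is rejected because the record binds the content to the domain and IP, not just to the HTML.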

Comodo Solution for bank to authenticate the customer: PC Certificates

Digital client certificates are an easy-to-deploy, affordable, secure and convenient solution for banks to authenticate customers. Digital PC certificates can be delivered electronically while providing strong two factor authentication of users. They authenticate both the user's PC and the user's identity code.

They can be stored directly on a user's computer or, for portability, they can be stored on smart cards, tokens or USB devices. A PKI client certificate provides strong authentication of users and assures the bank that the user logging in is indeed the bank’s customer. Comodo digital Client certificates are the other half of Comodo’s two factor authentication solution.
