The Federal Financial Institutions Examination Council (FFIEC) is urging financial institutions to abandon single-factor authentication in favor of more secure methods, like biometrics, in guidance on digital payments. The FFIEC has updated its Retail Payment Services Handbook with an appendix on mobile financial services, adding another argument to the corporate and regulatory case for biometric authentication. The FFIEC is an advisory body made up of representatives from five federal agencies and a state regulator, and is tasked with setting the standards and principles bodies like the Federal Reserve and the Federal Deposit Insurance Corporation use to examine financial institutions. It added the new appendix in response to increased usage of the mobile and digital banking channel.
Appendix E 5.b Authentication and authorization states that: “Depending on the technology used and associated level of risk, financial institutions may consider biometric (e.g., voice, fingerprint, facial recognition) or out-of-band authentication processes. The financial institution should not use mobile payment applications that rely on less secure (e.g., single factor) methods of authentication.” The appendix highlights the complexity mobile technology infrastructure and specific vulnerabilities, describing risk factors related to SMS messages, mobile-enabled websites, mobile applications and mobile payments.
Todd Thiemann, vice president of marketing for Nok Nok Labs, says the guidance dovetails with the recent release of draft revisions by the Nation Institute of Standards and Technology (NIST) to the Security and Privacy Controls for Federal Information Systems and Organizations. Theupdate to NIST Special Publication 800-53, released for comment earlier this year, responds to the growth of malware capturing one-time passwords (OTPs) delivered by SMS by recommending against using them as an authentication method.
“NIST is saying move away from SMS OTPs while the FFIEC looks to provide compensating controls without saying explicitly don’t use SMS OTPs,” Thiemann notes.
That strikes down an early replacement for basic username and password combinations. But as financial institutions attempt to find more secure ways to authenticate users than simple usernames and passwords, user experience is motivating them to authenticate users with biometrics.
“They’re motivation is typically improving user experience so their brand shines,” Thiemann says. “They can get more customers, or they can leverage those customers from bank branches to the less expensive digital channels. It’s about ease of use and enabling the business for them. The FFIEC guidance for mobile financial services focuses on security.”
Big banks have already begun rolling out biometrics among their mobile authentication options, and Thiemann says a quick check of ten large US banks shows eight have Touch ID-enabled authentication, and two have Android fingerprint-enabled authentication.
Nok Nok clients using biometric authentication for mobile transactions found a decrease in fraud using A/B testing, Thiemann says, but also an increase in the total number of transactions. Benefiting both aspects of the business is what makes biometrics a likely long-term solution for financial institutions.
“Mobile banking is one of the rare situations where you can have a better customer experience and better security,” Thiemann says. “That’s what biometrics enables. That’s also what the FIDO standard helps enable. So you can move beyond this aging and flawed username password paradigm to embrace biometrics. The FFIEC guidance shows a path to achieve that and maintain that and maintain solid security.”
The path laid out by the FFIEC is less prescriptive than it was in the past, according to Ben Knieff, Senior Analyst at Aite Group, instead becoming more risk-base oriented. Knieff says “this is a good thing and enables institutions and vendors to focus on the actual results rather than often ineffective details of prescriptive regulation.”
Like the FIDO Alliance and NIST, the FFIEC is seeking to guide adoption and implementation decisions towards ensuring the security of user identities, regardless of the specific solution. Whatever technology is used, and no matter how much user experience is prioritized in the decision, an implementation that meets the appropriate standards for authentication will maintain the security of both the financial institution and the end user.
“The key for institutions is to think about a range of authentication options that each have strengths and weaknesses in different contexts, and a decision framework to present the most appropriate authentication for the transaction, device, and customer risk,” Knieff says.
The decision framework leaves many options, but the practical scope of those options seems to be narrowing. Thiemann anticipates that the FFIEC will soon follow the NIST in specifically advising against the use of SMS OTPs. Knieff says the increasing capabilities of mobile devices provide institutions with a variety of options, and that “in the coming years it is likely that authentication on mobile will be stronger and more convenient than in other channels.”
Thiemann points out that global regulators look to each other and the FFIEC as they attempt to keep up with technology and business developments, so the new guidance is likely an indication of the common global regulatory path.
“It’s causing a fair amount of buzz in the financial services world because retail financial institutions are very attentive to the FFIEC guidance,” Thiemann says.
Companies providing mobile biometric authentication to financial institutions have a market which is ready wherever it is not already established.
Biometric authentication was used by 120 million banking customers daily in 2015, according to a Goode Intelligence report, another sign that it is a matter of which, not whether biometrics will dominate the market for mobile user authentication by financial institutions.