View PDF

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

Federal Reserve Bank of Dallas
2200 N. PEARL ST.
DALLAS, TX 75201-2272

October 27, 2005
Notice 05-68

TO: The Chief Executive Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District

SUBJECT
Interagency Guidance on Authentication in an
Internet Banking Environment
DETAILS
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance titled
Authentication in an Internet Banking Environment. This guidance updates and replaces the
FFIEC’s Authentication in an Electronic Banking Environment issued in 2001 and specifically
addresses the need for risk-based assessments, customer awareness, and security measures to
reliably authenticate customers accessing financial institutions’ Internet-based services. The
guidance also emphasizes that the agencies consider single-factor authentication, if it is the only
control mechanism, to be inadequate for high-risk transactions involving access to customer
information or the movement of funds to other parties.
ATTACHMENTS
A copy of the Board’s SR letter 05-19 dated October 13, 2005, and the FFIEC’s guidance
are attached.
MORE INFORMATION
For more information, please contact Gary Krumm, (214) 922-6218, Banking Supervision
Department. Previous Federal Reserve Bank notices are available on our web site at
www.dallasfed.org/banking/notices/index.html or by contacting the Public Affairs Department
at (214) 922-5254.

For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal
Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012;
Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

BOARD OF GOVERNORS
OF THE

FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551

DIVISION OF BANKING
SUPERVISION AND
REGULATION

SR 05-19
October 13, 2005
TO THE OFFICER IN CHARGE OF SUPERVISION AND
APPROPRIATE SUPERVISORY AND EXAMINATION STAFF
AT EACH FEDERAL RESERVE BANK, AND TO BANKING
ORGANIZATIONS SUPERVISED BY THE FEDERAL
RESERVE
SUBJECT: Interagency Guidance on Authentication in an Internet Banking Environment
The Federal Financial Institutions Examination Council (FFIEC) has issued the
attached guidance titled Authentication in an Internet Banking Environment. This guidance
updates and replaces the FFIEC's Authentication in an Electronic Banking Environment
issued in 2001 and specifically addresses the need for risk-based assessments, customer
awareness, and security measures to reliably authenticate customers accessing financial
institutions' Internet-based services. The guidance also emphasizes that the agencies
consider single-factor authentication, if it is the only control mechanism, to be inadequate for
high-risk transactions involving access to customer information or the movement of funds to
other parties.
This guidance applies to both retail and commercial customers and does not
endorse any particular technology. Financial institutions should use this guidance when
evaluating and implementing authentication systems and practices whether they are provided
internally or by a technology service provider. Although this guidance is focused on the risks
and risk management techniques associated with the Internet delivery channel, the principles
are applicable to all forms of electronic banking activities.
Consistent with the FFIEC's Information Security Booklet (December 2002), which
is incorporated in the Information Technology Examination Handbook, financial institutions
should periodically:
Ensure that their information security programs:
Identify and assess the risks associated with the full range of
Internet-based products and services,
Identify risk mitigation actions, including appropriate measures to
verify and authenticate customers, and
Measure and evaluate customer awareness efforts;

1 of 2

Establish, evaluate, and adjust, as appropriate, their information security
programs in light of any relevant changes in technology, the sensitivity
of their customer information, and internal or external threats to
information; and
Implement appropriate risk mitigation strategies.
Examiners should begin to assess financial institutions' progress in meeting the
expectations outlined in the guidance and thereafter monitor ongoing conformance as needed
during the risk-focused examination process. Financial institutions will be expected to have
achieved conformance with the guidance by year-end 2006. Examiners should document
situations where financial institutions have not achieved conformance with the guidance by
that time.
Federal Reserve Banks are asked to distribute this letter and the interagency
guidance to banking organizations supervised by the Federal Reserve, as well as to their
supervisory and examination staff. If you have any questions concerning this guidance,
please contact Stacy Coleman, Assistant Director, Operational and IT Risk Section, at
(202) 452-2934 or Elton Hill, Senior Supervisory Financial Analyst, at (202) 452-2514.
Richard Spillenkothen
Director

Attachment:
Supersedes:

2 of 2

Authentication in an Internet Banking Environment (124 KB PDF)
FFIEC Guidance on Authentication (SR 01-20 (SUP))

Federal Financial Institutions Examination Council (FFIEC)

Federal Financial Institutions Examination Council

3501 Fairfax Drive • Room 3086 • Arlington, VA 22226-3550 • (703) 516-5588 • FAX (703) 516-5487 • http://www.ffiec.gov

Authentication in an Internet Banking Environment

Purpose
On August 8, 2001, the FFIEC agencies1 (agencies) issued guidance entitled Authentication in
an Electronic Banking Environment (2001 Guidance). The 2001 Guidance focused on risk
management controls necessary to authenticate the identity of retail and commercial customers
accessing Internet-based financial services. Since 2001, there have been significant legal and
technological changes with respect to the protection of customer information;2 increasing
incidents of fraud, including identity theft; and the introduction of improved authentication
technologies. This updated guidance replaces the 2001 Guidance and specifically addresses
why financial institutions regulated by the agencies should conduct risk-based assessments,
evaluate customer awareness programs, and develop security measures to reliably authenticate
customers remotely accessing their Internet-based financial services.
This guidance applies to both retail and commercial customers and does not endorse any
particular technology. Financial institutions should use this guidance when evaluating and
implementing authentication systems and practices whether they are provided internally or by
a service provider. Although this guidance is focused on the risks and risk management
techniques associated with the Internet delivery channel, the principles are applicable to all
forms of electronic banking activities.
Summary of Key Points
The agencies consider single-factor authentication, as the only control mechanism, to be
inadequate for high-risk transactions involving access to customer information or the
movement of funds to other parties. Financial institutions offering Internet-based products and
services to their customers should use effective methods to authenticate the identity of
customers using those products and services. The authentication techniques employed by the
financial institution should be appropriate to the risks associated with those products and
services. Account fraud and identity theft are frequently the result of single-factor (e.g.,
ID/password) authentication exploitation. Where risk assessments indicate that the use of

1

Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit
Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
2
Customer information means any record containing nonpublic personal information as defined in the
Interagency Guidelines Establishing Information Security Standards at section I.C.2. 12 CFR Part 30, app. B
(OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (FRB); 12 CFR Part 364, app. B (FDIC); 12 CFR Part
570, app. B (OTS); and 12 CFR Part 748, app. A (NCUA).

single-factor authentication is inadequate, financial institutions should implement multifactor
authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Consistent with the FFIEC Information Technology Examination Handbook, Information
Security Booklet, December 2002, financial institutions should periodically:
•

Ensure that their information security program:
– Identifies and assesses the risks associated with Internet-based products and services,
– Identifies risk mitigation actions, including appropriate authentication strength, and
– Measures and evaluates customer awareness efforts;

•

Adjust, as appropriate, their information security program in light of any relevant changes
in technology, the sensitivity of its customer information, and internal or external threats
to information; and

•

Implement appropriate risk mitigation strategies.

Background
Financial institutions engaging in any form of Internet banking should have effective and
reliable methods to authenticate customers. An effective authentication system is necessary for
compliance with requirements to safeguard customer information,3 to prevent money
laundering and terrorist financing,4 to reduce fraud, to inhibit identity theft, and to promote the
legal enforceability of their electronic agreements and transactions. The risks of doing business
with unauthorized or incorrectly identified persons in an Internet banking environment can
result in financial loss and reputation damage through fraud, disclosure of customer
information, corruption of data, or unenforceable agreements.
There are a variety of technologies and methodologies financial institutions can use to
authenticate customers. These methods include the use of customer passwords, personal
identification numbers (PINs), digital certificates using a public key infrastructure (PKI),
physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types
of “tokens”, transaction profile scripts, biometric identification, and others. (The appendix to
this guidance contains a more detailed discussion of authentication techniques.) The level of
risk protection afforded by each of these techniques varies. The selection and use of
authentication technologies and methods should depend upon the results of the financial
institution’s risk assessment process.
3

The Interagency Guidelines Establishing Information Security Standards that implement section 501(b) of the
Gramm–Leach–Bliley Act, 15 USC 6801, require banks and savings associations to safeguard the information of
persons who obtain or have obtained a financial product or service to be used primarily for personal, family or
household purposes, with whom the institution has a continuing relationship. Credit unions are subject to a
similar rule.
4
The regulations implementing section 326 of the USA PATRIOT Act, 31 USC § 5318(l), require banks, savings
associations and credit unions to verify the identity of customers opening new accounts. See 31 CFR 103.121; 12
CFR 21.21 (OCC); 12 CFR 563.177 (OTS); 12 CFR 326.8 (FDIC); 12 CFR 208.63 (state member banks), 12
CFR 211.5(m) (Edge or agreement corporation or any branch or subsidiary thereof), 12 CFR 211.24(j) (uninsured
branch, an agency, or a representative office of a foreign financial institution operating in the United States
(FRB); and 12 CFR Part 748.2 (NCUA).

2

Existing authentication methodologies involve three basic “factors”:
•

Something the user knows (e.g., password, PIN);

•

Something the user has (e.g., ATM card, smart card); and

•

Something the user is (e.g., biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise
than single-factor methods. Accordingly, properly designed and implemented multifactor
authentication methods are more reliable and stronger fraud deterrents. For example, the use
of a logon ID/password is single-factor authentication (i.e., something the user knows);
whereas, an ATM transaction requires multifactor authentication: something the user possesses
(i.e., the card) combined with something the user knows (i.e., PIN). A multifactor
authentication methodology may also include “out–of–band”5 controls for risk mitigation.
The success of a particular authentication method depends on more than the technology. It
also depends on appropriate policies, procedures, and controls. An effective authentication
method should have customer acceptance, reliable performance, scalability to accommodate
growth, and interoperability with existing systems and future plans.
Risk Assessment
The implementation of appropriate authentication methodologies should start with an
assessment of the risk posed by the institution’s Internet banking systems. The risk should be
evaluated in light of the type of customer (e.g., retail or commercial); the customer
transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity of
customer information being communicated to both the institution and the customer; the ease of
using the communication method; and the volume of transactions. Prior agency guidance has
elaborated on this risk-based and “layered” approach to information security.6
An effective authentication program should be implemented to ensure that controls and
authentication tools are appropriate for all of the financial institution’s Internet-based products
and services. Authentication processes should be designed to maximize interoperability and
should be consistent with the financial institution’s overall strategy for Internet banking and
electronic commerce customer services. The level of authentication used by a financial
institution in a particular application should be appropriate to the level of risk in that
application.
A comprehensive approach to authentication requires development of, and adherence to, the
institution’s information security standards, integration of authentication processes within the
overall information security framework, risk assessments within lines of businesses supporting
5

Out–of–band generally refers to additional steps or actions taken beyond the technology boundaries of a typical
transaction. Callback (voice) verification, e-mail approval or notification, and cell–phone based challenge/
response processes are some examples.
6
FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002; FFIEC
Information Technology Examination Handbook, E-Banking Booklet, August 2003.

3

selection of authentication tools, and central authority for oversight and risk monitoring. This
authentication process should be consistent with and support the financial institution’s overall
security and risk management programs.
The method of authentication used in a specific Internet application should be appropriate and
reasonable, from a business perspective, in light of the reasonably foreseeable risks in that
application. Because the standards for implementing a commercially reasonable system may
change over time as technology and other procedures develop, financial institutions and
technology service providers should develop an ongoing process to review authentication
technology and ensure appropriate changes are implemented.
The agencies consider single-factor authentication, as the only control mechanism, to be
inadequate for high-risk transactions involving access to customer information or the
movement of funds to other parties. Single-factor authentication tools, including passwords
and PINs, have been widely used for a variety of Internet banking and electronic commerce
activities, including account inquiry, bill payment, and account aggregation. However,
financial institutions should assess the adequacy of such authentication techniques in light of
new or changing risks such as phishing, pharming,7 malware,8 and the evolving sophistication
of compromise techniques. Where risk assessments indicate that the use of single-factor
authentication is inadequate, financial institutions should implement multifactor authentication,
layered security, or other controls reasonably calculated to mitigate those risks.
The risk assessment process should:
•

Identify all transactions and levels of access associated with Internet-based customer
products and services;

•

Identify and assess the risk mitigation techniques, including authentication methodologies,
employed for each transaction type and level of access; and

•

Include the ability to gauge the effectiveness of risk mitigation techniques for current and
changing risk factors for each transaction type and level of access.

Account Origination and Customer Verification
With the growth in electronic banking and commerce, financial institutions should use reliable
methods of originating new customer accounts online. Moreover, customer identity
verification during account origination is required by section 326 of the USA PATRIOT Act
and is important in reducing the risk of identity theft, fraudulent account applications, and
unenforceable account agreements or transactions. Potentially significant risks arise when a
financial institution accepts new customers through the Internet or other electronic channels
because of the absence of the physical cues that financial institutions traditionally use to
identify persons.
7

Similar in nature to e-mail phishing, pharming seeks to obtain personal information by directing users to spoofed
Web sites where their information is captured, usually from a legitimate–looking form.
8
Short for malicious software, such as software designed to capture and forward private information such as ID’s,
passwords, account numbers, and PINs.

4

One method to verify a customer’s identity is a physical presentation of a proof of identity
credential such as a driver's license. Similarly, to establish the validity of a business and the
authority of persons to perform transactions on its behalf, financial institutions typically review
articles of incorporation, business credit reports, board resolutions identifying officers and
authorized signers, and other business credentials. However, in an Internet banking
environment, reliance on these traditional forms of paper-based verification decreases
substantially. Accordingly, financial institutions need to use reliable alternative methods.
(The appendix to this guidance describes verification processes in more detail.)
Monitoring and Reporting
Monitoring systems can determine if unauthorized access to computer systems and customer
accounts has occurred. A sound authentication system should include audit features that can
assist in the detection of fraud, money laundering, compromised passwords, or other
unauthorized activities. The activation and maintenance of audit logs can help institutions to
identify unauthorized activities, detect intrusions, reconstruct events, and promote employee
and user accountability. In addition, financial institutions should report suspicious activities to
appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act.9
Financial institutions should rely on multiple layers of control to prevent fraud and safeguard
customer information. Much of this control is not based directly upon authentication. For
example, a financial institution can analyze the activities of its customers to identify suspicious
patterns. Financial institutions also can rely on other control methods, such as establishing
transaction dollar limits that require manual intervention to exceed a preset limit.
Adequate reporting mechanisms are needed to promptly inform security administrators when
users are no longer authorized to access a particular system and to permit the timely removal or
suspension of user account access. Furthermore, if critical systems or processes are outsourced
to third parties, management should ensure that the appropriate logging and monitoring
procedures are in place and that suspected unauthorized activities are communicated to the
institution in a timely manner. An independent party (e.g., internal or external auditor) should
review activity reports documenting the security administrators’ actions to provide the
necessary checks and balances for managing system security.
Customer Awareness
Financial institutions have made, and should continue to make, efforts to educate their
customers. Because customer awareness is a key defense against fraud and identity theft,
financial institutions should evaluate their consumer education efforts to determine if
additional steps are necessary. Management should implement a customer awareness program
9

31 USC 5318; 12 CFR 21.11 (OCC); 12 CFR 563.180 (OTS); 12 CFR 353 (FDIC); 12 CFR 208.62 [state
member banks]; 12 CFR 211.5 (k) [edge or agreement corporation, or any branch or subsidiary thereof]; 12 CFR
211.24 (f) [uninsured branch, an agency, or a representative office of a foreign financial institution operating in
the United States]; 12 CFR 225.4 (f) [bank holding company or any non bank subsidiary thereof] (FRB); and 12
CFR Part 748.1 and Part 748.2 (NCUA).

5

and periodically evaluate its effectiveness. Methods to evaluate a program’s effectiveness
include tracking the number of customers who report fraudulent attempts to obtain their
authentication credentials (e.g., ID/password), the number of clicks on information security
links on Web sites, the number of statement stuffers or other direct mail communications, the
dollar amount of losses relating to identity theft, etc.
Conclusion
Financial institutions offering Internet-based products and services should have reliable and
secure methods to authenticate their customers. The level of authentication used by the
financial institution should be appropriate to the risks associated with those products and
services. Financial institutions should conduct a risk assessment to identify the types and
levels of risk associated with their Internet banking applications. Where risk assessments
indicate that the use of single-factor authentication is inadequate, financial institutions should
implement multifactor authentication, layered security, or other controls reasonably calculated
to mitigate those risks. The agencies consider single-factor authentication, as the only control
mechanism, to be inadequate in the case of high-risk transactions involving access to customer
information or the movement of funds to other parties.

6

Appendix10
Background
The term authentication, as used in this guidance, describes the process of verifying the
identity of a person or entity. Within the realm of electronic banking systems, the
authentication process is one method used to control access to customer accounts and personal
information. Authentication is typically dependent upon customers providing valid
identification data followed by one or more authentication credentials (factors) to prove their
identity.
Customer identifiers may be a bankcard for ATM usage, or some form of user ID for remote
access. An authentication factor (e.g. PIN or password) is secret or unique information linked
to a specific customer identifier that is used to verify that identity.
Generally, the way to authenticate customers is to have them present some sort of factor to
prove their identity. Authentication factors include one or more of the following:
•

Something a person knows—commonly a password or PIN. If the user types in the
correct password or PIN, access is granted.

•

Something a person has—most commonly a physical device referred to as a token.
Tokens include self-contained devices that must be physically connected to a
computer or devices that have a small screen where a one-time password (OTP) is
displayed, which the user must enter to be authenticated.

•

Something a person is—most commonly a physical characteristic, such as a fingerprint,
voice pattern, hand geometry, or the pattern of veins in the user’s eye. This type of
authentication is referred to as “biometrics” and often requires the installation of specific
hardware on the system to be accessed.

Authentication methodologies are numerous and range from simple to complex. The level of
security provided varies based upon both the technique used and the manner in which it is
deployed. Single-factor authentication involves the use of one factor to verify customer
identity. The most common single-factor method is the use of a password. Two-factor
authentication is most widely used with ATMs. To withdraw money from an ATM, the
customer must present both an ATM card (something the person has) and a password or PIN
(something the person knows). Multifactor authentication utilizes two or more factors to verify
customer identity. Authentication methodologies based upon multiple factors can be more
difficult to compromise and should be considered for high-risk situations. The effectiveness of
a particular authentication technique is dependent upon the integrity of the selected product or
process and the manner in which it is implemented and managed.

10

This Appendix is based upon the FDIC Study – “Putting an End to Account-Hijacking Identity Theft”
(December 14, 2004) and the FDIC Study Supplement (June 17, 2005).

7

Authentication Techniques, Processes, and Methodologies
Material provided in the following sections is for informational purposes only. The selection
and use of any technique should be based upon the assessed risk associated with a particular
electronic banking product or service.
Shared Secrets
Shared secrets (something a person knows) are information elements that are known or shared
by both the customer and the authenticating entity. Passwords and PINs are the best known
shared secret techniques but some new and different types are now being used as well. Some
additional examples are:
•

Questions or queries that require specific customer knowledge to answer, e.g., the exact
amount of the customer’s monthly mortgage payment.

•

Customer-selected images that must be identified or selected from a pool of images.

The customer’s selection of a shared secret normally occurs during the initial enrollment
process or via an offline ancillary process. Passwords or PIN values can be chosen, questions
can be chosen and responses provided, and images may be uploaded or selected.
The security of shared secret processes can be enhanced with the requirement for periodic
change. Shared secrets that never change are described as “static” and the risk of compromise
increases over time. The use of multiple shared secrets also provides increased security
because more than one secret must be known to authenticate.
Shared secrets can also be used to authenticate the institution’s Web site to the customer. This
is discussed in the Mutual Authentication section.
Tokens
Tokens are physical devices (something the person has) and may be part of a multifactor
authentication scheme. Three types of tokens are discussed here: the USB token device, the
smart card, and the password-generating token.
USB Token Device
The USB token device is typically the size of a house key. It plugs directly into a computer’s
USB port and therefore does not require the installation of any special hardware on the user’s
computer. Once the USB token is recognized, the customer is prompted to enter his or her
password (the second authenticating factor) in order to gain access to the computer system.
USB tokens are one-piece, injection-molded devices. USB tokens are hard to duplicate and are
tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and
credentials. The device has the ability to store digital certificates that can be used in a public
key infrastructure (PKI) environment.
8

The USB token is generally considered to be user-friendly. Its small size makes it easy for the
user to carry and, as noted above, it plugs into an existing USB port; thus the need for
additional hardware is eliminated.
Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it to store
and process data. Inclusion of the microprocessor enables software developers to use more
robust authentication schemes. To be used, a smart card must be inserted into a compatible
reader attached to the customer’s computer. If the smart card is recognized as valid (first
factor), the customer is prompted to enter his or her password (second factor) to complete the
authentication process.
Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively secure
vehicle for storing sensitive data and credentials. Smart cards are easy to carry and easy to use.
Their primary disadvantage as a consumer authentication device is that they require the
installation of a hardware reader and associated software drivers on the consumer’s home
computer.
Password-Generating Token
A password-generating token produces a unique pass-code, also known as a one-time password
each time it is used. The token ensures that the same OTP is not used consecutively. The OTP
is displayed on a small screen on the token. The customer first enters his or her user name and
regular password (first factor), followed by the OTP generated by the token (second factor).
The customer is authenticated if (1) the regular password matches and (2) the OTP generated
by the token matches the password on the authentication server. A new OTP is typically
generated every 60 seconds—in some systems, every 30 seconds. This very brief period is the
life span of that password. OTP tokens generally last 4 to 5 years before they need to be
replaced.
Password-generating tokens are secure because of the time-sensitive, synchronized nature of
the authentication. The randomness, unpredictability, and uniqueness of the OTPs
substantially increase the difficulty of a cyber thief capturing and using OTPs gained from
keyboard logging.
Biometrics
Biometric technologies identify or authenticate the identity of a living person on the basis of a
physiological or physical characteristic (something a person is). Physiological characteristics
include fingerprints, iris configuration, and facial structure. Physical characteristics include,
for example, the rate and flow of movements, such as the pattern of data entry on a computer
keyboard. The process of introducing people into a biometrics-based system is called
“enrollment.” In enrollment, samples of data are taken from one or more physiological or
physical characteristics; the samples are converted into a mathematical model, or template; and
the template is registered into a database on which a software application can perform analysis.
9

Once enrolled, customers interact with the live-scan process of the biometrics technology. The
live scan is used to identify and authenticate the customer. The results of a live scan, such as a
fingerprint, are compared with the registered templates stored in the system. If there is a
match, the customer is authenticated and granted access.
Biometric identifiers are most commonly used as part of a multifactor authentication system,
combined with a password (something a person knows) or a token (something a person has).
Various biometric techniques and identifiers are being developed and tested, these include:
•
•
•
•
•
•
•
•

fingerprint recognition;
face recognition;
voice recognition;
keystroke recognition;
handwriting recognition;
finger and hand geometry;
retinal scan; and
iris scan.

Two biometric techniques that are increasingly gaining acceptance are fingerprint recognition
and face recognition.
Fingerprint Recognition
Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along
with small unique marks known as minutiae, which are the ridge endings and bifurcations or
branches in the fingerprint ridges. The data extracted from fingerprints are extremely dense
and the density explains why fingerprints are a very reliable means of identification.
Fingerprint recognition systems store only data describing the exact fingerprint minutiae;
images of actual fingerprints are not retained. Fingerprint scanners may be built into computer
keyboards or pointing devices (mice), or may be stand-alone scanning devices attached to a
computer.
Fingerprints are unique and complex enough to provide a robust template for authentication.
Using multiple fingerprints from the same individual affords a greater degree of accuracy.
Fingerprint identification technologies are among the most mature and accurate of the various
biometric methods of identification.11
Although end users should have little trouble using a fingerprint-scanning device, special
hardware and software must be installed on the user’s computer. Fingerprint recognition
implementation will vary according to the vendor and the degree of sophistication required.
This technology is not portable since a scanning device needs to be installed on each
participating user’s computer. However, fingerprint biometrics is generally considered easier
11

Currently, some financial institutions, domestic and foreign, that use fingerprint recognition and other biometric
technologies to authenticate ATM users, are eliminating the need for an ATM card and the expense of replacing
lost or stolen cards.

10

to install and use than other, more complex technologies, such as iris scanning. Enrollment can
be performed either at the financial institution’s customer service center or remotely by the
customer after he or she has received setup instructions and passwords. According to
fingerprint technology vendors, there are several scenarios for remote enrollment that provide
adequate security, but for large-dollar transaction accounts, the institution should consider
requiring that customers appear in person.
Face Recognition
Most face recognition systems focus on specific features on the face and make a twodimensional map of the face. Newer systems make three-dimensional maps. The systems
capture facial images from video cameras and generate templates that are stored and used for
comparisons. Face recognition is a fairly young technology compared with other biometrics
like fingerprints.
Facial scans are only as good as the environment in which they are collected. The so-called
“mug shot” environment is ideal. The best scans are produced under controlled conditions
with proper lighting and proper placement of the video device. As part of a highly sensitive
security environment, there may be several cameras collecting image data from different
angles, producing a more exact scan. Certain facial scanning applications also include tests for
liveness, such as blinking eyes. Testing for liveness reduces the chance that the person
requesting access is using a photograph of an authorized individual.
Non-Hardware-Based One-Time-Password Scratch Card
Scratch cards (something a person has) are less-expensive, “low-tech” versions of the OTP
generating tokens discussed previously. The card, similar to a bingo card or map location
look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a
grid. The size of the card determines the number of cells in the grid.
Used in a multifactor authentication process, the customer first enters his or her user name and
password in the established manner. Assuming the information is input correctly, the customer
will then be asked to input, as a second authentication factor, the characters contained in a
randomly chosen cell in the grid. The customer will respond by typing in the data contained in
the grid cell element that corresponds to the challenge coordinates.
Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or
defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry.
This type of authentication requires no training and, if the card is lost, replacement is relatively
easy and inexpensive.
Out-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the individual
originating a transaction to be verified through a channel different from the one the customer is
using to initiate the transaction. This type of layered authentication has been used in the
commercial banking/brokerage business for many years. For example, funds transfer requests,
11

purchase authorizations, or other monetary transactions are sent to the financial institution by
the customer either by telephone or by fax. After the institution receives the request, a
telephone call is usually made to another party within the company (if a business-generated
transaction) or back to the originating individual. The telephoned party is asked for a
predetermined word, phrase, or number that verifies that the transaction was legitimate and
confirms the dollar amount. This layering approach precludes unauthorized transactions and
identifies dollar amount errors, such as when a $1,000.00 order was intended but the decimal
point was misplaced and the amount came back as $100,000.00.
In today’s environment, the methods of origination and authentication are more varied. For
example, when a customer initiates an online transaction, a computer or network-based server
can generate a telephone call, an e-mail, or a text message. When the proper response (a
verbal confirmation or an accepted-transaction affirmation) is received, the transaction is
consummated.
Internet Protocol Address (IPA) Location and Geo-Location
One technique to filter an online transaction is to know who is assigned to the requesting
Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned either
by an Internet Service Provider or as part of the user’s network. If all users were issued a
unique IPA that was constantly maintained on an official register, authentication by IPA would
simply be a matter of collecting IPAs and cross-referencing them to their owners. However,
IPAs are not owned, may change frequently, and in some cases can be “spoofed.”
Additionally, there is no single source for associating an IPA with its current owner, and in
some cases matching the two may be impossible.
Some vendors have begun offering software products that identify several data elements,
including location, anonymous proxies, domain name, and other identifying attributes referred
to as “IP Intelligence.” The software analyzes this information in a real-time environment and
checks it against multiple data sources and profiles to prevent unauthorized access. If the
user’s IPA and the profiled characteristics of past sessions match information stored for
identification purposes, the user is authenticated. In some instances the software will detect
out-of-character details of the access attempt and quickly conclude that the user should not be
authenticated.
Geo-location technology is another technique to limit Internet users by determining where they
are or, conversely, where they are not. Geo-location software inspects and analyzes the small
bits of time required for Internet communications to move through the network. These
electronic travel times are converted into cyberspace distances. After these cyberspace
distances have been determined for a user, they are compared with cyberspace distances for
known locations. If the comparison is considered reasonable, the user's location can be
authenticated. If the distance is considered unreasonable or for some reason is not calculable,
the user will not be authenticated.
IPA verification or geo-location may prove beneficial as one factor in a multifactor
authentication strategy. However, since geo-location software currently produces usable
12

results only for land-based or wired communications, it may not be suitable for some wireless
networks that can also access the Internet such as cellular/digital telephones.
Mutual Authentication
Mutual authentication is a process whereby customer identity is authenticated and the target
Web site is authenticated to the customer. Currently, most financial institutions do not
authenticate their Web sites to the customer before collecting sensitive information. One
reason phishing attacks are successful is that unsuspecting customers cannot determine they
are being directed to spoofed Web sites during the collection stage of an attack. The spoofed
sites are so well constructed that casual users cannot tell they are not legitimate. Financial
institutions can aid customers in differentiating legitimate sites from spoofed sites by
authenticating their Web site to the customer.
Techniques for authenticating a Web site are varied. The use of digital certificates coupled
with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared
secrets such as digital images is another. Digital certificate authentication is generally
considered one of the stronger authentication technologies, and mutual authentication provides
a defense against phishing and similar attacks.
Customer Verification Techniques
Customer verification is a related but separate process from that of authentication. Customer
verification complements the authentication process and should occur during account
origination. Verification of personal information may be achieved in three ways:
•

Positive verification to ensure that material information provided by an applicant matches
information available from trusted third party sources. More specifically, a financial
institution can verify a potential customer's identity by comparing the applicant's answers
to a series of detailed questions against information in a trusted database (e.g., a reliable
credit report) to see if the information supplied by the applicant matches information in the
database. As the questions become more specific and detailed, correct answers provide
the financial institution with an increasing level of confidence that the applicant is who
they say they are.

•

Logical verification to ensure that information provided is logically consistent (e.g., do the
telephone area code, ZIP code, and street address match).

•

Negative verification to ensure that information provided has not previously been
associated with fraudulent activity. For example, applicant information can be compared
against fraud databases to determine whether any of the information is associated with
known incidents of fraudulent behavior. In the case of commercial customers, however,
the sole reliance on online electronic database comparison techniques is not adequate since
certain documents (e.g., bylaws) needed to establish an individual's right to act on a
company's behalf are not available from databases. Institutions still must rely on
traditional forms of personal identification and document validation combined with
electronic verification tools.
13

Another authentication method consists of the financial institution relying on a third party to
verify the identity of the applicant. The third party would issue the applicant an electronic
credential, such as a digital certificate, that can be used by the applicant to prove his/her
identity. The financial institution is responsible for ensuring that the third party uses the same
level of authentication that the financial institution would use itself.

14


Federal Reserve Bank of St. Louis, One Federal Reserve Bank Plaza, St. Louis, MO 63102