Sestus Data Company and BearingPoint Financial Services Information Security Group revealed a study last month that states 96% of U.S. banks are failing to implement FFIEC-recommended multi-factor authentication, opting instead for authentication methods that solicit confidential information from consumers.The study anlyzed a statistical sampling of 100 U.S. banks with published website statements asserting their belief in their compliance with FFIEC multi-factor authentication guidelines. The study analyzed the authentication methods employed by each bank to determine whether the sampled banks were, in fact, consistently employing "solutions from two or more of the three categories of factors", i.e. something the user knows, something the user has, or something the user is.

    The U.S. banking industry appears to be ignoring or misinterpreting the FFIEC's multi-factor guidelines in favor of single-factor authentication methods that require consumers to divulge (previously undisclosed) confidential personal information in order to access their online accounts, according to the study. On August 15, 2006, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement in which it clarified what it tought to be true multi-factor authentication: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication."

    The study authors found, "1) overwhelming use of single-factor challenge/response, image-based, and other knowledge based authentication methods purporting to be multi-factor authentication, 2) numerous and varied mis-interpretations regarding the definition of "something the user has", and 3) a high probability for increasing online fraud and loss of consumer privacy as a result of widespread adoption of challenge/response and other knowledge-based systems."

    26% of U.S. banks are adopting authentication methods which are "inconsistently multi-factor". These banks attempt to retrieve cookie file or other information in order to satisfy the "something the user has" authentication factor, however, when this information cannot be retrieved, these banks fall back on soliciting more of "something the user knows" in the form of challenge questions.

    64% of U.S. banks offer only single-factor authentication methods. Where they had previously solicited only logins and passwords, they now solicit additional information in the form of challenge questions. Apparently, these banks believe that by simply asking for MORE information, they are somehow meeting the regulatory definition of multi-factor authentication, a mistaken assumption which the FFIEC has already refuted.

    6% of U.S. banks do offer consistently multi-factor authentication methods as an option, but then permit their members to opt-out of using such methods. If the member chooses to opt-out, the bank employs only single-factor methods. Only 4% of the sampled banks employed consistently multi-factor authentication methods.

The study can be downloaded here: http://www.phishcops.com/librarian.asp?doc=Trends_in_MFA_NonCompliance.pdf