New FFIEC Standards Recommend Passwordless MFA

What the New FFIEC Standards Mean for Financial Institutions

On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued guidance on effective authentication and access risk management practices for the various parties that access financial institution services and systems. The updated FFIEC standards and guidelines reflect the realities of today’s threat landscape and attack modes as well as the shifts in remote access by financial institutions’ customers, workforce and partners.

What is the FFIEC?

The FFIEC is a U.S. government, interagency regulatory body responsible for setting consistent and uniform standards for examinations of financial institutions, holding companies and related subsidiaries. The participating agencies, including the Governors of the Federal Reserve System (FRB), the FDIC, and the Consumer Financial Protection Bureau (CFPB), among others, develop uniform principles, standards, and reporting forms and systems that help financial institutions assess their risk, safeguard customer information, prevent money laundering and terrorist financing, and reduce overall fraud and identity theft.

The recent FFIEC standards on authentication are long overdue, replacing “Authentication in an Internet Banking Environment,” issued in 2005, and its 2011 supplement.

FFIEC Authentication Guidance and the Expanding Attack Surface

The new FFIEC standards recognize that password-based authentication approaches no longer suffice. Credentials and passwords stolen in data breaches abound on the black market and hacking forums, making it easy for even the more inexperienced cybercriminals to launch credential stuffing and other attacks on authentication processes. Unsurprisingly, compromised credentials form the number one initial vector of attack.

Moreover, the attackable surface of financial institutions’ systems continues to expand. New technologies and digital services bring more entry points for attack, especially with employees and customers accessing information systems through devices and applications outside of an organization’s security controls. The updated FFIEC standards emphasize multi-factor authentication (MFA) as a critical control within a layered authentication framework to secure against financial loss and data compromise caused by various threats.

The guidelines single out the increasing connectivity of financial institutions to third-party service providers as another area of enormous risk. The recent supply chain attack on IT provider Kaseya is a case in point. This means that MFA needs to be implemented everywhere, not just at the front gate.

Taking a Risk-Based Approach

The FFIEC authentication guidance recommends a risk-based approach tailored to the use case and security relevance of the application or action the user takes, emphasizing that single factor authentication, even with other layers of security, “has been shown to be inadequate for customers engaged in high-risk transactions and for high-risk users.”

Section 3 of the FFIEC standards provides best practices for conducting a risk assessment to determine the information system components that require authentication and access controls, the risks and current threats, and gaps in controls.

Why New FFIEC Standards Were Needed

Those familiar with the older FFIEC standards will notice that the general message remains unchanged: FFIEC experts support layered security and a risk-based approach. The previous guidance, however, recommended adaptive authentication using browser fingerprints to mitigate risk. Today’s privacy concerns on the browser have made that approach ineffective.

The previous publication also did not specifically call for MFA as part of layered security, although it did mention dual customer authentication as a possible control. The MFA recommendation in the latest FFIEC standards falls in line with the mandate in the EU’s Second Payment Services Directive (PSD2) for Strong Customer Authentication. However, while PSD2 regulations contain detailed guidelines for how MFA should be implemented, including the use of “separated software execution environments,” the FFIEC is more vague.

More detail can be found if you dig into the footnotes of the latest FFIEC standards, which cite NIST standards SP 1800-17 and SP 800-63B as reference sources for implementers. The NIST standards offer detailed instructions for implementing passwordless MFA in accordance with the Fast IDentity Online (FIDO) Universal Second Factor (U2F) authentication specification.

The latest guidance also addresses the importance of device and endpoint authentication. It’s critical to make sure that only authorized devices can connect to financial institutions and that access to those devices is itself performed with MFA.

MFA Limitations

The FFIEC inserts some important caveats in its MFA recommendation. Some common MFA factors, such as one-time security codes, are susceptible to Man in the Middle (MIM or MitM) attacks. Other problems arise when it comes to account recovery for credentials-based MFA systems. Malicious actors gain access to systems or accounts by using social engineering to trick workers at IT help desks and customer call centers into resetting passwords or other credentials to “recover accounts.”

In cases where value and risk are high, the guidance recommends cryptographic MFA solutions, removing the credential factor altogether. In particular, authentication solutions that use device-based PKI offer the strongest level of assurance. FIDO-based authentication with the proper levels of attestation enables this level of security with a standards-based approach.
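
The difference between the two factor types shows up in what the server is able to check. The sketch below is an added example, not code from the FFIEC guidance, NIST or HYPR: it compares a server validating a one-time code with a server validating a FIDO-style assertion whose signed client data names the origin the browser was connected to. The origins, keys and clock value are constructed, and an HMAC stands in for the authenticator's private-key signature so the example runs on the standard library alone.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://bank.example"            # constructed relying-party origin
PROXY_ORIGIN = "https://bank-login.example"   # constructed look-alike origin

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 one-time code (HMAC-SHA1, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def server_check_otp(secret: bytes, submitted: str, now: int) -> bool:
    # The server sees six digits only; nothing records where they were typed.
    return hmac.compare_digest(totp(secret, now), submitted)

def _sign(key: bytes, client_data: bytes) -> bytes:
    # Assumption: HMAC stands in for the authenticator's private-key signature.
    return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def authenticator_sign(key: bytes, challenge: bytes, browser_origin: str):
    # The browser, not the user, fills in the origin it is connected to.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    return client_data, _sign(key, client_data)

def server_check_assertion(key, challenge, client_data, sig) -> str:
    if not hmac.compare_digest(_sign(key, client_data), sig):
        return "bad signature"
    data = json.loads(client_data)
    if data["challenge"] != challenge.hex():
        return "wrong challenge"
    if data["origin"] != RP_ORIGIN:
        return "origin mismatch"
    return "ok"

def demo() -> dict:
    now = 1_700_000_000                        # constructed clock value
    seed, key = b"constructed-otp-seed", b"constructed-device-key"
    challenge = hashlib.sha256(b"constructed challenge").digest()[:16]
    code_typed_into_proxy = totp(seed, now)
    direct = authenticator_sign(key, challenge, RP_ORIGIN)
    relayed = authenticator_sign(key, challenge, PROXY_ORIGIN)
    return {
        "otp_relayed": server_check_otp(seed, code_typed_into_proxy, now + 5),
        "assertion_direct": server_check_assertion(key, challenge, *direct),
        "assertion_relayed": server_check_assertion(key, challenge, *relayed),
    }

if __name__ == "__main__":
    print(demo())
```

The one-time code validates no matter which site collected it, while the assertion produced on the look-alike origin is rejected because the origin is part of what was signed.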

Consequences of Violating the FFIEC Authentication Guidance

While the FFIEC itself only audits and reports compliance violations, the regulatory board that governs a financial institution can impose fees and other penalties. These range from cease and desist orders, to fines and compensatory payments, to cancellation of insurance coverage.

Financial institutions may also face lawsuits from customers that fall victim to cybercrimes if FFIEC violations contributed to their loss. Take the example of PATCO, a construction firm that sued its bank after losing more than half a million dollars to Account Takeover (ATO) fraud. Claiming that the bank did not comply with FFIEC MFA requirements, PATCO lost its initial case, but won in the federal appeals court.

HYPR Has You Covered

HYPR’s True Passwordless™ MFA turns an ordinary smartphone into a FIDO token, providing the highest level assurance for protecting customer identities and a frictionless login experience so that your users won’t even know that they are using MFA. HYPR’s FIDO® Certified architecture aligns with the strongest authentication in the FFIEC guidance, preventing MitM and other credential-based attacks.

Leading companies such as Rakuten and Aetna/CVS Health use HYPR True Passwordless™ technology to secure their customer authentication process and make the consumer experience faster, more seamless, and more convenient.

Talk to our experts to discover how easy it is to deploy HYPR to meet FFIEC standards and requirements.
