Authentication and Access Guidance for the 21st Century
Last week, the FFIEC published guidance titled Authentication and Access to Financial Institution Services and Systems (the guidance). This guidance replaces previously issued statements (think back to pre-Twitter times) regarding best practices for authenticating users of internet-based financial services: Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011). The FFIEC acknowledges that we live in a new technological world compared to when the last guidance was released. There are new threats and differences in approach for cybersecurity. Additionally, there are far more people using online and mobile applications, and assessing them from a range of computers, tablets, and smart devices.
In order to keep up with the changing landscape, the guidance emphasizes the importance of risk assessments, both initial assessments that are made before launching a new product or service and periodic assessments to measure the effectiveness of internal controls. The guidance gives examples of suggested risk assessment practices for credit unions offering digital services:
- Inventory of Information Systems. Take account of all information systems and their components, such as the hardware, operating systems, applications, devices, data, cloud storage systems and other assets, that require authentication and control.
- Inventory of Digital Banking Services and Customers. Take account of all digital banking services, members, and transactions that may need different levels of authentication and access controls. Consider the risks involved with serving different members (such as consumer vs business) and transactions (such as digital payment services that have shorter processing windows or push-payment capabilities).
- Identify Customers Engaged in High-Risk Transactions. Identify member transactions that pose a higher risk of loss to the credit union for which enhanced authentication controls are warranted.
- Identify Users. Identify all users, including members, employees, service accounts, and users at third parties, that have access to credit union systems and data.
- High-Risk User Identification. Identify users who pose a higher risk, such as those with access to critical systems or privileged information, including security administrators and senior management.
- Threat Identification. Identify threats that are likely to impact the credit union’s information systems, data, and member accounts (such as ransomware and phishing attacks).
- Controls Assessment. Initially and periodically measure the success and effectiveness authentication controls. This may lead the credit union to regularly implement updated standards in accordance with its policies and risk appetite.
When it comes to keeping systems secured after a thorough and effective risk assessment, the FFIEC guidance suggests implementation of layered security that includes multi-factor authentication. Layering security can help to provide more support in case of a threat to the system and may include “user time-out, system hardening, network segmentation, monitoring processes, and transaction amount limits.” Reliance on a single control can leave a credit union exposed to threats, but layering controls can protect both members and the credit union. Including multi-factor authentication (MFA) within a layered security system provides even more protection against unauthorized access of sensitive information. According to the guidance, “MFA factors may include memorized secrets, look-up secrets, out-of-band devices, one-time password devices, biometrics identifiers, or cryptographic keys. The attributes, including usability, convenience, and strength, of various authentication factors can differ and each may exhibit different vulnerabilities which may be exploited.” This means that it’s not enough to randomly choose two elements of MFA, but the options should be considered with the credit union’s risk assessment so the credit union can choose the MFA options best suited to its operations.
The guidance includes some considerations for evaluating options for multi-factor authentication, including varying MFA options depending on different risks presented by services and customer segments, such different options for business or consumer customers. Additionally, for riskier transactions, strong authentication, such as MFA solutions using hardware and cryptographic factors, can decrease the risk of unauthorized access. Credit unions might also consider that for remote users, remote access software can be protected with MFA user credentials in order to improve the security of the means of access.
Further, the guidance describes how credit unions can reduce the risk of loss by creating and implementing a user and member awareness program in order to educate users of digital services about security considerations. Elements of an effective awareness program may include an explanation of how members can determine the legitimacy of communication from the credit union, an explanation on how to use MFA and other controls offered by the credit union, instructions on how to monitor account activity, and instructions on the appropriate way to contact the credit union with concerns. Training and testing may also be implemented for employees, volunteers, and those expected to have regular access to credit union information systems.
The guidance goes on to discuss email systems, IT help desk authentication, and consumer identity verification. Ultimately, credit unions offering digital services may need to take a look at existing policies, procedures, and risk assessments to determine if these should be revisited and updated. The Appendix to the guidance contains a long list of examples of practices or controls related to access management, authentication, and supporting controls that a credit union may want to consider.
-----------------------------------------------------------------------------------------
EXTRA EXTRA - NCUA webinar on modernized examination tools
NCUA announced it will host a webinar on the agency’s modernized examination tools on Wednesday, September 8, beginning at 2 p.m. Eastern. Registration for this hour-long webinar is available here.