Yesterday’s release of a long-anticipated update to the FFIEC’s Authentication in an Internet Banking Environment guidance document breaks little new ground. It emphasizes commercial banking account protections in particular and a more general shift toward “layered” controls instead of a focus on multi-factor authentication. Financial institutions are encouraged to employ layers of defense based on risk, sensible advice already practiced by FIs and e-commerce participants.
Remarkably, the document makes no mention of the mobile channel in particular. While generally applicable guidelines are broadly useful and an admirable goal, the mobile channel and smartphone platforms offer advantages and risks that could have been explicitly addressed to everyone’s advantage.
It is unfortunate that the FFIEC has not taken a more proactive approach to managing banking security and risk. Today’s guidelines are useful for today, but as the threat environment evolves we will need more substantive protections. This document does little to steer us toward building the more robust defenses we already know the future will demand.