US financial regulators cite biometrics in urging stricter customer authentication
A new set of guidelines on customer authentication encourages U.S. financial institutions to improve their security provisions through methods ranging from password controls to biometrics.
To address the fast-changing technological landscape within finance (and potentially faster-moving security threats), the Federal Financial Institutions Examination Council (FFIEC), made up of five banking regulatory bodies, has published Authentication and Access to Financial Institution Services and Systems. This replaces Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011).
The guidelines provide examples of effective authentication procedures and risk management principles for access. The guidance covers financial institutions’ handling of customers, third parties and their own employees, as well as digital banking services.
The document outlines the threats that arise as online and mobile access to financial services and banking increases. It cautions against the weaknesses of single-factor authentication and explains how multi-factor authentication (MFA), including biometrics, can prove more secure. An appendix on authentication solutions lists one-time passwords, behavioral biometrics, and device-based verification, which may also be triggered with biometrics.
Banks should tighten their onboarding procedures and call center processes, as bad actors have been able to manipulate call handlers into resetting account passwords. Voice biometrics are listed as an example of strengthened call center security.