FFIEC Compliance with Multi-Layered, Multifactor Authentication

Image-Based, Multifactor Authentication

On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its Authentication in an Internet Banking Environment guidance, first issued in 2005. The supplement sets out the minimum authentication controls expected for online banking activities. It directs financial institutions to formally assess their existing authentication methods and to implement more secure techniques and enhanced technologies.

The updated guidance states that financial institutions must use multifactor authentication and also employ multiple layers of authentication.

Multifactor Authentication

Multifactor authentication means verifying two or more of the following types of authentication factors:

  • Something the user knows (such as a password, PIN, or other type of secret knowledge)
  • Something the user has (such as a mobile phone or smart card) 
  • Something the user is (biometric characteristics such as a fingerprint) 

Multiple layers of authentication means that financial institutions should apply different security and access controls at different points in the online banking session. For example, the user is authenticated at the initial login and then again, using a different authentication method, when they attempt a high-risk transaction such as a money transfer or when the session's behavior or device appears suspicious. The FFIEC guidance calls for a risk-based approach: monitor the session for anomalies and prompt for an additional, different type of authentication whenever a high-risk situation or anomaly is identified.
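The following is an added illustration of the risk-based, layered approach described above; it is not code from Confident Technologies or from the FFIEC. A session records which factor types were verified at login, each request is scored against a few risk signals, and when the score crosses a threshold the policy demands a factor type that the login did not already use. The action names, signal weights, thresholds and the 900 km/h travel-speed anomaly are assumptions chosen for the example.

```python
"""Risk-based step-up authentication policy (added example, not vendor code)."""
from dataclasses import dataclass, field

FACTOR_TYPES = ("knowledge", "possession", "inherence")
# Actions treated as high risk; the list is an assumption for this example.
HIGH_RISK_ACTIONS = {"wire_transfer", "change_contact_info", "password_reset", "admin_settings"}
LARGE_TRANSFER = 1000.0       # assumed: transfers above this amount score extra
STEP_UP_SCORE = 50            # assumed: at this score an extra layer is required once per action
ALWAYS_STEP_UP_SCORE = 100    # assumed: at this score every attempt is re-authenticated
IMPLAUSIBLE_TRAVEL_KMH = 900  # assumed: a location change faster than this is an anomaly


@dataclass
class Session:
    user: str
    device_id: str
    known_devices: frozenset                       # devices previously seen for this user
    login_factors: frozenset                       # factor types verified at initial login
    stepped_up: set = field(default_factory=set)   # actions already re-authenticated this session


def risk_score(session, action, amount=0.0, travel_kmh=0.0):
    """Additive score from device, behaviour and transaction signals."""
    score = 0
    if session.device_id not in session.known_devices:   # unknown device
        score += 50
    if travel_kmh > IMPLAUSIBLE_TRAVEL_KMH:               # behavioural anomaly
        score += 60
    if action in HIGH_RISK_ACTIONS:                       # high-risk transaction type
        score += 50
    if action == "wire_transfer" and amount > LARGE_TRANSFER:
        score += 30
    return score


def next_factor(session):
    """Pick a factor type the login did not already use, so the new layer differs."""
    for factor in FACTOR_TYPES:
        if factor not in session.login_factors:
            return factor
    return "possession"   # all types used at login: re-verify possession with a fresh OTP


def decide(session, action, amount=0.0, travel_kmh=0.0):
    """Return 'allow', or ('step_up', factor_type) when another layer must be satisfied first."""
    score = risk_score(session, action, amount, travel_kmh)
    if score < STEP_UP_SCORE:
        return "allow"
    # Moderate risk: one successful step-up per action per session is enough.
    if score < ALWAYS_STEP_UP_SCORE and action in session.stepped_up:
        return "allow"
    return ("step_up", next_factor(session))


def record_step_up(session, action):
    """Call after the extra layer succeeded so the same action is not re-prompted."""
    session.stepped_up.add(action)


if __name__ == "__main__":
    alice = Session("alice", "dev-1", frozenset({"dev-1"}), frozenset({"knowledge"}))
    print(decide(alice, "view_balance"))                 # allow
    print(decide(alice, "wire_transfer", amount=250.0))  # ('step_up', 'possession')
```

The policy never re-uses the login's factor type for the step-up, which is the "different authentication method" the guidance asks for, and a very high score (unknown device plus a large transfer, for instance) forces re-authentication on every attempt rather than once per session.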


Image-based, multifactor authentication solutions from Confident Technologies help financial institutions meet FFIEC compliance requirements for multifactor authentication, and multiple layers of authentication.


New Threats Create the Need for a Secure Second Factor™

A Multi-Layered, Multifactor Solution for Strong Authentication 

Some financial institutions have deployed a two-factor authentication approach that relies on the user's mobile phone as the second factor (something the user has). The most common method in use today sends a one-time authentication code to the user's mobile phone in a plain-text SMS message; the user then types the code into the web page to complete the authentication. This approach is weak for two main reasons. (1) The process does not remain out-of-band: the code is delivered to the phone but entered back into the same web session it is meant to protect. (2) Plain-text SMS is an unencrypted channel that can be intercepted. Cybercriminals use mobile malware to intercept text messages intended for the user and forward them to their own phones, so they can authenticate their own fraudulent transactions. This is known as a Zeus-in-the-mobile, or Zitmo, attack.

In addition to the rapidly growing volume of malware targeting mobile operating systems and the SMS channel, mobile devices are frequently lost or stolen.

Confident Multifactor Authentication™ from Confident Technologies is a more secure approach to two-factor mobile authentication. It delivers an image-based authentication challenge to the user's mobile phone, and the user must correctly solve that challenge on the phone, using their knowledge of their pre-chosen secret categories, in order to complete the authentication.

By requiring the user to apply a piece of secret knowledge on the second-factor device itself, Confident Multifactor Authentication provides a multi-layered, multifactor solution. It protects the second factor by checking that the person holding the phone also knows the secret categories, so a stolen phone or an intercepted message is not enough on its own. The entire process remains out-of-band from the web session, which makes it stronger than the common approach of sending a code out-of-band and then having the user type it into the web page.

Flexible Deployment for Multiple Layers of Authentication

Confident ImageShield™ is an image-based authentication technology that can be integrated at various points in the online banking environment to serve as an additional layer of authentication.

When the user first registers, they select a few categories of things they can easily remember. Each time an additional layer of authentication is needed, the user is presented with a Confident ImageShield and simply identifies the pictures that match their previously chosen secret categories. The specific pictures, and the letters overlaid on them, are different each time, so each response is a one-time password, while the user always looks for the same few categories.

Below are examples of ways Confident ImageShield can be used as an additional layer of authentication:

Strengthen Login Security with One-Time Passwords

Strengthen the security of logins by adding Confident ImageShield as a second layer of authentication alongside the traditional username and password. Confident ImageShield adds a one-time password to the login; the vendor's stated figure is that this makes the login more than 99.99% secure, meaning a guess succeeds less than one time in ten thousand, even if the user's username and password have been compromised. Its intuitive interface is easy for the average user, providing strong authentication without burdening users.
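The following added example shows the mechanics behind an image-category one-time password of the kind described above, for both the registration and challenge flow and the login-strength figure. It is an illustration written for this page, not Confident Technologies' ImageShield implementation: the picture catalogue, the 4x4 grid, the 32-symbol overlay alphabet and the single-use challenge store are all assumptions. The server keeps the category of every cell; only the pictures and their overlaid letters would be shown to the user.

```python
"""Image-category one-time password challenge (added example, not vendor code)."""
import hmac
import random
import secrets
from math import comb

# Constructed sample catalogue: category -> picture identifiers (assumption).
CATALOGUE = {
    "cats":    ["cat_01", "cat_02", "cat_03", "cat_04"],
    "boats":   ["boat_01", "boat_02", "boat_03", "boat_04"],
    "trains":  ["train_01", "train_02", "train_03", "train_04"],
    "flowers": ["flower_01", "flower_02", "flower_03", "flower_04"],
    "planes":  ["plane_01", "plane_02", "plane_03", "plane_04"],
    "dogs":    ["dog_01", "dog_02", "dog_03", "dog_04"],
    "bridges": ["bridge_01", "bridge_02", "bridge_03", "bridge_04"],
    "clocks":  ["clock_01", "clock_02", "clock_03", "clock_04"],
}
GRID_SIZE = 16                                    # assumed 4x4 grid
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"     # 32 symbols; look-alikes 0/O, 1/I dropped

_rng = random.SystemRandom()   # OS entropy; the default Mersenne Twister is predictable
_used_challenges = set()       # ids of challenges already answered (each is accepted once)


def make_challenge(secret_categories):
    """One picture from each secret category plus decoys from other categories,
    every cell overlaid with a distinct random letter, positions shuffled."""
    secret_categories = tuple(secret_categories)
    if not 0 < len(secret_categories) < GRID_SIZE:
        raise ValueError("need between 1 and GRID_SIZE-1 secret categories")
    cells = [(_rng.choice(CATALOGUE[c]), c) for c in secret_categories]
    decoys = [(pic, cat) for cat, pics in CATALOGUE.items()
              if cat not in secret_categories for pic in pics]
    cells += _rng.sample(decoys, GRID_SIZE - len(cells))
    _rng.shuffle(cells)
    letters = _rng.sample(ALPHABET, GRID_SIZE)    # distinct letters: one unambiguous answer
    return {
        "id": secrets.token_hex(16),
        "cells": [{"picture": pic, "category": cat, "letter": letter}
                  for (pic, cat), letter in zip(cells, letters)],
    }


def expected_response(challenge, secret_categories):
    """Server-side answer: the letters under the pictures in the secret categories."""
    wanted = set(secret_categories)
    return "".join(sorted(cell["letter"] for cell in challenge["cells"]
                          if cell["category"] in wanted))


def verify(challenge, secret_categories, response):
    """Order- and case-insensitive, constant-time comparison. The challenge is
    burned on first use, right or wrong, so it cannot be guessed repeatedly."""
    if challenge["id"] in _used_challenges:
        return False
    _used_challenges.add(challenge["id"])
    given = "".join(sorted(response.upper()))
    expected = expected_response(challenge, secret_categories)
    return hmac.compare_digest(given.encode(), expected.encode())


def guess_probability(grid_size=GRID_SIZE, n_secret=3):
    """Chance that one random pick of n_secret distinct cells is the right answer."""
    return 1 / comb(grid_size, n_secret)


if __name__ == "__main__":
    secret = ("cats", "boats", "trains")
    challenge = make_challenge(secret)
    for cell in challenge["cells"]:                      # what the user would see
        print(cell["picture"], cell["letter"])
    print(verify(challenge, secret, expected_response(challenge, secret)))   # True
    print(guess_probability(16, 3), guess_probability(36, 4))
```

The last line is the check behind a figure like "99.99% secure": with three secret categories on a 16-cell grid a blind guess succeeds one time in 560, so a success rate below one in ten thousand needs a larger grid or more categories (36 cells and four categories gives about one in 59,000), and any such figure also assumes the challenge is accepted once and attempts are rate-limited.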

Dynamic, Mutual Authentication for Anti-Phishing

Confident ImageShield delivers dynamic, mutual authentication that is well suited to anti-phishing. Unlike a static anti-phishing picture, which the user can passively ignore, Confident ImageShield is dynamic and requires the user's active engagement: the user must correctly solve the Confident ImageShield before they can enter their password on the site. The result is a form of mutual authentication. The user knows they are not on a phishing site because only the legitimate website can present a Confident ImageShield containing their secret categories, and at the same time the user is authenticated to the website.

Replace Challenge Questions

Confident ImageShield can replace challenge questions, providing stronger authentication and a one-time password during high-risk transactions.

Add a Layer of Authentication During Password Resets

As a cloud-based solution, Confident ImageShield can be inserted as an additional layer of authentication anywhere in the online banking environment. The FFIEC guidance recommends requiring an additional form of authentication when users attempt to modify administrative functions, change contact information, reset their passwords, or take other potentially high-risk actions. Studies of human memory have found that people recall images and categories far better than passwords, so users can still authenticate with Confident ImageShield after they have forgotten their password, or when they encounter the image-based challenge only infrequently.

Easily Integrated with Existing Security Processes and Technologies

Confident ImageShield can be integrated with other security technologies, online banking platforms, and mobile applications. It is also available as a white-label solution for OEM use with other security providers or technologies.

To learn more about image-based authentication solutions for FFIEC compliance, contact us.