Educause Security Discussion mailing list archives
FFIEC two-factor guidelines
From: Steve Brukbacher <sab2 () UWM EDU>
Date: Mon, 20 Feb 2006 16:11:41 -0600
Last week, discussions surrounding PKI implementations brought up a point about a mandate for banks to implement two-factor authentication. An excellent article about this very topic appears in the current issue of CSO magazine. Here's a link to the story: http://www.csoonline.com/read/020106/second_thoughts.html

While it's not a "law" per se, the FFIEC (Federal Financial Institutions Examination Council) makes sure agencies such as the FDIC and Federal Reserve aren't going their own way on things. I'm not seeing here where this applies directly to most higher ed unless you are actually running a bank or are otherwise FDIC regulated. We're still researching this to be 100% sure.

The article argues that this guidance doesn't "explicitly mandate two-factor authentication". Other options are mentioned, such as "...layered security or other controls reasonably calculated to mitigate those risks". Layered security is defined here as multiple pieces of "something you know", such as account, PIN and mother's maiden name.

(In the article, note the quotes from the UW Credit Union. I believe this is actually a separate entity from the University.)

--
Steve Brukbacher
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site www.security.uwm.edu
Phone: 414.229.2224