Educause Security Discussion mailing list archives

FFIEC two-factor guidelines


From: Steve Brukbacher <sab2 () UWM EDU>
Date: Mon, 20 Feb 2006 16:11:41 -0600

Last week, discussions surrounding PKI implementations brought up a
point about a mandate for banks to implement two-factor authentication.

An excellent article about this very topic appears in the current issue
of CSO magazine.
Here's a link to the story:
http://www.csoonline.com/read/020106/second_thoughts.html

While it's not a "law" per se, the FFIEC (Federal Financial Institutions
Examination Council) makes sure agencies such as the FDIC and Federal
Reserve aren't going their own way on things.

I'm not seeing here where this applies directly to most higher ed unless
you are actually running a bank or are otherwise FDIC regulated. We're
still researching this to be 100% sure.

The article argues that this guidance doesn't "explicitly mandate
two-factor authentication." Other options are mentioned, such as
"...layered security or other controls reasonably calculated to mitigate
those risks." Layered security is defined here as multiple pieces of
"something you know", such as account, PIN and mother's maiden name.

(In the article, note the quotes from the UW Credit Union. I believe
this is actually a separate entity from the University.)

--
Steve Brukbacher
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224
