How to Handle Identity in a Heavily Regulated Industry
While FFIEC’s mandate for MFA was made a year in advance of the December 2006 deadline, the industry lacked affordable, easy-to-use solutions. By mid-2006, financial institutions were still struggling with finding the best solution. With little time to implement and even fewer budgets, I chose the easiest and quickest path and deployed the “free” solution provided by our core systems provider. As a result, we found ourselves facing a string of member-service issues.
Hopefully, the following we learned the hard way will serve as a guide for other organizations grappling with this problem.
Don’t cut corners in a rush to achieve compliance. As a not-for-profit credit union, we couldn’t just throw money at the compliance problem. Several of the mega-banks had developed proprietary solutions. The most common solution available on the market was traditional hardware-based one-time-password (OTP) tokens. These physical tokens were too expensive and impractical for widespread use among our globally dispersed membership base.
We needed an OTP token alternative, preferably an affordable software solution. Our core solution provider had one, and only one, in its product portfolio, and we trusted their recommendation. Unfortunately, this solution didn’t perform as advertised.
Most MFA solutions require users to go through a somewhat lengthy enrollment process, with challenge questions and out-of-band authentication, in order to establish that users are who they say they are. After the initial time-consuming login, the user should be shielded from a long logon process.
With our solution, unfortunately, the enrollment process never ended. Devices weren’t authenticated properly and our users had to endure lengthy enrollment-style logons over and over – often during the same session if they had been timed out. As a result, members deluged our call center with complaints, and many left. The lesson here is to test your MFA solution extensively before rolling it out to your end users.
Find a unified authentication solution. Finally, we decided we had to change our MFA solution or risk losing more members. We issued a formal Request for Proposal to several well-known vendors.
We were in the process of installing a separate authentication and identity enforcement system for our employees, one that would give them secure remote access to internal applications via VPNs. The solution provider, MultiFactor Corporation, learned of our online banking troubles and informed us that their system, SecureAuth, could as easily handle member-facing applications as internal ones.
This was a surprise. Most vendors separate internal and external authentication and require that you purchase different systems for each.
Having a unified authentication solution is both a money- and time-saver. Now, we have one point of contact. The system is standardized, which makes support simpler for my small staff. Moreover, our solution was designed as a Web service, so it will be able to meet our needs as we evolve.
Keep it simple. Because user identities tend to be the weakest link in corporate security, many solutions employ elaborate schemes to protect those identities. Some require user names to have numbers and special characters. OTP tokens rotate passwords frequently and force users to carry around a physical device in order to keep up.
With solutions like SecureAuth, users need only remember what they always have, their default user names and passwords. They must go through some steps up front to ensure they are who they are, but from then on, the software handles all of the heavy lifting of authentication transparently.
If anything seems out of the ordinary, such as a logon from a public terminal or an unknown device, users will be asked for further identity factors. Depending on your organization’s preference, these could be answers to challenge questions, one-time PINs delivered by email or even interactive telephone calls.
Keep identities in house. To achieve compliance, access to personal information must be strictly controlled. With many solutions, this is a problem, since user identities, roles and privileges are handled by third-party service providers. Many of these service providers then outsource much of what they do to still other service providers.
A better solution is to leverage existing in-house data stores, such as LDAP or Active Directory. We did this, and as a result, identities stay in house, are controlled 100 percent by our staff, and are easily audited.
We have learned that MFA is not a project; it is a process that continues to develop as our technology and our membership changes. Also, while security is critical, the end user experience is just as important.
Five Common Authentication MythsMyth: Multi-factor authentication requires that we buy hardware-based tokens for our users.
Reality: Browser-based credentials are every bit as secure as hardware-based tokens, and they don’t burden security with help desk calls when they expire or are lost or stolen.
Myth: MFA is too expensive for my business.
Reality: When you factor in support and maintenance, all-software MFA solutions are often as affordable as user names and passwords alone.
Myth: MFA is too complicated for my already overworked staff.
Reality: New authentication solutions automate everything from enrollment to out-of-band authentication to expiring credentials.
Myth: I need different MFA systems for my employees, partners and customers.
Reality: Next-generation MFA solutions unify authentication, giving you a single system for VPN access for employees, Web access for customers and time-sensitive access for partners or contractors.
Myth: Deploying MFA will be a long, excruciating process.
Reality: Most businesses can evaluate, test and deploy software MFA in a month or two.