Last updated on October 11, 2024
In today’s increasingly digital landscape, the security of financial institutions has never been more critical. The Federal Financial Institutions Examination Council (FFIEC) has established comprehensive guidelines to ensure the protection of sensitive financial data and systems. Among the key recommendations is the implementation of Multi-Factor Authentication (MFA) to bolster security measures against evolving cyber threats.
What is the FFIEC?
The FFIEC is a governmental body that provides uniform principles, standards, and report forms for the federal examination of financial institutions. Its members include representatives from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The council’s guidance is a benchmark for maintaining robust security protocols within financial institutions.
The Importance of MFA in Financial Institutions
Multi-Factor Authentication (MFA) is a security measure that requires more than one authentication factor to verify a user’s identity for a login or other transaction. This typically includes a combination of two or more of the following:
- Something You Know: Password or PIN.
- Something You Have: Smart card, mobile device, or FIDO security key.
- Something You Are: Biometric verification, such as fingerprints or facial recognition.
How Can MFA Help Financial Institutions Stay Safe?
Enabling Multi-Factor Authentication and applying the principle of least privilege for user access can significantly enhance security. This approach can effectively safeguard against financial losses and data breaches caused by diverse threats. It also aids in reducing the risk of unauthorized access, which could lead to system configuration changes, data exfiltration, or lateral movement within a network or system by threat actors.
FFIEC’s Guidance and MFA
The FFIEC’s guidance on Authentication and Access to Financial Institution Services and Systems underscores the necessity for financial institutions to implement MFA as part of their cybersecurity strategies. This recommendation comes in response to the significant risks associated with cyber threats, particularly those targeting single-factor authentication systems.
Key Points from FFIEC Guidance:
- Risk Assessment:
- Financial institutions should conduct regular risk assessments to identify and mitigate authentication risks.
- All users and customers who require authentication and access controls must be identified, including those that require security measures like Multi-Factor Authentication (MFA).
- The assessment should cover all information systems, digital banking services, and users, including customers, employees, and third parties.
- Layered Security:
- A layered security approach should be adopted, incorporating multiple preventive, detective, and corrective controls.
- MFA should be implemented as part of this layered security, especially where single-factor authentication is deemed inadequate.
- Monitoring and Logging:
- Institutions should establish robust monitoring, logging, and reporting processes to detect and respond to unauthorized access attempts.
- Education and Awareness:
- Continuous user and customer education programs should be in place to raise awareness about authentication risks and best practices.
Enhance Your Digital Security with the Rublon Newsletter
Dive into a world of timely cybersecurity updates and professional guidance, all conveniently dispatched to your inbox. Click below to join our community and arm yourself with essential tools for a secure online experience.
Implementing MFA: Best Practices for FFIEC Compliance
To effectively comply with FFIEC’s Multi-Factor Authentication (MFA) requirements, financial institutions can adopt the following best practices:
1. Comprehensive Risk Assessment
Perform regular and thorough risk assessments to understand the potential threats to your systems and data. Identify high-risk transactions and users that warrant enhanced authentication controls and secure them with Multi-Factor Authentication (MFA).
2. Phishing-Resistant MFA
Implement phishing-resistant MFA for access to critical resources using FIDO security keys. Phishing resistance is a vital requirement for an MFA system that protects private information and shields monetary transactions. Enabling Phishing-Resistant MFA allows for maximum protection against cyber threats that pose a significant risk to financial services.
3. Out-of-Band MFA
In situations where the use of phishing-resistant security keys is structurally or financially infeasible, use Out-of-Band Authentication. Multi-Factor Authentication should use a secure authentication channel for the second authentication factor. This can be realized in the form of Mobile Push notifications sent to the employee’s phone with the Rublon Authenticator mobile app. This approach is compliant with the definition of Out-of-Band Devices in section 5.1.3 of the NIST SP 800-63B Digital Identity Guidelines on Authentication and Lifecycle Management.
4. Biometric Lock
Encourage the use of a biometric data lock in the MFA authentication app like Rublon Authenticator that is installed on the user’s device. Such authenticator apps that support biometric locks can help upgrade Two-Factor Authentication into Three-Factor Authentication, effectively improving the overall security of the authentication process.
5. Robust Access Policies
Use security policies applied on a per-application and per-group basis to gain full control over your applications, users, and user groups. Access policies can help you administer your organization on a granular level by conforming to the architecture of Policy-Based Access Control (PBAC).
6. Layered Security Approach
Incorporate multiple layers of security to protect against unauthorized access. This includes using MFA in conjunction with other security measures like encryption, user time-outs, and network segmentation.
7. Organization-Wide Multi-Factor Authentication
Wherever and whenever possible, enable MFA on all applications, endpoints, servers, and VPNs. All users should be protected, including remote users who access the company’s network via remote access software, as well as partners and contractors who require limited access. Always have other cybersecurity regulations like PCI DSS, SOX, NY-DFS 23 NYCRR Part 500, GLBA, NAIC, DORA, and the FTC Safeguards Rule in mind. This is why financial institutions should implement MFA in a wide and all-embracing context in a way that can make them compliant with both current and future cybersecurity requirements.
8. Continuous Monitoring and Incident Response
Implement continuous monitoring and logging of user activities to quickly identify and respond to suspicious behavior. Maintain detailed authentication and audit logs to reconstruct events and promote accountability.
9. Regular Updates and Patches
Ensure all software and hardware are regularly updated and patched to protect against known vulnerabilities. This includes email systems, internet browsers, and remote access software.
10. User Training and Education
Provide ongoing training for employees and customers about the importance of Multi-Factor Authentication and how to recognize and avoid phishing and other social engineering attacks.
How Rublon MFA Complies With FFIEC Requirements
| Title | Requirement | Rublon MFA |
| II.C.5 Inventory and Classification of Assets | “After inventorying the assets, management should classify the information according to the appropriate level of protection needed. For example, systems containing sensitive customer information may require access controls based on job responsibilities.” | Enforces access policies based on user groups or application type, ensuring sensitive information is only accessible by authorized personnel. |
| II.C.7 User Security Controls | “Users should be granted access to systems, applications, and databases based on their job responsibilities.” | Allows creating user groups corresponding to job responsibilities, allowing the customization of access to systems, applications, and databases based on the user’s role and responsibilities within the organization. |
| II.C.7(a) Security Screening in Hiring Practices | “ In addition to initial screening, management should remain alert to changes in personal circumstances of employees and contractors that could increase incentives for system misuse or fraud.” | Allows setting the user enrollment type to Manual, which requires administrators to accept every user before they can be registered in the centralized Admin Console. |
| II.C.7(c) Segregation of Duties | “Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.” | Gives Owners the power to add, edit, and remove administrators, as well as change the administrator role to adjust their privilege level. Includes Audit Logs that list all administrator activities. |
| II.C.9 Network Controls | “Management should secure access to computer networks through multiple layers of access controls by doing the following:[…] Implementing appropriate controls over wired and wireless networks.” | Secures remote access by integrating MFA with VPNs, Microsoft Remote Desktop Services (RDS), Linux SSH, and other remote access software, ensuring only authenticated users can access the network remotely. |
| II.C.14 Supply Chain | “During the risk identification process, management should identify factors that may increase risk from supply chain attacks and respond with appropriate risk mitigations.“ | Increases the security of access and digital interactions within the supply chain by enforcing phishing-resistant multi-factor authentication (MFA). |
| II.C.15(a) Operating System Access | “System and security administrators should restrict and monitor privileged access to operating systems and system utilities.” “Prohibit remote access to operating system and system utilities, where feasible, and, at a minimum, require strong authentication and encrypted sessions before allowing such remote access.” | Secures local and remote access to operating systems (Windows logins, RDP connections, and UAC Elevation on Windows and SSH on Linux) with sophisticated “strong authentication” in the form of MFA, including access policies that allow disabling or restricting access for given applications or user groups and achieving temporary, minimum-level access using Bypass Codes if necessary. |
| II.C.15(b) Application Access | “Management should implement effective application access controls by doing the following: Implementing a robust authentication method consistent with the criticality and sensitivity of the application. Easing the administrative burden of managing application access rights by using group profiles. Managing access rights individually can lead to inconsistent or inappropriate access levels.” | Allows securing cloud and on-premises applications with phishing-resistant multi-factor authentication. Gives administrators the capabilities to enforce access policies based on applications or user groups for easier management. |
| II.C.15(c) Remote Access | “Management should develop policies to ensure that remote access by employees, whether using institution or personally owned devices, is provided in a safe and sound manner. Such policies and procedures should define how the institution provides remote access and the controls necessary to offer remote access securely.” | Enables MFA for VPNs using the RADIUS, LDAP, or SAML protocol. Enables MFA for remote desktop software, such as Remote Desktop Protocol (RDP), Remote Desktop Gateway (RDG), Remote Desktop Web Access, and Remote Desktop Web Client, among others. Enables MFA, thus allowing the use of robust authentication methods (including phishing-resistant FIDO U2F & FIDO2 security keys and FIDO2 passkeys) for access to secure communications. Allows disabling or restricting remote access if not needed at a time or to a given resource. |
| II.C.15(d) Use of Remote Devices | “Log remote access communications (including date, time, user, user location, duration, and activity), analyze logs in a timely manner, and follow up on anomalies.” “Implement robust authentication methods for remote access.” | Saves all remote access information in the Authentication Logs in the centralized Admin Console. Also saves access information in a log file located on every endpoint. Allows using multiple robust authentication methods for remote access. |
| II.C.16 Customer Remote Access to Financial Services | “Management should do the following: Develop and maintain policies and procedures to securely offer and strengthen the resilience of remote financial services, if the institution offers such services.” | Enables sophisticated phishing-resistant MFA and access controls like access policies, short-lived authentication sessions, out-of-band authentication, mobile-based authentication with appropriate enrollment and unenrollment capabilities, etc. |
| II.C.17 Application Security | “Applications should provide the ability for management to do the following: Implement a prudent set of security controls (e.g., password and audit policies), audit trails of security and access changes, and user activity logs for all applications. Establish user and group profiles for applications if not part of a centralized identity access management system.” | Secures core banking applications, web applications, installable applications like mobile apps, and much more with robust MFA. Can protect both custom applications developed in-house (using SDKs) and those acquired from third parties (using authentication protocols or dedicated plug-ins), as long as the organization has control over them. Includes Authentication Logs and Audit Logs that list user logins and administrator activities, respectively. Allows creating application-based and user group-based access policies. |
| II.C.18 Database Security | “For application accounts, management should strengthen authentication and monitoring requirements to minimize the potential for unauthorized use.” | Can integrate with databases via RADIUS, LDAP, or SAML to enforce robust multi-factor authentication that minimizes the potential for unauthorized access and use. |
| II.C.22 Log Management | “Institutions maintain event logs to understand an incident or cyber event after it occurs. Monitoring event logs for anomalies and relating that information with other sources of information broadens the institution’s ability to understand trends, react to threats, and improve reports to management and the board.” | Includes Authentication Logs and Audit Logs that list user logins and administrator activities, respectively. Allows changing the administrator’s role to decide which kind of logs they can view. Allows log export to a CSV file and SIEM systems. |
Embark on Your Free 30-Day Multi-Factor Authentication (MFA) Journey
There’s no time like the present to fortify your digital universe! Kickstart your 30-day trial of Rublon MFA today and help yourself achieve FFIEC compliance today. Rublon is straightforward to configure, effortless to use, and compliant with other regulatory requirements for financial institutions like PCI DSS, DORA, NYDFS, and more.
Bear in mind, in the digital realm, security isn’t a privilege, it’s an imperative. So, why delay? Launch your free trial today and stride towards a more secure tomorrow with Rublon MFA.
Conclusion
The FFIEC’s guidance on Multi-Factor Authentication is a crucial step towards fortifying the security of financial institutions in an era of sophisticated cyber threats. Financial institutions can significantly reduce the risk of unauthorized access and data breaches by implementing MFA and adhering to the council’s comprehensive recommendations.
Adopting MFA is not just about compliance; it’s about safeguarding the integrity and trust that are foundational to financial services. As cyber threats continue to evolve, so too must the security measures that protect against them. Through diligent risk assessment, layered security, continuous monitoring, user education, and implementation of Multi-Factor Authentication (MFA) for all users and applications, financial institutions can create a robust defense against the ever-present dangers of the digital age.
By following these guidelines and continuously improving security measures, financial institutions can ensure they are not only compliant with FFIEC standards but also well-protected against the myriad of threats that target the financial sector today.
