Better Mutual Authentication

FSTC has now completed the first phase of its Better Mutual Authentication (BMA) program. The BMA Phase 1 Project established core financial industry requirements and put forward a series of recommendations aimed at improving authentication practices for online retail financial services. A key finding was that effective authentication practices rely on combinations of techniques. While specific techniques, such as shared secrets, two-factor authentication, knowledge-based queries, or dynamic risk analysis, are important, multiple such techniques need to be combined in order to achieve adequate trust and confidence without unduly burdening consumers. A premise developed during Phase 1 is that multiple techniques are necessary, but with sufficient interoperability to allow customers to use a specific technique with multiple financial service providers.

In order to support further evaluation of solutions employing multiple authentication techniques, BMA Phase 1 also developed a comprehensive taxonomy of techniques available to financial institutions and consumers. This taxonomy can be used as a tool to develop requirements, evaluate solution options, or explore new product or service features.

BMA Phase 1 went on to break new ground by developing an architectural framework for authentication solutions based on multiple techniques used in combination, whether as parallel methods or as alternatives that can be employed in different circumstances or to meet specific application requirements. For example, an account opening application will generally require different authentication techniques than what might be appropriate for casual review of online statements. Similarly, use of two-factor authentication devices for account access will need to be complemented by alternative techniques that can be employed when a legitimate customer’s second factor device is not available, whether because it has been lost, does not work, or was left “at the office.”

Twenty-eight financial institutions, industry associations, government agencies, and technology vendors participated in the FSTC BMA Phase 1 Project, representing tremendous depth and breadth of domain expertise. This collective expertise resulted in new insights and breakthrough developments in understanding of the problem and solution approaches. At the same time, the participants recognized and leveraged the important work being conducted in other industry fora on the problems of authentication in a 21st century context. While much progress is being made, there is much yet to be done, and so the BMA participants hope to encourage and support other efforts by sharing key deliverables from FSTC’s work. Already, FSTC has worked with the Securities Industry Association (SIA), ANS X9, W3C, OATH, and Liberty Alliance on the challenges associated with authentication, and seeks to promote further collaboration in this space.

FSTC is making available the following BMA documents for download and review by all interested parties:

In addition, FSTC will provide the following documents to individuals who complete this contact form.

FSTC is also preparing plans for BMA Phase 2 efforts, and encourages interested parties to learn more about these plans by sending a request for more information to BMA-info@FSTC.org or by calling Dan Schutzer at (917) 338 6480, or Carlotta Deprez at (859) 647-0263.

There will be two BMA Phase 2 organizing calls:
June 21 at 2pm Eastern
June 28 at 2pm Eastern.

The call-in number for both calls is +1 512 225 3050, code 803903#.

All interested parties are invited to participate in either or both calls.

FSTC’s Better Mutual Authentication initiatives represent collaborative efforts by financial institutions, industry associations, and technology vendors to expand use of the online channel for retail financial services. Consumer confidence in the online channel and trust in conducting financial transactions require that both the consumer and the financial service provider know whom they are communicating with—hence the focus on “mutual authentication.” At the same time, “better” techniques are needed for confirming the authenticity of both sides of an online financial transaction that will optimize safety, convenience, credibility, and resilience.

