According to an original article by Jaikumar Vijayan on Computerworld,
most banks appear to be unprepared to meet the Dec. 31 deadline for
complying with the federal security guidelines. Many of the banks are
complaining that the guidelines are not mandatory and they don’t
specify what form of strong authentication methods should be
A recent Alarmed column by CSO’s Sarah Scalet
also bemoans the fact that banks are falling short of these guidelines
and that many banks are proudly marketing authentication that falls far
short of any reliable form of online security.
Berlind’s fellow ZDNet blogger, George Ou, goes so far as to write that banks are cheating their way toward the guidelines, which list three main factors of security that need to be present. However, Computerworld points out that many banks
are trying to get around the guidelines by adding one or two additional
factors to the most common form of online banking authentication (what
the user knows: user ID and password), by piling those items into the
Ou also points out that no security
expert would ever count multiple instances of “something the user
knows” as multifactor authentication.