The Federal Financial Institutions Examination Council (FFIEC) required all financial institutions to support multi-factor authentication (MFA) for accessing Internet-facing applications that hold personal data by Dec. 31, 2006. As referred herein and understood in the art, MFA refers to the requirement for accessing an information technology (IT) system, application, or service with at least two different methods or factors of authentication. As also referred herein and understood in the art, IT encompasses all forms of technology used to create, store, exchange, and utilize information in its various forms, including but not limited to business data, conversations, still images, motion pictures, and multimedia presentations, and includes the design, development, installation, and implementation of hardware and software information or computing systems and software applications.
Accordingly, MFA delivers a higher level of authentication assurance than single-factor authentication, wherein an individual needs only one type of authentication to show access authorization to an IT system, application, or service. To adhere to the FFIEC-mandated MFA, financial institutions have implemented multiple authentication mechanisms such as passwords or personal identification numbers (PINs), biometric identifications, and the ubiquitous security tokens. As referred herein and understood in the art, a security token may be a hardware or software security token. A hardware security token includes credentials, such as one-time passwords (OTPs), stored in a dedicated physical device to aid an individual with user authentication to access an IT system, application, or service. Examples of hardware security tokens with OTPs include but are not limited to Safeword™ tokens by Secure Computing Corporation™, SecurID™ tokens by RSA™, and Digipass™ tokens by VASCO™. Unlike a hardware security token, a software security token includes credentials that may be stored on a general-purpose device, such as a computer, mobile phone, or personal digital assistant (PDA), to aid the individual with user authentication to access an IT system, application, or service. The same credentials that are stored in a hardware security token may be implemented in software as a software token stored in a general-purpose device.
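The two-different-factors requirement and the OTP token credential described above, as an added example that is not part of the patent text: the verifier accepts a login only when the presented credentials span at least two distinct factor categories (so a password plus a PIN is not MFA) and every presented credential verifies. HOTP (RFC 4226) stands in for a token's OTP scheme, which the page does not specify; the user record layout, the salt handling and the look-ahead window are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Factor category of each mechanism named on the page (assumed classification).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",        # a PIN is still "something you know"
    "otp": "possession",       # an OTP proves possession of the hardware/software token
    "biometric": "inherence",
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def make_secret(plaintext: str) -> dict:
    """Store a knowledge factor as salted PBKDF2, never in clear."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 100_000)}

def verify_secret(stored: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), stored["salt"], 100_000)
    return hmac.compare_digest(digest, stored["hash"])

def verify_otp(token: dict, candidate: str, look_ahead: int = 3) -> bool:
    """Accept an OTP once: search a small counter window, then move the counter past it (no replay)."""
    for step in range(look_ahead):
        counter = token["counter"] + step
        if hmac.compare_digest(hotp(token["secret"], counter), candidate):
            token["counter"] = counter + 1
            return True
    return False

def authenticate(user: dict, presented: dict):
    """Return (ok, reason); requires two distinct factor categories and all presented credentials valid."""
    categories = {FACTOR_CATEGORY[kind] for kind in presented}
    if len(categories) < 2:
        return False, "not multi-factor: credentials span only " + ",".join(sorted(categories))
    checks = {
        "password": lambda c: verify_secret(user["password"], c),
        "pin": lambda c: verify_secret(user["pin"], c),
        "otp": lambda c: verify_otp(user["token"], c),
    }
    for kind, value in presented.items():
        if kind not in checks or not checks[kind](value):
            return False, f"{kind} failed"
    return True, "ok"
```

The constructed user record in the test uses the RFC 4226 reference secret, so the accepted OTPs are the published test vectors.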
As referred herein, an enterprise may be a company, a corporation, or any other organization or business entity. Large business enterprises, such as large financial institutions, with multiple business units or divisions therein typically implement different types of security tokens for different business units, based on the preferences of the latter. For example, while a foreign exchange (FX) business unit of a financial institution may offer RSA SecurID™ tokens to individuals authorized to access the FX systems and applications via the Internet, a commodity exchange business unit of the same financial institution may offer VASCO Digipass™ tokens to individuals authorized to access its commodity exchange systems and applications via the Internet. The authorized individuals may be employees or customers of the enterprise or of one of its business units, or any other users authorized to access the enterprise's systems or the business applications therein. As referred herein, a business application is an application that is hosted by a business unit; such an application may be a financial application, an IT application, an engineering application, or any other application the business unit desires to host, depending on the type of business unit or the type of enterprise to which the business unit belongs.