How Authentication in Internet Banking Works


Once considered unique to each individual, the human voice has been shown by artificial intelligence to be convincingly cloneable. In banking, this means that voice-based biometric passwords are no longer the fail-proof layer of unhackable authentication that bank users hoped they would be. These new challenges in Internet banking make up the Wild West of the authentication industry.

Luckily, the Federal Financial Institutions Examination Council (FFIEC) acts as a kind of sheriff, providing guidance on industry best practices. The FFIEC addresses some of the longest-standing security threats in verifying the identity of a new or established user. The latest guidance on “Authentication and Access to Financial Institution Services and Systems” arrived in 2021, supplanting previous advice. In this document, the council “describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the online products and services.”

What is FFIEC’s authentication in an Internet banking environment?

You expect to present identification when you open a bank account. To use a bank account online, you must log in to a website or bank application. Each login attempt includes authentication, the process of proving your previously verified identity. But it’s not just consumers with a bank account who should be authenticated. Consumer-permitted third parties (such as budgeting software that accesses bank data) and employees should also be authenticated to increase the safety of bank and user data and funds.

More than just a login issue, FFIEC authentication in an Internet banking environment refers also to proper management of emails used in banking, IT help desks, and call centers used by consumers. 

Recommendations for financial institutions include threat identification through detailed risk assessments to analyze the threat landscape, among other areas of guidance. 

Why Authentication in Internet Banking Matters

Think back to the Equifax data leak of 2017. The leak exposed personal information like names, dates of birth, addresses, and Social Security numbers. With that type of personal information exposed for millions of users in one hack alone, the ability of thieves to impersonate victims for financial crimes increases. These types of leaks and hacks are not uncommon. Consider the hack of information from users of 23andMe. As cybercrimes proliferate and personal data is made available, layers of authentication become crucial for business operations. In banking, they can be a final stop before fraudsters access a user account or a bank’s organizational network.

Luckily, compliance with authentication standards set out by the FFIEC can support compliance with consumer financial protection laws. 

How Authentication Works in Internet Banking Environments

Each institution is granted the leeway to apply its own standards in authentication. That’s because each institution has its own risk profile and its own intricate technological and operational practices. However, the FFIEC recommends the use of multi-factor authentication (MFA), which is defined as the use of something a user knows, something a user has, and something a user is. Memorized secrets, secrets that can be looked up, out-of-band devices, one-time passwords, biometrics, and cryptographic keys are allowed.

Additionally, the guidance from the council recommends regular evaluation of all known security threat points. Notwithstanding the rise of social engineering, the use of manipulation and deceit to obtain personal identifying information from victims, continued vigilance against the use of simple passwords and single-password-only logins can help retail and commercial bank operations remain safe.

Trends and Updates in Internet Banking Authentication

As described by the FFIEC, old information systems can create uniquely fruitful opportunities for security attacks. In these systems, security patches may not be up to date for various reasons. But it’s not just long-serving and out-of-date systems that create challenges for security. Trends and updates in Internet banking authentication most often center on relatively recent developments like the increased use of third parties and application programming interfaces (APIs). 

Increasingly, even artificial intelligence presents the opportunity for fraud in surprisingly sophisticated ways. We discussed the possibility of cloning a voice to use over the phone as an ID in our introduction. This thwarts voice biometrics, but AI has also shown that it can take a single image of a person and animate it, potentially throwing a wrench in the plans banks have to authenticate users by way of a photo ID coupled with a live selfie. This prospect looms large in a risk environment already rife with synthetic identity fraud. Creative solutions remain to be seen but are surely on the horizon.

BankersHub offers certifications for supervisors, managers, and top-performing staff to help them move up the ladder as leaders in banking. Our eBanking Professional Certification dives deep into topics like “FFIEC Guidance on Authentication in Internet Banking” and fraud. Our eBanking Specialist certification delves into topics such as “Understanding the Identity Theft Red Flags Rule” and “Mobile Security Threats” to enhance your mastery of these topics.

