
Opting Out of Multi-factor Authentication


Question: 
We have had several customers express ardent displeasure with multi-factor authentication and the desire to be "opted out." Our system allows for opt-out, but an FDIC examiner has told us that opt-out should never be allowed. I understand that it should be extremely limited, but if a very good customer says "turn it off," why should they not have the choice, since it is being put in place for their security, provided they are willing to sign some kind of hold-harmless agreement? From a regulatory compliance standpoint we are meeting our obligations by putting multi-factor authentication generally in place, but is the expectation that no customer ever be given a choice?
Answer: 

From the FFIEC FAQ:

Q-1- May an institution permit customers to “opt-out” of additional authentication controls?

A-1- No, the Agencies believe that permitting customers to opt-out is not an effective risk mitigation strategy and would undermine the effectiveness of the control. In addition, this would not address reputation risk to the institution. However, an institution may permit customers to choose between different authentication options provided the options offered are consistent with the guidance.

The complete document can be found here.

First published on BankersOnline.com 3/12/07

