On October 15, the Financial Industry Regulatory Authority (FINRA) released an information notice (Notice) providing additional background on authentication techniques for firms to consider as they implement cybersecurity authentication programs.
The Notice provides an overview of authentication factors that may be based on various categories of information, including PINs or passwords, “hard” physical tokens (such as key FOBs) and “soft” tokens (such as mobile phone app) that generate temporary or time-based passwords.
The Notice clarifies that the use of single-factor authentication may subject broker-dealers and customers to heightened risk of attacks on password credentials, and represent the vast majority of the hacking tactics associated with reported breaches. FINRA specifically emphasized that the use of multi-factor authentication, which uses two or more different types of factors or secrets, significantly reduces the likelihood that the exposure of a single credential will result in account compromise.
The Notice is available here.