Mike Rothman, president and principal analyst of Security Incite, said Federal Financial Institutions Examination Council (FFIEC) regulations might offer a loophole for organizations because they do not prescribe specific solutions to implement.
"It gives institutions the ability to do almost nothing," he said. "I think what the FFIEC has given us is an interesting metaphor to bring up a discussion that has to happen. But I'm not going to come out here and say in front of a couple hundred people that everyone has to buy strong authentication because that is not necessarily the case."
According to the guidelines, single-factor authentication is not acceptable for high-risk transactions. Banks have the freedom to decide how they want to layer additional levels of authentication.
Aaron Kechley, senior product manager in the consumer security division at RSA, best known for its authentication tokens, said the government's goal is not to offer a template for compliance - only to serve as a "catalyst" for change.
And customers and vendors are taking notice, he said.
"Customers are coming to us, saying they need to do something," Kechley said. "There's a lot of investment going on in the industry because of this regulatory guidance, and the industry is coming out with a lot of interesting (solutions)."
Chris Voice, CTO of fraud detection vendor Entrust, said customers are slowing their use of online sites because they are worried about identity theft, which is what makes the FFIEC guidelines so crucial.
But because there are no formal regulations inserted in the guidelines, institutions that must comply can choose from a bevy of options. That will make it important for organizations to "invest in a platform that allows you to have different pluggable methods for authentication," Kechley said.
The panel said enterprises should choose a solution based on what their business is trying to accomplish. Some will be more costly than others. Meanwhile, others, such as biometrics, have yet to show widespread reliability.
"Work with a solution that delivers what you need," Voice said.
The two-day Security Standard conference, produced by IDG, concluded today.
Click here to email reporter Dan Kaplan.