Best Practices for Implementing a Stronger Level of Authentication

University of Wisconsin Credit Union meets the FFIEC's online authentication deadline with a little help.


With online security on the minds of many credit union executives and the approaching FFIEC guidance deadline for strong online authentication, credit unions are looking for solutions that not only satisfy the federal guidance, but also balance security with end-user convenience.

As credit unions work through the critical phases of the initial risk assessment process, it’s important for them to consider best practices that address deployment before, during and after the new security roll-out is complete. In turn, this will help ensure a stronger security offering as well as the buy-in and approval of members.

The following recommendations are based on Corillian and the University of Wisconsin Credit Union’s (UWCU) real-world experience implementing a stronger level of authentication.


1. Proactively Communicate

The communications campaign around the roll-out of your authentication technology should begin well before the actual launch. Involving your members from the beginning will help drive involvement and acceptance prior to deployment as well as ensure a smooth transition.

UWCU chose to proactively communicate and involve their members in their security enhancement. They included a high-level, brief overview of what users should expect on its Web site.

2. Create Thoughtful Challenge Questions

Selecting a pool of thoughtful and meaningful challenge questions is an important part of a successful implementation. UWCU chose questions that its members “know” and avoided questions that require answers that will typically change over time.

You should also make sure the questions:

  • Are unique from user to user
  • Do not have a fixed list of answers (i.e, numerical “answers”)
  • Allow user and spouse to remember the answers
  • Consider-multicultural issues

Again, involve your members early. Ask a small segment of your member base for input on your challenge questions before you fully implement your new security technology.

Also, consider the size of your question and answer pool. At enrollment, your members will choose five or six questions. To provide flexibility and answer relevance, we recommend a minimum pool size of 25 questions, as the amount of questions generally needs to be four to five times the size of the number of questions that users will have to register.

3. Carefully Define Business Rules

Design your setup and key business rules to ensure it consistently supports your risk analysis and related tactical control plan. Before launch, consider how you want to handle things such as anonymous proxies, and any countries that should be blocked or always challenged.

UWCU recommends issuing a mandatory challenge question if a user has not been challenged for a given period of time – 30 days for example. This approach will remind users that the tool is actively running and the process is working.


1. Testing

It is important to evaluate your authentication technology with one or more test groups prior to launching to the entire member base. For example, UWCU first piloted with its technical and contact center employees and then expanded the pilot to all of their employees. By executing an early test phase, you will have an opportunity to leverage the results to refine your communication plan and drive any system fine-tuning efforts.

2. Implementation

Consider rolling your strong authentication solution out to your user base in phases, rather than all at once. Taking this phased approach can reduce excessive load on your call center.

Also, launch your new authentication technology separately from other online banking system releases and upgrades. Too much change at one time can be difficult for members to handle.

3. Enrollment

During user enrollment, consider making sign-up optional. For example, UWCU chose to allow users to enroll at their convenience by offering a flexibility option to skip the enrollment step for some specified period of time, after which enrollment would be required. Be sure to set a deadline to ensure your members are all enrolled by a target date.

Communication needs to be an ongoing priority throughout your roll-out phase. UWCU presented a Web page explaining how the enrollment process will work and underscored the importance of selecting memorable questions and answers since the same responses are required for access to its Web site.


After launch, closely monitor the challenge rate and the top reasons for challenges. Use the data to fine-tune your administrative configuration. Your security product vendor can also help with tuning and future planning.

Following these best practices can help ensure successful deployment of your strong authentication technology and, most importantly, the acceptance of your member base. Not only did UWCU experience a smooth and successful implementation, the credit union’s stronger authentication solution has successfully blocked 100 percent of the fraudulent logins due to phishing.


About Corillian

Corillian is the market leader of online banking, bill payment and fraud prevention applications to the financial services industry. Corillian's security solutions help its clients reduce the risk of system compromise and increase the confidence of their online members.




July 24, 2006



No comments have been posted yet. Be the first one.