
Re: Gold49er post# 171670

Monday, 07/03/2017 4:00:29 PM

Umm, you even have it quoted.

You're really confused.

The 2001 guidance MFA was a standard.

The 2006 guidance you keep referring to was just UPDATED 2001 guidance so that institutions would risk assess their customers/online transactions to see which transactions/customers single factor would be inadequate for, customer awareness and additional enhanced security as explained in the first paragraph of the 2006 guidance you just linked.

The guidance, issued on October 12, 2005, updates the FFIEC's guidance entitled Authentication in an Electronic Banking Environment issued in 2001. It addresses the need for risk based assessments, customer awareness, and enhanced security measures to authenticate customers using Internet-based products and services that process high risk transactions involving access to customer information or the movement of funds to other parties.

The attached FAQs are a representation of questions the Agencies have received from financial institutions, Agency examiners, and technology service providers and they address the scope of the guidance, risk assessments, the time frame for implementation, and other issues.

However, the guidance identifies circumstances under which the agencies would view the use of single factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted.

Here is the part you left out.

When risk assessments indicate the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Single-factor authentication tools, including passwords and PINs, have been widely used for a variety of Internet banking and electronic commerce activities, including account inquiry, bill payment, and account aggregation. However, financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Now I think this is where you are confused: if you have access to customer information, or you're moving money, you need MFA, layered security or other controls.

As I have stated many times, in 2001 MFA was here and an industry standard. There are many forms of MFA, and OOB/MFA is not the only form acceptable, but a standard.

The 2012 guidance further expanded the 2001 and 2006 guidance to cover OOB/MFA for high-risk transactions, and as shown before:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

So if you log into your bank account online and can see customer info (YOU CAN, IT'S your bank account: statements, images, etc.) or can move money to "other parties", single-factor authentication HAS BEEN INADEQUATE since 2001, and MFA, layered security, or other access controls are needed; since 2012, OOB/MFA!

Here are all 3 FFIEC standards:
2001
2006
2012 regs

As stated and proven, MFA has been an industry standard since 2001; OOB/MFA has been an industry standard since 2012.