Why do I have to answer challenge questions?

Financial institution sites require you to answer security questions (or use a similar control) because of a regulatory requirement for what is commonly called 'dual authentication'. Below is a copy of a press release about the requirements.

October 18, 2005

Regulatory Agencies Mandate Dual Authentication

The Federal Financial Institutions Examination Council (FFIEC, which includes the FDIC, Federal Reserve Bank, OCC, OTS, National Credit Union Administration, and state regulators) adopted revised Guidance last week that updates guidance it issued in 2001 entitled Authentication in an Electronic Banking Environment. The federal banking agencies issued directions to the financial institutions that they supervise that the agencies expect institutions to fully comply with the revised guidance by the end of 2006.

Basically, FFIEC considers "single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." In the future, banks will have to implement "multifactor authentication, layered security, or other controls."

The use of user IDs and passwords, a single authentication technique, as the sole means of access to online banking will no longer be acceptable. Soon, the most commonly used technique to gain access to your bank's online banking system will seem as antiquated as the Model T seems to current car owners.

The Guidance breaks down "authentication factors" into three broad categories:
  • Something the user knows (e.g., password, PIN);
  • Something the user has (e.g., ATM card, smart card); and
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).