Financial institutions urged to look beyond FFIEC rules

21.11.2006

Similarly, strong authentication measures such as two-factor authentication offer no protection against so-called man-in-the-middle attacks, in which an attacker positioned between the customer and the bank's site can intercept and modify the traffic between the two parties. A one-time code captured this way and passed to the real site while it is still valid authenticates the attacker's session just as well as the customer's, because the code proves only that the user holds the token, not which site or transaction the user meant to authorize.
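To make the point concrete, here is an added example (not code from the article or from any vendor it names) that simulates a phishing proxy relaying a customer's time-based one-time code to the real site inside the same 30-second window. The seed, password, timestamps and host names are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30                                   # seconds per TOTP time window
SEED = b"constructed-demo-seed-not-a-key"   # constructed shared seed, demo only
PASSWORD = "correct horse"                  # constructed member password


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second window."""
    return hotp(secret, now // STEP)


class Bank:
    """Checks the password plus the token code for the current window.
    Nothing in the check binds the code to the host that submits it."""

    def __init__(self, password: str, seed: bytes):
        self.password, self.seed = password, seed
        self.sessions = set()

    def login(self, origin: str, password: str, code: str, now: int) -> bool:
        ok = password == self.password and hmac.compare_digest(code, totp(self.seed, now))
        if ok:
            self.sessions.add(origin)
        return ok


def relay_attack(bank: Bank, now: int, relay_delay: int = 2) -> bool:
    """A phishing page captures both factors and forwards them to the real bank
    a few seconds later, still inside the same TOTP window."""
    captured = {}

    def fake_login_page(password: str, code: str) -> None:
        captured["password"], captured["code"] = password, code   # victim sees a fake 'please wait'

    # The member types the password and the fresh token code into the page in front of them.
    fake_login_page(PASSWORD, totp(SEED, now))
    return bank.login("attacker-host", captured["password"], captured["code"], now + relay_delay)


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed timeline: a direct login, a stale code, then the relay."""
    bank = Bank(PASSWORD, SEED)
    return {
        "member_direct": bank.login("member-pc", PASSWORD, totp(SEED, now), now),
        "stale_code": bank.login("member-pc", PASSWORD, totp(SEED, now - 90), now),
        "relayed": relay_attack(bank, now),
        "attacker_session": "attacker-host" in bank.sessions,
    }
```

The bank cannot distinguish the attacker's request from the member's because the code depends only on the shared seed and the clock; the 30-second window that protects against replay of an old code is wide enough for a live relay. That gap is what the layered measures discussed further down (device profiling, transaction monitoring, out-of-band confirmation) are meant to cover.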

Strong authentication "certainly isn't a silver bullet," said Melissa Auchter, CIO at the Parda Federal Credit Union, an 18,000-member financial institution in Rochester, Mich. "It just protects one doorway. It's one more measure in a whole comprehensive approach to protecting" data assets, she said.

Parda has just finished rolling out a multi-factor authentication product from Issaquah, Wash.-based BioPassword Inc. that combines a user's standard log-in credentials with information about their keyboard typing rhythm to authenticate users to their accounts. The tool meets FFIEC's strong authentication requirement, but is only part of a layered defense that includes transaction-level fraud monitoring, Auchter said.

The University of Wisconsin Credit Union in Madison has for the past year used technology from Corillian Corp. to authenticate users during log-in and, to a limited extent, at the transaction stage. Corillian's technology lets the credit union profile users' systems and their online behavior and then challenge them to provide extra proof of identity if there is a change from the norm. Looking ahead, the credit union plans to complement those measures with a stronger "out-of-band" process, where automated phone calls will be made to account holders to authenticate their identity if there's reason to doubt it, said Eric Bangerter, the credit union's director of Internet services.
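The risk-based approach described in the last two paragraphs (profile the device and behaviour, challenge on deviation, escalate to an out-of-band call when the deviation is large) can be sketched as a small decision engine. The following is an added example, not Corillian's or the credit union's code; the attributes profiled, the weights, the thresholds and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
import hashlib


@dataclass
class Profile:
    """What the institution has learned about one member's normal activity (constructed baseline)."""
    known_devices: set
    usual_countries: set
    usual_hours: range            # local hours in which the member normally logs in
    typical_max_amount: float     # largest payment seen during the baseline period


@dataclass
class Event:
    """One login or payment attempt as seen by the web front end (constructed)."""
    user_agent: str
    screen: str
    timezone: str
    country: str
    hour: int
    amount: float = 0.0           # 0 for a plain login, > 0 for a payment


def device_fingerprint(ev: Event) -> str:
    """Coarse hash of client attributes; an unseen value means a new machine or a changed setup."""
    raw = "|".join((ev.user_agent, ev.screen, ev.timezone)).encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def risk_score(p: Profile, ev: Event) -> int:
    """Additive score: each deviation from the profile adds weight. Weights are illustrative."""
    score = 0
    if device_fingerprint(ev) not in p.known_devices:
        score += 40
    if ev.country not in p.usual_countries:
        score += 30
    if ev.hour not in p.usual_hours:
        score += 10
    if ev.amount > p.typical_max_amount:
        score += 30
    return score


def decide(p: Profile, ev: Event, challenge_at: int = 30, out_of_band_at: int = 60) -> str:
    """Map the score to an action: allow, ask an extra challenge, or call the member back."""
    s = risk_score(p, ev)
    if s >= out_of_band_at:
        return "out_of_band"
    if s >= challenge_at:
        return "challenge"
    return "allow"


def enroll_device(p: Profile, ev: Event) -> None:
    """After a successful step-up, remember the device so the next login from it is quiet."""
    p.known_devices.add(device_fingerprint(ev))


# Constructed baseline: a member who banks from one home PC, in the US, in the evening.
HOME_PC = Event("Mozilla/5.0 (Windows NT 5.1) Firefox/2.0", "1280x1024", "America/Chicago", "US", 20)


def baseline_profile() -> Profile:
    return Profile(known_devices={device_fingerprint(HOME_PC)}, usual_countries={"US"},
                   usual_hours=range(17, 23), typical_max_amount=500.0)


def demo() -> dict:
    """Run constructed events through the engine and return the decision for each."""
    profile = baseline_profile()
    new_laptop = Event("Mozilla/5.0 (Macintosh) Safari/419", "1440x900", "America/Chicago", "US", 21)
    abroad = Event("Mozilla/5.0 (Macintosh) Safari/419", "1440x900", "Europe/Bucharest", "RO", 3)
    big_payment = Event(HOME_PC.user_agent, HOME_PC.screen, HOME_PC.timezone, "US", 20, amount=4800.0)
    results = {
        "home_pc_login": decide(profile, HOME_PC),          # score 0  -> allow
        "new_laptop_login": decide(profile, new_laptop),    # score 40 -> challenge
        "new_device_abroad": decide(profile, abroad),       # score 80 -> out_of_band
        "large_payment_home": decide(profile, big_payment), # score 30 -> challenge (transaction stage)
    }
    enroll_device(profile, new_laptop)                      # member passed the step-up
    results["new_laptop_after_enroll"] = decide(profile, new_laptop)   # score 0 -> allow
    return results
```

The out-of-band branch is where the automated phone call Bangerter describes would be placed: the call goes to a number the institution already holds, so an attacker who controls the web session still has to answer a channel they do not control. Note that the fingerprint here is deliberately coarse; a relaying proxy forwards the member's own browser headers, so device profiling alone narrows the attack rather than closing it, which is why the score also weighs where and what is being done.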

The move is necessary because phishers have begun to figure out how to compromise most challenge/response forms of strong authentication, he said. "Eventually, I would like to eliminate the challenge questions completely because they don't add much to security" beyond what is offered by passwords, Bangerter said.