Desert Schools Federal Credit Union in Phoenix is using a similar authentication approach based on technology from Santa Clara, Calif.-based Bharosa Inc. to meet the FFIEC's guidelines. And like Zions, the credit union was already working toward multifactor authentication when the guidelines were released.

"It kind of moved things up for us," CIO Ron Amstutz said, adding that he thought the FFIEC was quite clear on what it wants banks to do.

The FFIEC's decision to not specify the use of any authentication methods may have caused some confusion early on, said Eric Bangerter, director of Internet services at the University of Wisconsin Credit Union in Madison. But, he added, it has allowed banks to choose the technologies that are best suited to their needs.

"I think it's a good thing, because it gives you flexibility," Bangerter said. He also began investigating strong authentication approaches before the guidelines were issued. Now the credit union has deployed technology from Reston, Va.-based Corillian Corp. that lets it profile users' systems and their online behavior and then challenge them to provide extra credentials if there is a change from the norm.

Addressing audit angst