WASHINGTON – The following are some key points culled from the FFIEC's guidance on authenticating users online. NCUA is expected to release a Letter to CUs on the issue later this year.

Secure password measures:

* Six-character passwords that are alphanumeric can be more effective than the common four-character passwords;
* Restrict the use of automatic log-in features;
* Establish strong procedures for disabling passwords;
* Establish strong procedures for password resets by forcing a password change at the next log-on;
* Review password exception reports;
* Lock users out after five failed attempts to log on to a system;
* Terminate user connections after a specified interval of inactivity. Industry practice is generally not more than 20 to 30 minutes;
* Incorporate multi-factor authentication for sensitive internal or high-value systems.

Ways to verify personal information online for account origination:

* Positive Verification. Compare a user's identity to a series of questions related to information from a trusted database (e.g., a reliable credit report).
* Logical Verification. Ensure information provided by users is logically consistent (e.g., Do the telephone area code, ZIP code and street address match?).
* Negative Verification. Application information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraudulent behavior.
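The password and session controls listed above (lockout after five failed attempts, an inactivity timeout, a forced change after a reset, a six-character alphanumeric minimum) can be enforced together in one account model. The Python below is an added example, not part of the FFIEC guidance or of this article; the class and method names, the 20-minute value picked from the quoted range, and the PBKDF2 storage with its work factor are assumptions.

```python
import hashlib, hmac, os, re, time

MAX_FAILED = 5        # lock out after five failed log-on attempts
IDLE_LIMIT = 20 * 60  # seconds; lower end of the 20 to 30 minute practice
ROUNDS = 200_000      # PBKDF2 work factor: an assumption, raise as latency allows

def password_ok(pw):  # six or more characters, mixing letters and digits
    return len(pw) >= 6 and bool(re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw))

class Account:
    def __init__(self, password):
        self.failed, self.locked = 0, False
        self.last_seen = None  # None means no active session
        self._store(password)

    def _hash(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, ROUNDS)

    def _store(self, pw, must_change=False):
        self.salt = os.urandom(16)
        self.digest, self.must_change = self._hash(pw), must_change

    def login(self, password, now=None):
        if self.locked:
            return "locked"
        if not hmac.compare_digest(self._hash(password), self.digest):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED
            return "locked" if self.locked else "denied"
        self.failed = 0
        if not self.must_change:  # no session until a forced change is done
            self.last_seen = time.time() if now is None else now
        return "change_required" if self.must_change else "ok"

    def reset(self, temp_pw):  # administrative reset: unlock, force change at next log-on
        self._store(temp_pw, must_change=True)
        self.failed, self.locked, self.last_seen = 0, False, None

    def change_password(self, old, new):
        if not (password_ok(new) and hmac.compare_digest(self._hash(old), self.digest)):
            return False
        self._store(new)
        return True

    def touch(self, now=None):  # call per request; ends sessions idle past IDLE_LIMIT
        now = time.time() if now is None else now
        alive = self.last_seen is not None and now - self.last_seen <= IDLE_LIMIT
        self.last_seen = now if alive else None
        return alive
```

A locked account stays locked until `reset` is called, which is the point at which the password exception report mentioned in the list would be reviewed.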
