Side-by-Side Comparison: Passmark (RSA) SiteKey and PhishCops®

Separate comparison pages cover regulatory compliance, fraud attack vectors, costs, strength vs. ease of use, information disclosure vs. customer acceptance, and PhishCops® vs. hardware tokens. NEW VIDEO: Watch two university students easily defeat RSA SiteKey at Bank of America!

Passmark (RSA) SiteKey vs. PhishCops® v 2.0
SiteKey: Not a (consistently) multi-factor solution.
SiteKey attempts to retrieve a "Device ID" from the user's computer; however, millions of consumers routinely purge cookies, Flash objects, and similar stored objects from their computers.
When SiteKey cannot retrieve this Device ID, it falls back to soliciting personal information in response to challenge questions, i.e. it simply requests more of what the user "knows".
SiteKey is therefore not a (consistently) multi-factor authentication approach, as defined by the FFIEC and the FDIC.
FFIEC: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors." "Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication."
FDIC: "Two-factor authentication uses two of the three types of credentials mentioned above (something a person knows or has or is)."
PhishCops®: A multi-factor solution as defined by the FFIEC and the FDIC.
PhishCops® is a true multi-factor solution, as defined by the FFIEC and the FDIC. PhishCops® users supply:
1. "Something they KNOW" (their PhishCops® Virtual Token ID and PIN), and
2. "Something they HAVE" (a digital signature retrieved from their computer).
SiteKey: Requires the user to disclose numerous pieces of personal information, contrary to FDIC guidelines.
SiteKey requires the user to disclose numerous pieces of personal information in response to challenge questions. In many cases, the disclosure and validation of solicited personal information is SiteKey's only authentication method.
The FDIC, however, has issued numerous warnings against the use of personal information for authentication, citing its weakness and unpopularity with consumers. It should also be noted that the solicitation of personal information on commercial websites is strictly regulated, or even prohibited, by numerous state and federal regulations.
FDIC: "Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information more generally."
"One study revealed that two-thirds of respondents said they will switch banks if their bank fails to secure their personal information."
"When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information... Consumers will require a clear explanation of any security mechanism and the use of any personal information required to implement that security mechanism."
"Consumers are also concerned about the risk associated with large databases of personal information and the potential for the information that is used by authentication methods to be compromised, copied, or imitated."
"Limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance."
PhishCops®: Users never disclose personal information, as per FDIC guidelines.
PhishCops® never solicits personal information from users, as per FFIEC and FDIC guidelines.
SiteKey: Uses no "strong" authentication methods, contrary to FFIEC guidelines.
SiteKey uses no "strong" authentication methods, relying instead on simple alphanumeric device information, solicited personal information, and copyable images.
The FFIEC, however, has required financial institutions to use methods with "appropriate authentication strength", and has further noted that a "shared secret" approach such as SiteKey's is susceptible to "man-in-the-middle" attacks.
FFIEC: "Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically ensure that their information security program: Identifies risk mitigation actions, including appropriate authentication strength"
"The disadvantage of this [shared secret] method is that it is susceptible to man-in-the-middle attacks, where the fraudster successfully impersonates the user and gains access to the shared secret"
PhishCops®: Authentication methods rely on the strongest standardized mathematical authentication algorithms in the world.
PhishCops®' authentication algorithms were developed by the National Institute of Standards and Technology (NIST) and its Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce. These algorithms are the current U.S. standard in algorithmic authentication and are used to protect sensitive U.S. government data. There are no stronger authentication algorithms in the world.
SiteKey: All SiteKey credentials, personal information, and images can be "collected" by fraudsters, contrary to FDIC guidelines.
ALL of SiteKey's credentials, from the user's account Login ID and their solicited personal information to the user's pre-selected "shared secret" image, can be collected by fraudsters. The FDIC, however, has recommended that financial institutions adopt authentication methods which "cannot be collected by fraudsters".
FDIC: "In the last stage [of a phishing attack], collected credentials are used to access the victim's account. Financial institutions can mitigate this threat with a variety of tools to better identify who is accessing the account. This includes authentication methods which cannot be collected by the fraudster."
PhishCops®: Uses authentication methods which cannot be collected by fraudsters, as per FDIC guidelines.
The PhishCops® virtual token generator exists "virtually" as server-side programming, so it cannot be lost or stolen. This virtual token generator produces a one-time password derived from government-approved cryptographic algorithms and from information a fraudster cannot readily collect, including server date/time and private cryptographic keys that are not easily "collectible" by fraudsters.
SiteKey: The "shared secret" approach is vulnerable to phishing, pharming, and malware, contrary to FFIEC and FDIC guidelines.
In their August 15, 2006 FAQ Supplement, the FFIEC stated that any considered solution should SPECIFICALLY address the risks of phishing, pharming, and malware. SiteKey is a "shared secret" approach, using a pre-selected static image and the answers to pre-defined personal questions as its "shared secrets". The FDIC, the FFIEC, and numerous security organizations, including SiteKey itself, have acknowledged that "shared secret" approaches do not address these risks and are vulnerable to man-in-the-middle phishing attacks and malware.
FDIC: "The disadvantage of this method is that it is susceptible to man-in-the-middle attacks, where the fraudster successfully impersonates the user and gains access to the shared secret"
Symantec: "an attacker could outwit this system in the following way...." (describing a man-in-the-middle scenario) "... Another security flaw can arise. If the user has no stored Device ID cookie on his machine, he will be challenged with alternative methods of authentication. These include sending a password through email or answering a predefined question. An attacker could spoof this re-authentication page."
CR-Labs: "The SiteKey anti-phishing system used by Bank of America and other financial institutions is susceptible to a real-time exploit in which an attacker can create a fake web page that includes a victim's correct, secret SiteKey image, text phrase and challenge questions.... Finding 1: SiteKey is susceptible to a real-time, man-in-the-middle attack. An attacker can create a fake web site that looks like a legitimate Bank of America web site, including a victim's correct SiteKey secret image and text phrase."
Passmark Security (SiteKey): Passmark SiteKey CTO Louie Gasparini confirmed in a recent interview that a "big hole" in the SiteKey approach was its vulnerability to malware, trojans, viruses or worms. Said Gasparini, "If malware is on your machine, it's much more difficult for everybody."
IT Management News: "The SiteKey system fails... to address the fundamental problem of phishing because it leaves the customer susceptible to the classic "Man in the Middle" false-storefront attack... the SiteKey approach still relies on the storage of images and so on in your personal records on the merchant's database. Compromise of this data would leave you just as vulnerable as you'd be if your login and password were obtained."
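The real-time relay attack the Symantec and CR-Labs quotes describe, together with the Device ID fallback discussed in the first row (no recognised cookie, so the site asks a challenge question instead), as an added simulation in Python. This is not code from PhishCops, RSA/Passmark, Bank of America or any of the quoted sources: the bank-side login flow, the login ID "alice", the image file name, the phrase, the challenge question and its answer are all constructed stand-ins. The point it makes is that the fake site never needs to know the secret image in advance; it obtains it from the genuine site by forwarding whatever the victim types, one step at a time, and ends up holding the password, a live session, and a freshly minted Device ID.

```python
"""Added simulation of a real-time relay against a SiteKey-style shared-secret
image, including the Device ID fallback to challenge questions.
Bank logic, user record and every value below are constructed stand-ins."""
import secrets


class Bank:
    """Stand-in for a shared-secret-image login flow (not RSA's or any bank's code)."""

    def __init__(self):
        self.users = {
            "alice": {                      # constructed user record
                "password": "correct horse",
                "image": "img_0042_sailboat.jpg",   # the "shared secret" image
                "phrase": "my sailboat",            # the "shared secret" phrase
                "question": "What is your mother's maiden name?",
                "answer": "smith",
                "device_ids": set(),
            }
        }
        self.sessions = {}

    def start_login(self, login_id, device_id=None):
        """Step 1: only the login ID is submitted; no password yet."""
        user = self.users.get(login_id)
        if user is None:
            return {"step": "error"}
        if device_id in user["device_ids"]:
            return {"step": "sitekey", "image": user["image"], "phrase": user["phrase"]}
        # Unknown/missing Device ID: fall back to "something you know".
        return {"step": "challenge", "question": user["question"]}

    def answer_challenge(self, login_id, answer):
        """Step 2 (fallback): a correct answer releases the image and a new Device ID."""
        user = self.users[login_id]
        if answer.strip().lower() != user["answer"]:
            return {"step": "error"}
        new_id = secrets.token_hex(8)
        user["device_ids"].add(new_id)
        return {"step": "sitekey", "image": user["image"],
                "phrase": user["phrase"], "set_device_id": new_id}

    def finish_login(self, login_id, password):
        """Step 3: the password is sent only after the user has seen the image."""
        user = self.users[login_id]
        if password != user["password"]:
            return {"step": "error"}
        token = secrets.token_hex(16)
        self.sessions[token] = login_id
        return {"step": "ok", "session": token}


class RelayPhisher:
    """Fake storefront that forwards each step to the real bank as the victim types."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = {}

    def run(self, victim):
        login_id = victim["login_id"]
        # The attacker's browser holds no Device ID for the victim, so the bank
        # asks its challenge question; the fake page just shows the same question.
        resp = self.bank.start_login(login_id, device_id=None)
        if resp["step"] == "challenge":
            answer = victim["answers"][resp["question"]]   # typed into the fake page
            self.captured["challenge"] = (resp["question"], answer)
            resp = self.bank.answer_challenge(login_id, answer)
        # The genuine image and phrase now appear on the fake page.
        self.captured["image"] = resp["image"]
        self.captured["phrase"] = resp["phrase"]
        self.captured["device_id"] = resp.get("set_device_id")
        # Reassured by the correct image, the victim enters the password.
        final = self.bank.finish_login(login_id, victim["password"])
        self.captured["password"] = victim["password"]
        self.captured["session"] = final.get("session")
        return self.captured


def simulate():
    """Run the relay once and report what the attacker can now do."""
    bank = Bank()
    victim = {"login_id": "alice", "password": "correct horse",     # constructed
              "answers": {"What is your mother's maiden name?": "Smith"}}
    captured = RelayPhisher(bank).run(victim)
    genuine = bank.users["alice"]
    # With the minted Device ID the attacker skips the challenge on later logins.
    skip = bank.start_login("alice", device_id=captured["device_id"])["step"] == "sitekey"
    return {
        "image_matches": captured["image"] == genuine["image"],
        "session_valid": bank.sessions.get(captured["session"]) == "alice",
        "attacker_skips_challenge": skip,
        "captured": captured,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Nothing in the relay depends on breaking the image, the cookie, or the question: every secret is released by the genuine site to whoever presents the right login ID and answers, and the fake page is simply the first party to see them.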
PhishCops®: Specifically designed to mitigate phishing, pharming, and malware, as per FFIEC and FDIC guidelines.
PhishCops® is the ONLY multi-factor authentication solution in the world that is entirely effective against phishing, pharming, and malware. Indeed, the United States government recognized PhishCops® for its success in this area when it named it a semi-finalist for the 2005 Homeland Security Award for cyber-security.