2-factor authentication by definition means authenticating a person by two of the three factors: what he has, what he knows, and what he is or does. 2-factor authentication in the banking industry is increasingly important. Yes, 2-factor authentication can be cracked, but it is extremely difficult, especially when implemented properly. I’d like to quickly review the basics of 2-factor authentication and then analyze how it can be implemented in the banking industry.
So for those of you who have no clue what 2-factor authentication is, this article might be too much, but in the hope that you can keep up let’s look at an example of two factor authentication. Let’s say Scott works for a bank and currently sits behind a desk processing loans and whatnot. Currently Scott logs into his PC via a username and password. If 2-factor authentication were implemented at Scott’s bank they could introduce a fingerprint scanner into the login process. When Scott sits down at his PC he will have to scan his fingerprint and optionally input a short code in order to log into the PC. Some go as far as to include a smart card (portable device) which holds a token that is used during the login process: Scott swipes his smart card in the fingerprint scanner before swiping his fingerprint.
Now let’s say Scott then goes home and wants to check his bank account. He goes to banking industry dot com and inputs his username and password at which point the banking system would prompt Scott for the code off his security token. Scott gains access based on what he knows (password) and what he has (security token).
- what he has – (e.g., ID card, secure token, smart card) – in the above example Scott used a smart card locally and a security token remotely
- what he is or does – (e.g., fingerprint or retinal pattern) – Scott uses his fingerprint after the “what he has” (the smart card)
- what he knows – (e.g., pass phrase, PIN or password) – Scott has to use a password after the smart card and fingerprint
(Image: Finger Print Scanner)
By definition, multi factor authentication requires the use of solutions from two or more of the three categories of factors; in the example we used all three locally and 2-factor authentication remotely.
Those are the basics of 2-factor authentication, so now let’s look at why and how the banking industry can implement two factor authentication.
Here’s a big slap in the face for you and me. The banking industry would rather turn their cheeks to online bank fraud. I say this because so few banks in the industry have implemented 2-factor authentication for online users. At least Uncle Sam is trying to put some pressure on banks to implement secure online banking. The FFIEC released this not long after Hurricane Katrina.
FFIEC Releases Guidance on Authentication in Internet Banking Environment
The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes with respect to the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies. Read the rest here
So let’s say the banks wanted to follow the FFIEC’s recommendation (I know some have); here is what they could do, and what I feel is the most secure depending on the person and their circumstances.
So here are my top options the banking industry has for 2-factor authentication: TANs, security tokens, and finally added security measures, AKA ASM. All the banks out there now have added security measures in the login process. It isn’t true two factor authentication, but it’s a good step in the right direction. Let’s look at TANs and security tokens as my preferred methods of two factor authentication.
TAN: this is a form of single use (only good one time) password used to authorize online banking transactions. TANs are a second layer of security above and beyond the traditional single password. Implementing TANs is a form of 2-factor authentication.
An outline of how TANs function:
- The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list; each TAN is alphanumeric and variable in length.
- The user picks up the list from the nearest bank branch office.
- A few days later, the user receives a 5 digit password by mail at the user’s home address. The user is requested to memorize the password, destroy the notice and keep the TAN list in a safe place near the PC.
- To log on to his/her account, the user must enter user name and password. This may give access to account information but not the ability to process transactions.
- To perform a transaction, the user enters the request and “signs” the transaction with a TAN. The bank verifies the TAN against the list of TANs it issued. If it is a match, the transaction is processed; if it doesn’t match, the transaction is rejected.
- The TAN has now been consumed and will not be recognized for any further transactions, and if the TAN list is compromised, the user may cancel it by notifying the bank.
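The bank-side half of the procedure above, as an added example that is not from the original post: a constructed TAN list of 50 variable-length alphanumeric codes, a server record that accepts each TAN exactly once, and the cancellation step for a compromised list. The class names and the server-side pepper value are my own assumptions.

```python
import hmac
import secrets
import string
from hashlib import sha256

ALPHABET = string.ascii_uppercase + string.digits


def generate_tan_list(count=50, min_len=6, max_len=8):
    """Bank side: build a list of unique alphanumeric TANs of variable length."""
    tans = set()
    while len(tans) < count:
        length = min_len + secrets.randbelow(max_len - min_len + 1)
        tans.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(tans)


class TanAuthority:
    """Server-side record of one customer's issued TANs.

    Only keyed digests of the TANs are stored, so a leaked database
    does not directly expose the printed list.  Each TAN is consumed on
    first successful use; a cancelled list rejects everything.
    """

    def __init__(self, tans, pepper=b"constructed-server-secret"):
        self._pepper = pepper                       # assumed server-side secret
        self._unused = {self._digest(t) for t in tans}
        self.cancelled = False

    def _digest(self, tan):
        return hmac.new(self._pepper, tan.strip().upper().encode(), sha256).hexdigest()

    def sign_transaction(self, tan):
        """Return the bank's decision for a transaction signed with `tan`."""
        if self.cancelled:
            return "rejected: list cancelled"
        digest = self._digest(tan)
        if digest not in self._unused:
            return "rejected: unknown or already used"
        self._unused.remove(digest)                 # single use: consume it
        return "accepted"

    def cancel(self):
        """Customer reports the list compromised; nothing on it is valid anymore."""
        self.cancelled = True
        self._unused.clear()
```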
TANs work for someone who is organized and can keep up with the TAN list. This option seems a bit dated to me and a pain in the butt. Let’s look at security tokens.
A security token is an electronic form of one time password, and when combined with the standard login process security tokens are the best form of two factor authentication. It’s like an electronic TAN! It’s my preferred method for secure 2-factor authentication via the internet… though I doubt many in the banking industry will go this route. You’ll obtain your security token from the bank and it will look like the picture here. Once you log in to the bank’s web site you’ll input your username and password, and if that passes you’ll then input the random one time password displayed on the security token. Just like TANs, these electronic tokens work for someone who is organized and can keep up with a small device like this.
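The token login described above, as an added example that is not from the original post. The post does not say which algorithm the token uses; this example assumes an event-based HOTP token (RFC 4226) and checks it against the RFC's published test secret. The password hash, look-ahead window and function names are my own assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a hardware token shows for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenAccount:
    """Bank side: password (what you know) plus token code (what you have)."""

    def __init__(self, password: str, token_secret: bytes, window: int = 5):
        # Constructed example: salted hash of the customer's password.
        self._salt = b"constructed-salt"
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._secret = token_secret
        self._counter = 0          # next counter value the bank expects
        self._window = window      # how far the token may have drifted ahead

    def _password_ok(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(candidate, self._pw_hash)

    def _token_ok(self, code: str) -> bool:
        for i in range(self._window + 1):
            c = self._counter + i
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1      # resync; the used code can't be replayed
                return True
        return False

    def login(self, password: str, code: str) -> bool:
        """Both factors must pass; a stolen password alone is not enough."""
        return self._password_ok(password) and self._token_ok(code)
```

A keylogged password and token code are useless a second time, because the verifier advances past every code it accepts.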
Then what most of us see and use are what I call ASM or added security measures such as a combination of controls that recognize a customer’s computer, ask additional challenge questions, and monitor for fraudulent behavior such as multiple incorrect logins or a login from Greece or China where bank fraud is running wild.
While two factor authentication is important and the FFIEC mandated more secure online practices some time ago, the banking industry would rather turn the other cheek because it would be too costly for them to protect OUR money. They would rather reimburse us for our losses than stop it from happening in the first place, because it’s cheaper for them this way. Think of the cost involved in implementing security tokens or TANs for all their customers. So we are stuck with small added security measures, which help, but let’s be honest here: any keystroke logger can capture what you type for your user name, password, and the added security questions. Phishers will get you to log in to your bank account via a spoofed site and steal this info with ease from many unsuspecting online users. Two factor authentication with security tokens or TANs will stop the phishers and keystroke loggers from doing ongoing and sometimes unnoticed damage. Please post your comments below.