by Brian Kelley
Why don’t banks make you use multi-factor authentication? Gmail has two-factor authentication you can set up right now. You can do the same thing for Apple and Microsoft accounts too. Wisely, the popular online payment services PayPal, Venmo, and Square offer and recommend two-factor authentication as well. But setting up 2FA at your bank? You’d be hard-pressed to find one that even offers it, let alone encourages you to set it up.
There’s a seeming reluctance to make reliable MFA the norm in banking. Passwords and their backup “security questions” offer a level of protection that’s laughable, but banks continue to use them. Do banks know something we don’t, or is their internal monitoring of customers iron-clad enough that they don’t even bother offering MFA to customers?
Granted, major banks such as BoA, Citibank, and JPMorgan Chase offer one-time passwords as an option, and it remains exactly that: optional. Getting users to adopt a second authentication factor willingly is challenging. Yes, it puts an important hurdle in front of attackers and makes passwords a little more useful, but it puts the same hurdle in front of the user. It almost doesn’t matter how convenient the type of 2FA is; the user views it as an extra step with no perceived benefit.
It comes down to who is responsible for the change. Banks and financial data centers can implement the most secure login method available, but if it’s too cumbersome for the average customer, they’ll take their money elsewhere. What an interesting dilemma.
Let’s compare two of the most viable password-replacing login options and the merits of each.
Biometrics
We’ve featured the breakdown of banks that are already adopting biometric scanning applications. Almost every major bank has invested in mobile biometrics, and they have met with a certain degree of success. Taken at face value, it is the ultimate level of convenience. Your thumbprints and retinas are enough to set you apart, and you can’t misplace or forget them: two things that other authentication methods have a hard time solving.
Yet that is also potentially the greatest hazard of biometrics. It takes more sophistication, but thumbprints and retinas can be faked, or the authentication system itself can be fooled. And unless there are effective methods to confirm that the biometric data really comes from the true user, it will ultimately be exploited in much the same way passwords are exploited now.
Depending on the type of scanner and its sophistication, fingerprint and retinal data can simply be stolen and repurposed for unauthorized entry. As for the thumbprint scanners on the current generation of mobile devices, even a completely wrong thumb has an unacceptable success rate when unlocking a phone, and methods of faking thumbprints have become much more successful. In that light, if thumb scan data is stolen from a company database, it will have enormous black market value in the same way a stolen list of usernames does.
Biometrics certainly serve a great purpose as an additional authentication factor. Unfortunately, as the primary login method, they’re quite exploitable.
One-Time Passwords
A pretty common practice is sending temporary passcodes to a mobile device when you want to log in. On paper, it seems to make sense. The problem is that these notifications never really establish that the user receiving them is the actual user.
There are quite a few ways to intercept one-time passwords without physically stealing the user’s device, which is the most obvious yet least probable way of circumventing OTPs. It’s far more likely that the device or phone number receiving the OTP is remotely compromised. All the pieces are there for the taking: your device ID can be stolen in an intrusion or bought on the black market from someone who already did the stealing. Nor does it address social engineering: the trick of calling a service center and impersonating a user to get phone or account information still works. So do phishing scams.
Once again, it’s more effective as an additional factor than as a primary authentication method. In that first-factor configuration, most applications of OTPs are extremely inconvenient as well.
Tokens and Authenticators
Installing EMV chips on credit and bank cards was a revolution in many ways. For one, they use multiple layers of security and redundancy that make the data on the card difficult to decipher. It is much harder to steal data across a network when all you can capture is gibberish. Because the chip performs cryptographic computations on the data rather than exposing it directly, the data is unreadable without the original device.
At that point, the only real worry with a card or security device is that someone steals it. Or, far more likely, that you misplace it. In the end, like all password alternatives, the biggest element of failure stems from human error — or human trickery.
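To make the chip-card point concrete, here is an added example that is not code from the original post and not EMV’s actual algorithms (real cards use 3DES/AES MACs under issuer-derived session keys): a toy chip that authenticates each transaction’s counter, amount and terminal nonce with HMAC-SHA256, beside a magstripe-style static credential. The class names ChipCard, Issuer, StaticIssuer and the demo() scenario are assumptions for this illustration.

```python
import hashlib
import hmac
import os
class ChipCard:
    """Toy chip card: a secret key that never leaves the card plus a transaction counter."""
    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.atc = 0  # application transaction counter, incremented per transaction

    def cryptogram(self, amount: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        """Return (ATC, MAC) binding counter, amount and the terminal's nonce together."""
        self.atc += 1
        msg = self.atc.to_bytes(4, "big") + amount.to_bytes(8, "big") + unpredictable_number
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Toy issuer host: shares the card key and remembers the highest ATC accepted."""
    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.last_atc = 0

    def verify(self, atc: int, amount: int, unpredictable_number: bytes, mac: bytes) -> bool:
        msg = atc.to_bytes(4, "big") + amount.to_bytes(8, "big") + unpredictable_number
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, mac):
            return False  # wrong key, altered amount or a different terminal nonce
        if atc <= self.last_atc:
            return False  # cryptogram already used: replay
        self.last_atc = atc
        return True

class StaticIssuer:  # magstripe-style check: the same static bytes authorise every transaction
    def __init__(self, track_data: bytes) -> None:
        self._track = track_data

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._track)  # a captured copy always passes

def demo() -> dict[str, bool]:
    # Constructed scenario: an eavesdropper captures one transaction and tries to reuse it.
    track = b"PAN=4111111111111111;EXP=1229"  # constructed sample track data, not a real card
    key, un = os.urandom(16), os.urandom(4)  # card key; terminal's unpredictable number
    card, issuer, legacy = ChipCard(key), Issuer(key), StaticIssuer(track)
    atc, mac = card.cryptogram(2500, un)  # a $25.00 purchase
    return {
        "static_replay_accepted": legacy.verify(bytes(track)),  # stolen copy still works
        "chip_genuine_accepted": issuer.verify(atc, 2500, un, mac),
        "chip_replay_accepted": issuer.verify(atc, 2500, un, mac),  # same bytes resent
        "chip_altered_accepted": issuer.verify(atc + 1, 999900, un, mac),  # bumped amount
    }
```

The issuer rejects the replay on the counter check and the altered amount on the MAC check, while the static credential passes every time it is presented.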
The effectiveness of a login method could mean a lot of things. There’s no doubt that the cards and smartphones in our pockets belong to us: multiple institutions and other humans corroborated our identities when we signed up for bank accounts or bought a phone. So it stands to reason that these trusted devices can vouch for their owner’s authenticity. Passwords and temporary passwords don’t meet these criteria. Biometric data, unfortunately, is only as secure as our current generation of scanning devices allows. It’s not quite there yet.
So a physical device that you can keep in your pocket, and that can accurately and reliably confirm your identity, is the key to solving the user interface dilemma. It would certainly be more convenient than resetting passwords. Or worse, trying to prove you’re the real deal after someone steals your thumbprint data.