
Banking on two-step authentication

Cache Advance By Linda Musthaler, Network World
November 07, 2005 12:03 AM ET

I do my banking and money management with a U.S.-based global financial planning company. Like most such companies, this one is pushing its customers toward the Web for conducting transactions. Self-service, in the form of online bill paying and account management, is far more cost-effective than having lots of branches and people in the field.

I don't mind, because I like self-service for its convenience. But I've soured on the idea of using a PC to access my funds. Proliferating phishing schemes and spyware (such as keystroke loggers) make it risky for people to access their accounts over the open Internet. It makes me nervous to think that others are only a user ID and password away from my total portfolio.

I expressed my concerns to my financial manager, asking if his company offers customers two-step authentication. That led to a discussion with a security officer from the IT department, who told me that the company is investigating how and even whether it would implement two-step authentication. She said it is at least a year away. "Most of our customers don't want it," she said. "They think it's bad enough they have to enter a password twice to get into their accounts." What's worse is that she told me that this reaction is the norm for her industry in the United States.

I was stunned. Surely I'm not the only consumer to read the headlines about identity theft and unauthorized access to private information online. I can't be the first person who wants something a bit more secure than a single password to move my money around. These issues aren't new to the security officer. She's well aware of the potential for problems and the need for stronger security. In her defense, I'd have to say that her company has tied her hands, claiming that customers prefer convenience over confidence.

This is exactly the kind of thinking that leads to headlines screaming, "Thousands of accounts at XYZ bank are compromised when identity thieves steal password information." CEOs seem more concerned with controlling costs than selling security as a feature.

What I'm asking for is not complicated, and it doesn't have to be costly. I want my financial company to have an additional way to identify me before it gives me full access to my money via the Internet. A token, secure card or even a single-use password would make me feel better. I'd even be willing to pay for it. The bank has already given me a card to use at the automated teller machine, forcing me to know something (my password) and have something (my card) at the same time. Can't I have something similar at home?

European financial companies have long known the benefits of two-step authentication and have devised several simple solutions. One German bank, for instance, issues its customers a hard-copy list of transaction authorization numbers (TAN). The TANs are six digits and appear to be randomly selected, which makes them hard to guess. To make a transaction online, customers must log on using their regular user ID and password. Then they must enter an unused TAN from their list. If they enter a TAN that they have previously used or that is not on their list, their transaction won't go through. This may seem to be an elementary form of security, but it is inexpensive to deploy, easy for the consumer to understand and better than nothing.
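
The server side of the TAN check described above, as an added example that is not part of the original column or any bank's code. The names `TanStore` and `MAX_FAILURES`, the keyed-hash storage and the lockout after repeated bad entries are assumptions added for illustration; the column only describes the single-use rule.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumption: lock TAN entry after 3 consecutive bad TANs


class TanStore:
    """Server-side record of each customer's unused six-digit TANs."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._unused = {}    # customer_id -> set of HMAC tags of unused TANs
        self._failures = {}  # customer_id -> consecutive failed attempts

    def _tag(self, customer_id: str, tan: str) -> bytes:
        # Keyed tag, so a leaked table cannot be brute-forced over the
        # 10**6 possible TANs without the server key.
        msg = f"{customer_id}:{tan}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, customer_id: str, count: int = 20) -> list:
        """Draw `count` distinct TANs from a CSPRNG; return the list to print."""
        tans = set()
        while len(tans) < count:
            tans.add(f"{secrets.randbelow(10**6):06d}")
        self._unused[customer_id] = {self._tag(customer_id, t) for t in tans}
        self._failures[customer_id] = 0
        return sorted(tans)

    def authorize(self, customer_id: str, tan: str) -> str:
        """Called after the password check; returns 'ok', 'rejected' or 'locked'."""
        unused = self._unused.get(customer_id)
        if unused is None:
            return "rejected"
        if self._failures[customer_id] >= MAX_FAILURES:
            return "locked"
        tag = self._tag(customer_id, tan)
        if tag in unused:
            unused.remove(tag)  # single use: a replayed TAN no longer matches
            self._failures[customer_id] = 0
            return "ok"
        # Already used and never issued look the same to the caller.
        self._failures[customer_id] += 1
        return "rejected"
```

With only a million possible values, the attempt limit is what keeps a six-digit TAN from being guessed by someone who already holds the password.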
