Two-Factor Authentication with Cell Phones

Here's a good idea:

ASB and Bank Direct's internet banking customers will need to have their cellphone close to hand if they want to use the net to transfer more than $2500 into another account from December.

ASB technology and operations group general manager Clayton Wakefield announced the banks would be the first in New Zealand to implement a "two factor authentication" system to shut out online fraudsters, unveiling details of the service on Friday.

After logging on to internet banking, customers who want to remit more than $2500 into a third party account will receive an eight-digit text message to their cellphone, which they will need to enter online within three minutes to complete the transaction.

It's more secure than a simple username and password. It's easy to implement, with no extra hardware required (assuming your customers already have cellphones). It's easy for the customers to understand and to do. What's not to like?
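A worked model of the scheme as described above, added here as an example and not code from ASB, Bank Direct, or the article: the $2500 threshold, the 8-digit code and the 3-minute window are the article's; binding the code to one exact transfer, single use, a 3-guess lockout, and the rule that a resend voids the earlier code are my assumptions about what a sound implementation needs. The account numbers, phone number, and captured SMS text in the demo are constructed.

```python
# Added example (not code from ASB, Bank Direct or the article): a minimal
# server-side model of the SMS step-up check the post describes. The $2500
# threshold, 8-digit code and 3-minute window come from the article; binding
# the code to one exact transfer, single use, a 3-guess lockout and the resend
# rule are my assumptions about what a sound implementation needs.
import hmac
import random
import secrets
import time
from collections import namedtuple

THRESHOLD_NZD = 2500      # transfers above this need the texted code
CODE_DIGITS = 8
CODE_TTL_SECONDS = 180    # "within three minutes"
MAX_ATTEMPTS = 3          # assumed: discard the code after 3 wrong guesses

Transfer = namedtuple("Transfer", "account_from account_to amount")


class StepUpAuthenticator:
    """Issues and checks one-time codes for transfers above the threshold."""

    def __init__(self, send_sms, now=time.time, rng=None):
        self._send_sms = send_sms             # callable(phone_number, text)
        self._now = now                       # injectable clock for testing
        self._rng = rng or secrets.SystemRandom()
        self._pending = {}                    # session_id -> pending code record

    @staticmethod
    def needs_code(transfer):
        return transfer.amount > THRESHOLD_NZD

    def start(self, session_id, phone_number, transfer):
        """Issue a fresh code and text it. Any earlier code for the session is
        discarded, so a resend never leaves two codes live at once."""
        code = "".join(self._rng.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[session_id] = {"code": code, "transfer": transfer,
                                     "expires": self._now() + CODE_TTL_SECONDS,
                                     "attempts": 0}
        # Naming the payee and amount lets the customer notice a mismatch.
        self._send_sms(phone_number, f"NetCode {code} to pay {transfer.amount:.2f} "
                       f"to {transfer.account_to}. Valid for 3 minutes.")

    def verify(self, session_id, submitted, transfer):
        """True only if the code is current, unused, correct and was issued for
        exactly this transfer (same source, destination and amount)."""
        p = self._pending.get(session_id)
        if p is None:
            return False
        if self._now() > p["expires"]:
            del self._pending[session_id]     # expired: a new code must be requested
            return False
        if p["transfer"] == transfer and hmac.compare_digest(
                submitted.encode(), p["code"].encode()):
            del self._pending[session_id]     # single use: no replay
            return True
        p["attempts"] += 1
        if p["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]     # too many guesses: start over
        return False


def demo():
    """Run the cases the comments worry about against a fake clock and a
    captured SMS channel; accounts and phone number are constructed."""
    sent, clock = [], [1_700_000_000.0]
    auth = StepUpAuthenticator(send_sms=lambda num, txt: sent.append((num, txt)),
                               now=lambda: clock[0],
                               rng=random.Random(7))  # deterministic for the demo only
    phone = "+64 21 000 0000"
    big = Transfer("12-3000-0000001-00", "12-3000-0000002-00", 3000.0)
    small = Transfer("12-3000-0000001-00", "12-3000-0000002-00", 2400.0)

    def last_code():
        return sent[-1][1].split()[1]         # pull the code out of the text

    r = {"small_needs_code": auth.needs_code(small), "big_needs_code": auth.needs_code(big)}
    auth.start("s1", phone, big)
    code = last_code()
    r["code_length"] = len(code)
    altered = Transfer(big.account_from, "12-3000-0000009-00", big.amount)
    r["altered_destination"] = auth.verify("s1", code, altered)  # code is bound to the transfer
    r["correct"] = auth.verify("s1", code, big)
    r["replay"] = auth.verify("s1", code, big)                   # second use refused

    auth.start("s2", phone, big)
    code = last_code()
    clock[0] += CODE_TTL_SECONDS + 1
    r["expired"] = auth.verify("s2", code, big)

    auth.start("s3", phone, big)
    old = last_code()
    auth.start("s3", phone, big)                                 # customer hit "resend"
    r["old_after_resend"] = old != last_code() and auth.verify("s3", old, big)
    r["new_after_resend"] = auth.verify("s3", last_code(), big)

    auth.start("s4", phone, big)
    code = last_code()
    wrong = code[:-1] + ("1" if code[-1] != "1" else "2")        # guaranteed wrong
    for _ in range(MAX_ATTEMPTS):
        auth.verify("s4", wrong, big)
    r["locked_after_guesses"] = auth.verify("s4", code, big)     # right code, too late
    return r
```

The point of binding the code to the transfer (not just to the login session) is that a code obtained for one payment cannot be redirected to a different payee or amount, and the constant-time comparison plus the guess limit keeps an 8-digit space from being brute-forced within the 3-minute window.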

Posted on November 23, 2004 at 9:41 AM • 38 Comments

Comments

Fuzzy • November 23, 2004 10:25 AM

I realize that the question "What's not to like" was meant to be rhetorical, but actually there are a few things.

#1 - This requires you to divulge your cellular phone number to your bank. Who can then use/sell or otherwise dispose of the information. Bad for privacy.

#2 - There is no information on how the bank obtains the phone number. It may well be possible to change the phone number online. If so, the potential for fraud is lessened but hardly removed. The person attempting the fraud changes the phone number and then makes the transaction (and then potentially changes the phone number back).

#3 - It is not clear to me how much fraud this will catch. What percentage of fraudulent orders are over $2500? No more ordering $3000 laptops but a $2400 one will slip right past.

#4 - Assuming the fraud is connected to a credit card theft (as opposed to a credit number list purchased from the Internet), this now provides an additional incentive to steal the mobile phone (a popular target for theft in the first place).

#5 - For convenience, multipurpose devices are good. In my limited opinion, they are not necessarily good. Single task devices can be better.

Nick Owen • November 23, 2004 10:29 AM

There are known security issues with using text-messaging. When we were first getting started, we evaluated using text-messaging to deliver one-time passcodes, but found that most carriers didn't implement encryption and that text messages sat on their servers unencrypted. Moreover, we found that about 10-15% of all messages went undelivered or somewhere else altogether.

We ended up using asymmetric encryption, which allows us to have a cell phone and a PC client.

Bob Lee • November 23, 2004 11:16 AM

Re: Two-Factor Authentication with Cell Phones.

Wouldn't e-mailing them a link to a confirmation page be just as effective? Unless of course someone has hijacked both the email and bank accounts.

Srijith • November 23, 2004 11:17 AM

Most banks in Singapore have started to use a similar system, after several thousand $s were lost due to fraudulent transfers.

The way it works is like this:

- I need to set up a new bank transfer mechanism once per recipient account.

- every time I need to set this up, I need to use the 4 digit (if I remember correctly) that is sent via SMS to my mobile phone to authorise the setup.

- If you do not have a mobile phone, you can retrieve the PIN using phone banking (whose username and passwd are different from the Internet banking system)

- You use your ATM card at an ATM machine to let the bank know of your mobile phone number.

The only difference in this system is that the two-factor authentication is always done only once per recipient account, irrespective of the amount that has to be transferred.

Trey Jackson • November 23, 2004 11:21 AM

How about the obvious: What if you don't own a cell phone? Perhaps it's misplaced?

What if you want to use a blackberry?
Or how about email?

What about instant messaging on the computer?

Fix the first level of security, don't patch on extra layers of insecure system. It just makes it harder for the average Joe to get their work done. The thieves will just do more transfers at a lower amount.

Asheesh Laroia • November 23, 2004 2:29 PM

One perceived disadvantage would be that many cell phone users (including me) pay per text message. I'll leave fleshing out if this is a disadvantage (or a stealth advantage!) to other posters.

Davi Ottenheimer • November 23, 2004 2:30 PM

The big problem seems to be that text messaging has no SPAM filtering. Once you turn it on, and give your address/number to companies, it will not be long before you have to turn it off to avoid the annoyances and (per message) fees for SPAM on your phone. The phone companies we talked with said they are only just investigating how/whether to use filtering on messages.

Terence Tan • November 23, 2004 4:38 PM

Keep in mind that this is just a high-tech version of credit cards, when you make a big purchase, someone from the bank will call your home (or work) number to confirm that it's really you and that you want the transaction made.

Brent Dax • November 23, 2004 7:52 PM

Such a system might not work well in America, but much of the world has incredible cell-phone penetration. In general, people in those areas are more likely to know how to use "advanced" features like text messaging as well.

I do think this could be easily done with a normal phone call, though. Just give them a list of phone numbers ahead of time (home, work, cell, mistress's house), and when you perform the transaction, select the phone you want them to call from a drop-down list.

piglet • November 23, 2004 9:00 PM

I completely agree with Fuzzy above and also with Trey Jackson. Yes, I don't own and plan never to own a cell phone. Any bank that implements such a scheme would lose me as a customer. Moreover, it's really no good security. We know, and Schneier has reported on this repeatedly, that cell phones are excellent targets for attack. Combining an insufficient security model with an authentication via a vulnerable device looks likely to make things worse, not better.

I have an anecdote of my own to tell. My Canadian bank now allows me to make money transfers via internet but for "authentication", I have to enter my social security number and birth date. Neither of those data are secret, of course. Moreover, the scheme is just another incentive to steal SSNs (privacy legislation has been enacted to eliminate SSN dissemination - the bank scheme is actually illegal).

The obvious solution to internet banking security - transaction codes - has been successfully tested for years. Why don't banks just do the obvious and introduce them?

Wiseguy • November 24, 2004 4:15 AM

"within three minutes"? I find it surprising how people think of IP and SMS more and more as a service guaranteeing timely delivery, while, from a theoretical point of view, both protocols are asynchronous and therefore do not make any statement as to when a message will be delivered. I have no doubts that the system will work well, even though it's inherently flawed.

Neil Bartlett • November 24, 2004 6:46 AM

This is actually just the same scheme as the one-time PINs sent out through the post by German and Japanese banks (and perhaps others). It simply takes advantage of the speed of SMS delivery to supply those PINs on demand rather than in advance.

Sure the bank might send to the wrong mobile number, but they might also send your monthly statements to the wrong street address. You have to keep an eye on the records your bank keeps about you. And if it goes to the wrong number, so what? You get inconvenienced because you can't do the transfer, but whoever receives the PIN can't use it either. It's failsafe - a bit of inconvenience is better than being robbed.

Sure the bank might start sending spam SMSes, but this is becoming a general problem anyway and I predict phones will start implementing spam filters soon, just the same as email clients. Also some countries, eg the UK, offer an opt-in register making it illegal to send unsolicited messages to numbers on that register.

Finally, you might not have a mobile phone, but this article was about New Zealand where probably more people have mobile phones than bank accounts. Also the trigger limit is not as permissive as some respondents believed: 2500 kiwi dollars is only about 1700 US dollars.

Wes G • November 24, 2004 8:22 AM

As some people have mentioned there are some weaknesses in this system in that text messages are sent in plaintext etc. However, it's far from trivial for attackers on the other side of the world to gain access to your phone or breach the integrity of your bank or cellphone providers network in order to get the one time PIN. This should be enough to negate the effectiveness of run-of-the-mill remote "phishing" attacks (I'd imagine these account for a large percentage of attacks).

Obviously, a determined attacker given the resources would be able to defeat the system but that would require greater resources and expose the attacker to great risk.

As Bruce frequently points out all security is a balance between cost (in terms of convenience and cold hard cash) and benefit (the increase in level of effort required to defeat particular security measures).

In this case the cost is relatively low: cellphones are ubiquitous in many countries, text messaging services are relatively cheap and speedy.
In contrast the level of effort & resources required to exploit weaknesses in this system have increased dramatically; an attacker no longer just requires access to open relays to spam people with emails and internet access to exploit the naive recipients who respond with their details, as is the same for simple "phishing" attacks (which can be done via identity obscuring botnets), for example. Attackers would now need users to respond with their details and then be able to gain access to that user's phone _or_ be able to breach bank/cellphone providers' security to gain access to the PIN/Code required to complete the transaction. Bypassing the extra factor of authentication opens up the attacker to greater risk (calling up the bank to try a social engineering attack and get them to change a customer's cellphone number, for example) and requires more time and resources. So, on balance, I'd have no problem with my bank implementing this or a similar measure.

Clive Robinson • November 24, 2004 10:43 AM

Without stating the "bl--ding obvious", any person who thinks of trying to implement a system around SMS does not understand how it works...

I was at a European Security Course in Stockholm funded by the EU in Sept 2000 (IPCS2K), when I proposed an exactly similar solution used to log into a mix-network to provide authentication via an "active token" for a secure EMail and banking transaction service. However after the course I investigated further (he a good idea needs implementing/patenting), there are a couple of fundamental problems,

1, No encryption
2, Easy to spoof
3, Incredibly easy to eavesdrop
4, SMS delivery is unreliable

Although all of these have been mentioned above, all but the last have solutions that could easily be built into a mobile phone (I used to be involved with the design of cordless/DECT/mobile phones several years ago). The last cannot be solved reliably due to the design of the cellular network.

Due to the size of the network (and the problems involved with data transfer) the major nodes in the network do not know where a mobile phone is within the network (only the sub-node / cell cluster where you are knows this). The network does however know where you were when you were last "active", ie switched the phone on, where you last made a call, or the mobile re-registered itself.

Very simplistically, if a call comes in for you the major node checks in its database that your mobile is shown to be switched on and in which sub-node you were last active. It then sends a message to that node indicating a call is coming in. The sub-node then checks itself and its neighbours for your current location (in some cases by following handover messages). When you have been located the sub-node that you are in informs the major node that you are there and then the call is switched to that node, and your phone starts to ring.

From the network perspective voice calls are considered to be "timely" and primary traffic and the network will try its best to connect the call. SMS messages are regarded as non-timely and secondary traffic. That is, for an SMS the major node will (if the bandwidth is available) send the information to the sub-node you were last known to be in; if you are not there then the message is tagged as undelivered, and when you make/receive a call or your mobile re-registers then the network will try to send the SMS again to the new sub-node you are known to be in.

Although this method cuts the signalling information down on the network dramatically it does make secondary traffic both untimely (could take up to 8 hours to be delivered on some busy networks) and unreliable (in that on a congested network where the user moves around it might never be delivered).

Are the phone companies going to change this? Probably not; they have already collected your money when you send an SMS, and (if you read your contract) they are in most cases not required to deliver it, just make a "reasonable" effort. The level of work required to upgrade the network to make SMS reliable and timely would not be worth the cost involved.

The solution to the problem (that works) involves using an Out Bound (OB) Interactive Voice Recognition (IVR) system. The Bank's OB-IVR system calls you, you say a pass phrase which it then checks (ie a spoken PIN number), it then asks you to say a number that appears on your computer screen (the transaction number), and if you get that right it then tells you a number (the confirmation code) that you have to type in and send within a few seconds.

I built an experimental system and it worked well and appeared to be reasonably reliable. Oh and the Idea is not patented but it has been published so you can use the idea freely (patents work differently in the UK and Europe to the US).

Arik • November 24, 2004 11:50 AM

Despite SMS being insecure, prone to eavesdropping, spoofing and unreliable, sending a code which is valid for 3 minutes still constitutes 'something you have' in my book.

Show me a single attack on this system that exploits the fact that SMS is insecure, then we'll have something to discuss.

-- Arik

Martin Forssen • November 24, 2004 12:14 PM

It does not matter that the system does not guarantee 100% delivery of the SMS since the users instinctively know how to work around that problem. Just try again, the next SMS will most probably get through.

piglet • November 24, 2004 12:40 PM

To Neil Bartlett: if the cell phone scheme is equivalent to the transaction code scheme used by tens of millions of internet banking customers in Germany, Switzerland, the Netherlands, Scandinavia and elsewhere, why the extra hassle with the cell phone? Why opt for a scheme that is more complicated, involves more layers, and is less secure? In the case of the transaction codes, the codes and the password are sent to the customer separately by registered mail. A successful attacker has to gain physical access to the code sheet which usually involves breaking into your house. In the case of the cell phone, the risk that the cell phone is stolen is much higher as it is taken everywhere. Moreover, any number of attacks on the SMS communication are at least imaginable. Maybe this is only theoretical, maybe not, but it's foolish to rely on an insecure system on the assumption that the attack "seems to be" unlikely or that it is "far from trivial" for an attacker. And finally, I want all my transactions to be secure. The very fact that this cell phone authentication is only used exceptionally proves that it is not very practical. With TAN codes, *every* transaction is secure.

Arik: "Show me a single attack on this system that exploits the fact that SMS is insecure, then we'll have something to discuss." I don't even want to start to think about all possible attacks. I'll leave that to the specialists (Bruce?). This is simply the wrong attitude towards security. It's enough to know that a system has weaknesses. We don't have to wait until it was obviously broken before it's time to think of something better. The only justification for a weak system would be that a strong system would be much more expensive for the additional security to be worthwhile. But if a stronger and inexpensive system already exists and has been proven, there is simply no justification to follow a dangerous route.

Keith Erskine • November 24, 2004 12:57 PM

When I was at Security Dynamics (now RSA), one of our customers did a similar hack with the server software that controlled the tokens. The server had the ability to generate an emergency token number which is normally used when someone loses a token, but needs access. All they did was route the emergency token number via SMS, and the user does what they normally do for access (token number + PIN).

rediguana • November 24, 2004 3:18 PM

I'm an ASB/BankDirect customer and I'm going to have this forced on me come December 6. I have so many issues with this system... You are forced to use a mobile phone, You have to pay for the text messages that they send, You have to do your Internet banking from an area with mobile phone coverage, Mobile phones are not tamper-resistant, Phones/ESNs can be cloned, You have to pay for an international toll call if you are overseas and don't have your mobile phone, Businesses will have to provide staff that manage the accounts a mobile phone to do the banking, You must be capable of receiving and reading text messages, remember some people just like them to be phones (not everyone in society is capable, but you'd hope that those that can use a computer are able to use text messaging), What happens if different people (with different mobile phones) manage the bank account? Think husband and wife, or a business that may have 2-3 different people managing the online banking. Will the system handle multiple mobile phones? (Yes you can do internet banking on those accounts that only require a single signatory, but multiple people can access), Text messages often don't arrive within 3 minutes. I would have been stoked to have a decent two-factor authentication system, but using a mobile phone has the potential to be a real pain for the reasons mentioned above. I've been tracking some news articles and suchlike - click on my name to read more.

lwoggardner • November 24, 2004 7:05 PM

As Clive Robinson points out above Outbound IVR is a good alternative to the issues with SMS as it can be used with all kinds of phones and doesn't suffer the potential latency issues.

There are already some vendors who offer this kind of technology.

piglet • November 25, 2004 2:16 PM

"The solution to the problem (that works) involves using an Out Bound (OB) Interactive Voice Recognition (IVR) system. The Bank's OB-IVR system calls you, you say a pass phrase which it then checks (ie a spoken PIN number), it then asks you to say a number that appears on your computer screen (the transaction number), and if you get that right it then tells you a number (the confirmation code) that you have to type in and send within a few seconds."
Very nice. Very safe (sort of). And very cumbersome, expensive, and doesn't scale well. But hey, why implement a relatively simple solution if you can have it much more complicated? Same as with voting machines. It's really fun to read these pages, especially the comments.

Dave Pearce • November 25, 2004 9:32 PM

I am an ASB customer and I think this is a great idea. In terms of some of the issues raised by others, to register for the system, you must contact the bank either via a 'personal banker' who knows you personally, or answer a series of identifying questions with their call centre to register your phone number. There are also a large class of transactions to verified funds recipients (eg the Inland Revenue, and registered utility companies, etc) that do not require the authentication. The online banking system it applies to is only intended for personal customers, not businesses which should be using the Fastnet Office application, so piglet's objections to multiple users are not relevant. The fee is only 25c and only applies to transactions over $2500. At 0.01% it must be one of the smallest bank transaction fees going. It will certainly be more secure and less vulnerable to fraud/spoofing than the current system - I reckon good on ASB!

Arik • November 26, 2004 11:11 AM

Piglet:

"I don't even want to start to think about all possible attacks. I'll leave that to the specialists (Bruce?). This is simply the wrong attitude towards security. It's enough to know that a system has weaknesses. We don't have to wait until it was obviously broken before it's time to think of something better."

So your reasoning is thus:

1. SMS security is bad
2. SMS is used as a mechanism to provide 2 factor authentication
3. Hence the 2 factor authentication scheme is broken

The logic weakness in this argument is that for some reason you assume that the SMS weakness reflects on the weakness of the authentication scheme.

It does, but not very much. It's not less strong than a password mechanism to begin with, and the cost of attacking it (cloning the phone, eavesdropping those SMS messages) is very high.

There is ***NOTHING*** that reduces the security of the system if the SMS system is unreliable, or that the messages are stored on the telco's equipment forever.

-- Arik

piglet • November 26, 2004 1:14 PM

So we have one ASB customer who is angry and one who is happy. The degree of satisfaction with the PIN/TAN system universally used in Germany is about 100%. I think, apart from security issues, scalability is the biggest problem. Why are only important transactions secured? I guess it is because clients would get angry if they had to use cell phone authentication all the time. But a system cannot be called secure if an attacker can happily steal 2400$ each in an automatized attack on thousands of victims. I admit that an attack on the cell phone authentication will be difficult to automatize. For the time being, attackers will probably settle for banks offering easier targets, which abound, or for amounts

piglet • November 26, 2004 1:28 PM

"There is ***NOTHING*** that reduces the security of the system if the SMS system is unreliable". Arik, I didn't confound unreliability with security vulnerability. Unreliability may not be a security problem but it may be a big problem for the user if he's trying to make a time sensitive transaction, like stock exchange, and doesn't know how long he'll have to wait for his SMS or if, for some stupid technical reason, it may not arrive at all. Security vulnerability is a different issue and it is a big one.

rediguana • November 26, 2004 5:59 PM

I ended up having about a 25 minute phonecall with Clayton Wakefield, who is the Manager in charge of Technology and Operations for ASB. We had a good discussion and he was very helpful. We agreed that NetCode is good for consumers and is a reasonable payoff between cost, convenience and risk as most consumers won't have many payments going over $2.5k. The threshold however is too low for business, because of the general higher volumes and values. Note FastNet Office is not suitable for most small businesses (1-5 people, which make up 90%+ of businesses in NZ) so a lot of small businesses do use and will continue to use FastNet Classic - as will ours. I think the short term solution that is required is that bank customers must have the option to change the $2.5k threshold to a value that suits their usage of the banking facility and their risk level. Longer term, I am hopeful that as the price of fobs like RSA's SecurID move out of the corporate and government realm we will see those as the solution for consumers - let's face it, using IVR or Mobile Phones for two-factor authentication is nothing more than a cheap option because the ideal fobs are too expensive currently. Perhaps ASB should look at supplying fobs to higher value/transaction users instead of using a cellphone - ASB recognises this. Currently they only provide fobs for the FX users. They have had little feedback at this stage, so if you have concerns try to let them know - I didn't have much joy with the Call Centre, try emailing custserv at asbbank dot co dot nz and if you make intelligent comments they will listen.

Justin • November 27, 2004 1:58 AM

One problem with this -- I'm an Irish citizen with an Irish bank account, which I access via their online banking site, living in the US. My SMS mobile phone doesn't work here -- so I would never receive my authentication message.

I suppose they could redefine the TOS so that the service's use outside of SMS regions is not supported, but that'd be a *big* deal for me.

Anders Rundgren • November 29, 2004 8:40 AM

SMS eavesdropping is a no-issue. The sent code must match the session that the user has just initiated. The eavesdropper needs to do a deep hack in the user's computer in order to use a stolen SMS code for authentication.

BTW, this is just the beginning! NFC will make the phone the smart card nemesis in only 5-7 years from now. With NFC costs go to zero with respect to air-time. PCs will support NFC in the same time-span.

Clive Robinson • November 29, 2004 11:28 AM

Folks,

You appear to have slightly missed the point about SMS reliability and human nature,

1, If a system fails you one time in ten then you get very very upset.

I would not put SMS delivery in less than 15 mins as good as one in ten for a one-off message in somewhere like London. So an unreliable system is going to get the Bank bad press and be virtually stillborn.

2, Humans are very unreliable, they tend to leave things at home unless they have a good reason to carry it.

The German Banks have been issuing printed One Time Password lists for some time. Originally for significant transactions. They discovered that people left the list "safely at home" so they changed it to "for every transaction" and people tended to carry the list. I suspect that any token that is not multi-use and needed virtually every day would get left "safely at home".

A mobile phone in the UK is owned by so many people that there are probably more people with mobile phones than credit cards. Also the coverage is so good that I doubt that you would find more than a couple of places where there is a cash machine where coverage was not already in place.

Against an IVR system Piglet argues,

"And very cumbersome, expensive, and doesn't scale well. But hey, why implement a relatively simple solution if you can have it much more complicated?"

I would point out,

A, Nearly every bank has an IVR so no real extra cost there or extra complexity. Also IVR systems are sufficiently mature technology that any issues / problems are reasonably well understood.

B, As this system is for occasional large transactions it does not need to be very large so scaling issues are likely to be minor.

Also it is easier to scale up and secure an IVR system than it is a large scale online Web based transaction system.

C, For a lot of people SMS is complicated, however using an IVR is not (just very annoying when you have ten levels to get through).

D, A bank is going to get an extremely good rate out of a Mobile Phone Operator, so the cost on that side whilst not zero is going to be very small, probably less than the postage for an OTP.

So for an occasional use large transaction system I would argue that the mobile phone has the following advantages,

1, Most people (in the UK) will have one
2, They are less likely to leave it at home than any other system
3, The loss of the phone does not incur a cost to the bank, and a user is likely to report it lost and replace it very quickly (unlike any other system that is currently in place).
4, The cost of the initial setup to both the bank and the users who would like to use it is virtually non-existent.
5, It is likely to become very popular in the UK and Europe quite quickly.
6, Its transaction costs are probably less than dedicated secure Smart Card readers and pin entry systems, and probably less than the cost of postage for statements.
7, Unlike all the "Bio-metric" solutions that have been considered it does not have overt "Big Brother" feelings for the majority of people.
8, It is likely to be reliable enough for most people as the loss of the phone service is going to be blamed on the Telco more than the bank.
9, If people leave their phone at home etc they are most likely to blame themselves rather than the bank or its system.

I would also say that,

1, Yes it is not highly secure, however in Europe GSM is prevalent and it is likely to be encrypted.
2, For some people handing over their phone number would be a loss of privacy (but I suspect for the majority it's not even an issue).
3, Yes it is marginally more inconvenient.
4, Will it get cracked / spoofed / broken? Yes, but most Bank online systems have and the banks and customers carry on with them.

Do I think it will become widespread? In Europe I would say yes, and fairly quickly; it solves too many issues way too easily not to be of real interest to the Banks, and at low cost and comparatively low risk. It might even replace the "smart card" credit/bank cards that are starting to come into the UK from France.

Oh and currently one of the only workable systems for micro payments involves the use of mobile phones. I suspect that the tie up between Banks and Mobile Phone Operators is going to increase, especially if they both have something to bring to the table.

One last thing, Piglet you say,

"It's really fun to read these pages, especially the comments"

Yes it is when you can find reasoned, well thought out arguments.

piglet • November 29, 2004 6:08 PM

"The German Banks have been issuing printed One Time Password lists for some time. Originally for significant transactions. They discovered that people left the list "safely at home" so they changed it to "for every transaction" and people tended to carry the list."

I'm not sure what point you are trying to make. I have been doing internet banking with the PIN/TAN system since the late 1990s. Sure, I leave the TAN list at home at a safe place most of the time. If I needed to make a transaction from an internet cafe, of course I would have to take the list with me and be careful. I think customers understand that their TAN lists are valuable and shouldn't be lying around. They don't carry them unnecessarily. I haven't ever heard German banks complaining about TAN lists being carried around and lost.

"As this system is for occasional large transactions it does not need to be very large so scaling issues are likely to be minor." I contend that this is exactly the problem. How can you call a system secure if it is viable only for "occasional large transactions"? How does that solve the problem of internet business security? ASB customer rediguana is now saying that the threshold of $2.5k should be increased for small businesses because the system is so impractical. In any case, attackers will have plenty of opportunity to rip off ASB customers.

piglet • November 30, 2004 1:26 PM

Here's an interesting article:

http://www.celent.com/PressReleases/20030709/...

"European Banks spend on average two to three times as much per online banking customer on fraud prevention technologies compared to their American counterparts.

The annual amount lost to online banking fraud in Europe pales in comparison to the combined budgets banks devoted to prevention. European Banks continue to spend on prevention technology primarily because of cultural attitudes towards the perceived risk and the potential damage to the brand image from any fraud incident. (...)

Unlike the American market which predominantly uses a username/password combination to authenticate its consumers, European banks have deployed a great variety of strong authentication solutions to serve both corporate and retail users"

How's that? Any US bank manager reading this?

john • May 31, 2006 5:14 PM

Interesting how two factor auth has lost interest. The cell phone seems to me to be the only way to deliver a soft token. A little public co called Diversinet (DVNTF) in Toronto seems to have an elegant solution and some impressive partners. Does anyone have a solution that makes more sense?

Arnnei Speiser • September 30, 2006 6:36 PM

ASB has been spending a lot of time and money on the SMS solution which by now has been withdrawn from marketing by RSA.

Another implementation is a New Zealand developed solution called the CAT (Cellular Authentication Token) which by now is installed in several companies including in the Banking area in Australasia.

Have a look at: www.catim.biz

The CAT TFA OTP suite is a Strong Authentication for both Intranets and Internet. Its advantages are in the ease of deployment which was specifically designed for mass services such as Internet Banking. It is also appealing for SMEs with its eAuthentication service and affordable prices.

Dave • March 18, 2007 9:44 PM

Re: Two Factor authentication....I agree w/ you re: Diversinet. My company is evaluating them and their solution works great. Easy, relatively cheap and very secure. Much better than a token. Seems to me to be the future in 2 factor. What am I missing? Any comments?

Joe • January 7, 2013 6:34 PM

What is there to even argue about? Every single website dealing with anything important should be using an app on your phone making RSA tokens and they have your app serial number to uniquely ID your phone. I mean really, someone stealing your phone on top of your ID/pass is way way harder than just the id and password. I mean seriously we know it's not perfect but it's a hundred times safer than nothing.
