Monday, February 23, 2015

Why don't banks have two-factor authentication?

I'm typing this blog post from a Gmail account. It is not enough for someone to know my password for this account. They would also need my phone to log in.

In the last few months there has been a spate of password leaks and personal-information leaks from online sites. A simple mitigation is two-factor authentication. It requires two distinct kinds of evidence: something you know, and something you have. What you know is usually a password, which is secret. What you have is an object that only you hold. Sometimes it is a hardware token that displays a code computed from a secret key programmed into it. Sometimes it is a cell phone that can receive a text message carrying a one-time code (the phone number is what ties the code to you). Sometimes it is an authenticator app on your phone that generates codes from a secret provisioned to that phone when you enrolled. Even if someone watches you type your password, they don't have your device, so the password alone does not get them into your account. Of the three, the text-message variant is the weakest, since a code sent to a phone number can be read by anyone who manages to take over that number, but any of them is a large improvement over a password by itself.
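To make concrete what the "app that generates numbers" actually does, here is an added example (not code from the original post, and not any particular vendor's app) that assumes the app implements the standard time-based one-time password algorithm, TOTP (RFC 6238), built on HOTP (RFC 4226). The server and the phone share a secret at enrollment (usually delivered as a base32 string inside a QR code); afterwards both sides compute HMAC over the current 30-second time step and truncate the result to a six-digit code, so a login needs the password plus whoever holds that secret. The secret below is the RFC 4226/6238 test-vector secret, chosen so the output can be checked against the RFCs; the verification helper with its skew window and replay guard is how a server side would typically be written, not something the post describes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                             # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second periods since the Unix epoch."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check (illustrative). Accepts the current time step and `window` steps on either
    side to absorb clock skew, refuses any counter already accepted (so a code cannot be replayed),
    and compares in constant time. Returns the matched counter for the caller to persist, or None."""
    if for_time is None:
        for_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = for_time // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_counter:
            continue                                       # replay guard: never accept an old step again
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; restore padding before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Test-vector secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), not a real account's key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Codes at the RFC 6238 reference instants; the 8-digit column matches Appendix B of the RFC.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(RFC_SECRET, t), totp(RFC_SECRET, t, digits=8))
    print("now:", totp(RFC_SECRET))
```

The value in the scheme is that the 20-byte secret never crosses the wire after enrollment: an attacker who learns the password, or who reads one six-digit code, still cannot compute the next one. The skew window and the replay guard are the two details that are easy to get wrong on the server side; without the former, honest users with a slow phone clock are locked out, and without the latter, a shoulder-surfed code remains valid for the rest of its 30-second step.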

Prominent websites have started adding support for two-factor authentication to keep their users safe. It is disappointing how few American banks support it. I stand to lose more if my bank password is compromised than if my email password is compromised. Capital One promotes "Multi-Factor Authentication". It sounds very distinguished, until you learn what it is.

This is from Capital One's page on Multi-Factor Authentication:

What is multi-factor authentication (MFA) and how does it work?
Multifactor authentication is an extra level of authentication for verifying a customer's identity and preventing unauthorized users from accessing financial information.
At enrollment you will set up a series of five security questions.  These questions do expire, so from time to time, you may be asked to update your questions upon signing into your account.  In this instance, you will be presented with a selection of five sets of questions. You’ll be asked to choose the five that are the most meaningful to you and to type in your answers.
You may be asked to answer security questions if our systems require verification that it is you attempting to access your account.  These questions are also used to gain access to your account in the event that you have forgotten your username and password. This is an added layer of security to ensure that the right person is signing into your online account.
If you wish to change your security questions, you can do so online. Just sign in to Online Banking, then click the My Info tab. Click the (+) sign next to Update my sign in information and select the Edit button next to the Security Questions section to update.

It is five extra questions whose answers anyone can type out. In addition, both the questions and their answers have to be stored on the server in a form the server can compare against, and nothing on that page says the answers are hashed rather than kept in cleartext. Even if they are hashed, the answers are short, drawn from a tiny space, and often discoverable from public records or social media. It isn't multi-factor at all: it is one factor, "something you know", just more of it. To add insult to injury, the questions are hilariously complicated, "What is the last name of your first boyfriend?" If that increases security, I suggest this question for Capital One to consider for their next round: "What is the last name of your grandmother's first boyfriend?"

Six passwords instead of one don't make you safer.
