The Bankwatch

Tracking the consumer evolution of financial services

Banks wary of two-factor model using tokens

Here is a follow-up to an opinion we voiced about the adequacy of two-factor here, here, Citi tokens defeated here, and we questioned Barclays' use of tokens here.

Just to be clear: the issue is not two-factor authentication, the model that adds additional customer verification questions. Two-factor using tokens is the debate, and I am on the side of Alliance and Leicester and Egg, here.

More UK banks have expressed concerns over industry plans for a standard card reader to be used for authenticating online banking transactions.

Industry body Apacs is leading development of a standard model that could help to tackle identity theft by using a second means of proving customers are who they say they are.

But George Hazell, information security manager at Alliance & Leicester, says the bank is not entirely happy with the Apacs two-factor model.

“We are uncomfortable with the practicality of a card reader,” he said. “It is intrusive, it is easily lost, and there is an issue around when we are going to get the chip-and-PIN card in a position to adopt it.”

Source: Banks wary of two-factor model

Marsden at Egg goes on:

‘It’s a pretty expensive model, it is pretty clumsy from the customer perspective, and two-factor is not a complete defence against phishing,’ he said. ‘Citibank has already had its two-factor authentication model broken by a phishing attack.’

Finally, Lloyds have it right in my view, by going with a software solution such as Passmark, and hedging bets on tokens for later. Passmark provides secondary verification questions, and also tracks customers' PC(s), software and Internet access, resulting in risk scores, using their own algorithms.

Lloyds TSB is trialling a different two-factor system called Passmark, but a spokesman says it would adopt the Apacs standard model when finalised.


Written by Colin Henderson

October 11, 2006 at 21:59
