The Bankwatch

Tracking the consumer evolution of financial services

Two-factor authentication is not well understood

I worry about the perception created by HSBC and Abbey. It's assumed that two factor and tokens are synonymous.

The notion that HSBC and Abbey will become front-line targets for the fraudsters is supported by evidence presented in this paper, ‘Closing the phishing hole’, by Ross Anderson, professor of security engineering at Cambridge University.

Two factor requires that there is a second level of authentication, beyond username and password. For sure I know Abbey have deployed PassMark; HSBC, I am guessing, have, or something similar. PassMark uses the forensics of the customer's computer as the 2nd factor. It works like a fingerprint, and is strong enough to be certain in identifying the customer. The bad guys know this.

On the other hand the technology exists to get past tokens.

My take – HSBC and Abbey National have made the right bet between customer inconvenience and bank risk.

Written by Colin Henderson

May 17, 2007 at 22:45

Posted in Security

6 Responses

  1. It seems we may not be looking at authentication correctly. If you had 4 factor authentication as a maximum security level why wouldn’t you then detail lower levels of authentication for lower levels of risk? Some people have a series of locks on their door fronts based on what they perceive as a risk.


    May 18, 2007 at 13:17

  2. I agree Gene, and ideally the security, and with it the ‘inconvenience factor’, would only be required at the higher levels of need.

    My only point was in direct comparison of two factor, between PassMark approach vs token style. My reading of the situation is that token is not stronger because of the potential for man-in-the-middle attack.


    May 18, 2007 at 15:39

  3. Internal controls- important as frontline security

    …talks not only about the different types of scams, like Phishing, but the importance of internal controls within financial services organizations that front end technical security supplements…

  4. Well I think no matter how you look at it two factor authentication is the best security there is right now and it’s only going to get better and become more popular with time. Of course if we sit around and dissect everything about it, we and those who would do harm will find kinks in the armor, but we should focus more on the positive aspects of this kind of security.


    March 15, 2008 at 02:20

  5. […] here for my thoughts last year, and how two factor authentication is not well […]

  6. Two factor authentication has long been misunderstood. Not only do most people not look at it correctly, but many others, especially those new to the technology, expect far too much from it. TFA also has its many attractors who bash it for having been cracked. What successful technology out there hasn’t been compromised? I think the misunderstanding will fade however as the technology continues to prove itself and more businesses adopt it.


    April 11, 2008 at 00:14
