Friday, September 28, 2007

Is Two Factor Authentication for internet banking a flop or success?

Q: Is two-factor authentication for internet banking a flop or a success? I read around some articles regarding two-factor authentication; studies have shown that two-factor authentication does not address some present issues, and with the man-in-the-browser attack shown, and also recent cases like ABN AMRO, one may wonder whether two-factor authentication is that safe. I would like to hear your views on this, guys.

A: Hi …,
I agree with the previous answers.
Two-factor authentication is more secure than password-only, single-factor authentication.
• Does it answer some security problems? Yes.
• Does it answer all security problems? No.
This is the fact. I do recommend increasing security levels to mitigate the risk (you can go up several factors, but you cannot eliminate the risk).

If you have the second factor on hardware (token, smart card, etc.) or biometrics, it is even more secure. It is like the ATM card... You lose your PIN, no problem; you still have the card in your pocket. You lose your ATM card, no problem; because you still keep the PIN. If you lose both of them, yes, you have a problem.

Having the 2nd factor on the same media (e.g. on your computer, or 2 passwords) is not as safe as tokens, smart cards, etc.

During online transactions, man-in-the-middle and man-in-the-browser threats can bypass 2-factor authentication, but this does not mean that the financials should rely on static passwords only.

There are also a lot of creative "virtual" 2-factor authentication systems like TriCipher (more links in the DHS link below).

FFIEC: "Single factor authentication methodologies may not provide sufficient protection for internet-based financial services; bank Web sites are expected to adopt some form of 'two-factor' authentication by the end of 2006," regulators with the Federal Financial Institutions Examination Council.

In the financial sector, after the FFIEC requirements above, many banks implemented cheaper pseudo-2-factor systems (SiteKey, CAPTCHA type). Tokens/cards are better, but when cost is the important factor, SiteKey-type systems increase security relatively. Mutual authentication systems are better but very difficult to manage (e.g. PKI). I like out-of-band authentication a lot. When I try a high-risk transaction, my bank sends a one-time password to my cell phone.

Here are some links that may help:
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
http://www.forrester.com/Events/Content/0,5180,1429,00.ppt#418,1,Slide 1
http://www.cyber.st.dhs.gov/phishing-dhs-report.pdf

Let me know if you have a specific question,
Cheers,
- yinal
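The answer above makes two points that are easy to conflate: a man-in-the-browser can bypass two-factor authentication, and out-of-band one-time passwords for high-risk transactions are still worth having. The simulation below, an added example that is not part of the original post or the answerer's own material, shows the difference between a one-time code that merely proves the customer is present (which a man-in-the-browser can forward while it rewrites the transaction in flight) and a code that is derived from the transaction details the bank actually holds, so that a rewritten payee or amount no longer verifies. The key, the `BankServer` class, the customer and payee names, and the HMAC-based code derivation are all constructed for this example and are not any bank's real scheme; binding the code to the transaction is a generalisation of the "OTP for a high-risk transaction" practice the answer describes.

```python
"""Added example (not from the original post): session-level OTP vs a one-time
code bound to the transaction it authorises, under a man-in-the-browser.
All keys, names and amounts below are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed secret; in practice held only by the bank's authentication server.
BANK_KEY = b"constructed-demo-key-not-for-production"


def derive_code(key: bytes, context: str) -> str:
    """6-digit code: HMAC-SHA256 over the context, truncated HOTP-style (RFC 4226)."""
    digest = hmac.new(key, context.encode(), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

    def summary(self) -> str:
        return f"{self.payee}|{self.amount_cents}"


class BankServer:
    """Toy server: issues a one-time code out of band, then verifies the final request."""

    def __init__(self, bind_to_transaction: bool):
        self.bind_to_transaction = bind_to_transaction
        self.nonce = None
        self.sms_outbox = []  # (transfer as the server sees it, code) shown on the phone

    def _context(self, transfer: Transfer) -> str:
        # Session-level: the code depends only on a fresh nonce.
        # Transaction-bound: the code also covers payee and amount.
        if self.bind_to_transaction:
            return transfer.summary() + "|" + self.nonce
        return self.nonce

    def request_code(self, transfer: Transfer) -> None:
        self.nonce = secrets.token_hex(8)
        code = derive_code(BANK_KEY, self._context(transfer))
        # The out-of-band message carries the details the server holds; the
        # browser cannot rewrite what appears on the customer's phone.
        self.sms_outbox.append((transfer, code))

    def execute(self, transfer: Transfer, code: str) -> bool:
        if self.nonce is None:
            return False
        expected = derive_code(BANK_KEY, self._context(transfer))
        self.nonce = None  # one-time use, whether or not it verifies
        return hmac.compare_digest(expected, code)


def swap_after_approval(bind_to_transaction: bool) -> bool:
    """Malware lets the legitimate request through, waits for the customer to type
    the code, then rewrites payee and amount on the final request.
    Returns True if the attacker's transfer is executed."""
    bank = BankServer(bind_to_transaction)
    intended = Transfer("Alice", 10_000)
    attacker = Transfer("Mallory", 500_000)
    bank.request_code(intended)
    shown, code = bank.sms_outbox[-1]
    if shown != intended:          # customer compares phone with intent
        return False
    return bank.execute(attacker, code)


def swap_before_challenge(intended: Transfer, attacker: Transfer) -> bool:
    """Malware rewrites the transaction before the server ever sees it.
    Returns True if the customer would notice: the out-of-band summary
    describes the attacker's transfer, not the one the customer typed."""
    bank = BankServer(bind_to_transaction=True)
    bank.request_code(attacker)
    shown, _ = bank.sms_outbox[-1]
    return shown != intended


if __name__ == "__main__":
    print("session OTP, swap after approval executed:", swap_after_approval(False))
    print("bound OTP, swap after approval executed:", swap_after_approval(True))
    print("customer sees mismatch on phone:",
          swap_before_challenge(Transfer("Alice", 10_000), Transfer("Mallory", 500_000)))
```

The two attack paths correspond to the two things the out-of-band channel has to provide: the code must be computed over the transaction the server will execute (so a swap after approval fails verification), and the message must show the customer what the server actually received (so a swap before the challenge is visible on a device the browser malware does not control). A code sent by SMS with no transaction summary, or one that verifies regardless of payee and amount, gives neither.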