2FA vs. Mobile

By Nicole Harlow

With the rapid growth of web-enabled smartphones making internet banking via mobile ever more popular, what has been the perceived impact on security and convenience when it comes to using Two Factor Authentication (2FA) devices alongside a mobile?

Security and internet banking

Internet banking is commonly done via computer in a controlled, safe environment where users have access to their details and, if need be, their 2FA devices. The vast majority of users will put up with a 2FA device because it promises higher security.

As mentioned in the post ‘Two Factor Authentication’, with internet banking security almost always wins over convenience. However, in a recent piece of user research which looked at security within mobile internet banking, this was not always the case.

For users, being able to perform spontaneous and quick tasks on the go is highly desirable. However, the 2FA device conflicts with the advantages and convenience of a mobile phone and adds to the items they must carry or remember to have with them. Personal security is also a major concern for users, as many feel the device acts as an indicator of their activities, making them feel vulnerable in public.

So what is the tipping point where convenience outweighs security within mobile internet banking?

We found that the additional steps and awkward interaction in an uncontrolled external environment meant that users felt the card reader was too strict for lower risk tasks such as checking a balance.

During more complex and higher risk banking tasks such as setting up a new payee, the 2FA device was deemed acceptable. However, as these tasks do not need to be spontaneous and can be planned, users did not consider it necessary to do them on mobile. Tasks such as making a payment lie somewhere in the middle of these two extremes and produced varying opinions on whether a card reader is necessary or not.

So should 2FA be compulsory for all mobile banking tasks?

As Tom Wood explains in his blog post ‘Which? Weighs in on bank security’, we have to design for a compromise between security and convenience when we think about the UX of bank security. 2FA devices don’t drive users away when on a computer, but they will function as a channel barrier if adopted across all tasks within mobile internet banking.

With the majority of users wanting to use their mobile for basic tasks such as checking their balance, a hybrid approach (whereby memorable information is used for log in and 2FA is used only for higher risk tasks) might be one such compromise if banks are insisting on this security measure on mobile.

What do you think?