Foolproof blog

Two factor authentication

By Roger Smithers on 5 August 2011

Internet banking security is a hot topic and a primary concern for both the financial industry and consumers alike.

We’ve done a lot of user research recently and found that fears centre around potential loss of funds, the personal intrusion and the inconvenience of having to deal with the problem.

Consumers expect banks to cover any financial loss and the experience of our respondents has certainly reinforced that. Banks have therefore become obliged to cover losses to maintain good customer service. Preventative security has become cheaper than compensation, and additional measures are now being implemented.

Enter the Token / Card-reader / PINsentry / Defender / Secure key device, AKA two-factor authentication or 2FA. The point is to generate codes on a device that is independent of the one used to access internet banking, making it almost impossible to hack.

So what are consumers saying about these devices? It essentially boils down to two things: a) convenience vs. security, and b) behaviour. With internet banking, security always wins out. The inconvenience of using a device is perceived to be outweighed by the hassle and personal invasion if accounts are compromised.

The net effect of 2FA implementation is a shift in behaviour:

  • Frequent/confident users adapt – if the device is small and portable, it will be carried; if not, banking tasks will be restricted to the location of the device, typically home or work
  • Unconfident users welcome the additional security (security fears are a commonly cited reason not to bank online) and so migrate online, although tentatively

In conclusion, 2FA devices don’t drive customers away. Most, if not all, will adapt. But make it easy for the frequent, confident customers by providing a device that’s easy to carry, i.e. one that fits on a key ring or in a wallet.

What do you think?
08/08/11 sue said:
I've lost my bank's log-on device as it's tiny. Annoying! If other banks such as First Direct can manage internet banking securely without one of these annoying little devices, then why can't other banks? Call me a cynic but the fact that a bank has to issue customers with a security device, signals to me that the bank is not smart enough to sort out its security issues properly. I'm moving to a bank that doesn't use gizmos - First Direct.
09/08/11 Roger Smithers said:
Thanks for your comment. Whilst we acknowledge that 2FA is not a perfect system and can be difficult for users (in your case losing your device), some of the more thought-leading banks are engaging with customers through research to ensure their system is as good as it can be. In our opinion, 2FA security is an important device for banks in protecting against card cloning, identity theft and hacking, as home security measures aren’t good enough to prevent against external attacks outside of the bank’s control. Only a handful of banks have adopted 2FA to date but we believe others will follow.
18/08/11 Andrew Harder said:
Users now have to enter 35 characters across two devices to see their bank balance - I'm an HSBC customer and I really think this is a terrible solution. Your position seems to be that it is necessary for banks to provide 2FA for security reasons, but the HSBC SecureKey puts security at direct odds with usability. It is not only increasing the effort required to access their account, but also requiring users to carry around a second device just in case they want to check their bank balance online. But I'm not clear what your conclusion really is here - is it that users found this experience positive? Or passable? Or aggravating but bearable? Did you study real usage and consumer feedback with a significant sample size? Or is this anecdotal feedback from a 10 user study?
19/08/11 James Dunmore said:
Just read the thread on this forum for how many people hate the HSBC device: http://money-watch.co.uk/8224/hsbc-secure-key 2FA - should be via an SMS code, whilst not THE most secure way, it certainly is convenient and very secure. The devices that banks are handing out - such as the HSBC device, are actually very hackable, they just give us a false sense of security. An SMS code (not a smartphone app), is not only flexible and helpful - it can be completely random, unlike the devices which have a pre-fixed security code pattern.
19/08/11 Mr Leo said:
I've just started using the HSBC device and it really is a pain in the arse. First I have to enter my 12-digit ib code, then my secret word, then get the device, turn it on (it's not instant), enter a pin no to get access, generate the code to then enter online. My online banking usage has dropped dramatically because of it. I have to agree with Andrew and personally I only put up with it because I have to. I do appreciate that this is needed to combat hacking but there has to be another way. I'm no expert but how about a device with fingerprint recognition? One that uses your thumbprint to turn it on and automatically send authorisation?? That's probably very expensive but you get the idea, it needs to be quick. Right now if another bank provided that as an alternative to generating unique pin numbers all over the shop I'd jump ship in a second.