Does your bank offer 2 Factor Authentication?

I am just curious if anyone has a banking institution that offers 2FA. I find it very sad that my particular choice not only does not have 2FA, but does not allow special characters in the passwords either. I haven't had to change my password in over 10 years!(I got my acct at 13 and have had the same pin and pw until I recently decided to overhaul my security preferences across the board)

Doesn't it piss anyone else off that, in most instances, your email has more security behind it than your money?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Jasiono

I have single factor authentication as well, something I know, but I have to know my username, password, the picture I chose when I log in and the phrase underneath it.

I also have to know a pin when transferring money. All of these things are still in the SOMETHING YOU KNOW category.

Special characters are allowed in my password. I use fliptext.org and type my password in there and paste it into the field on my banking website.

webgeek

I do with USAA but symantec has to fix their token app. I got so frustrated with it I took it off. The issue was that it wouldn't sync up as required so when I would put in my token info, it would say invalid preventing me from logging in.

USAA has always required username, password, and pin.

thegoodbye

My bank offers dual single factor authentication. Certain sites I log into offer triple single factor auth (always something you know). My most important account information is stored in Gmail, which is setup for dual factor authentication via password (something you know) and a text to my phone (something I have).

MiikeB

I don't worry about it, they are really good when things happen like cc gets stolen so I forgive who cares? If someone steals my money my bank will take care of me (navyfed)

prtech

I'm prompted for a number that they text me after I enter my password.

glenn_33

I know ATM's are two factor, but as far as online banking it's only single factor, at least for me...

southerne

I am satisfied and do not care such things.Online banking is good and more convenient for me.

paul78

The FFIEC which governs banks in the US released guidance in the summer of 2011 which outlines the need for multiple factor authentication. That's one of the reasons why a lot of banks are starting to implement those controls. Once FFIEC examiners start to add (if they haven't already) those controls as part of their audit plans, most likely it will be very rare for online banks to not have some level of multiple factor authentication.

For anyone interested in the FFIEC guidance - FFIEC Press Release

ptilsen

I have a couple banks that use two-factor when logging on from a new "location" (ie, browser cookie not detected). They typically do an email or SMS one-time password at this point. After that, the web browser becomes "something you have." Another does this but only asks security questions when it's a new location.

Ideally, I would like to see them all use OTPs via SMS or RSA fobs/apps (e.g. Battle.net authenticator). The status quo is okay, but an SMS or app system can protect a bank login in the event email is compromised, which is all but guaranteed if the computer accessing the bank site is compromised.

What I actually do not want to see is widespread use of biometric systems. My feeling is that biometric data hashes will be intercepted, cracked, and then get used to compromise other services, even with different implementations. Passwords and RSA seeds can be changed easily and need not be shared between services. Fingerprints, retinal scan, DNA, etc. cannot.

On a side note, ATMs are technically two factor but the implementation could be better. If the credit card data is discovered, it is not difficult to make a fake card. PINs are short and simple enough to be guessed easily in many cases. That is not to say the system could not be a lot worse, but there is room for improvement.

cruwl

I have a couple banks that have the image verification so you know youre not at a phishing site. I really like that and think its a good measure for not tech savvy people. As far as an RSA token or phone key generator I think would be a pain in the ass to have. I have atleast 7 different banking institutions, if I had to have a different token for each one that would be a huge pain.

bobloblaw

cruwl wrote: »

I have a couple banks that have the image verification so you know youre not at a phishing site. I really like that and think its a good measure for not tech savvy people. As far as an RSA token or phone key generator I think would be a pain in the ass to have. I have atleast 7 different banking institutions, if I had to have a different token for each one that would be a huge pain.

Truth. Imagine walking around holding a janitor key version of fobs. Painful.

About7Narwhal

While I think the fobs would be overwhelming, I see no reason why you could not provide an app or sms service. Granted, sometimes I get tired of PayPal or Google, but it only takes 5 seconds out of your time.

ptilsen

Agreed. Definitely don't want 7 fobs, or any, really, but an app or OTP delivered via SMS? Not a big deal. Even OTP via email is better than nothing.

wd40

I work for a bank, there is a plan to introduce 2 factor authentication.
A main reason for this is to shift the liability in case of online theft to the customer, as the customer would have to lose the device, pin and account details for the theft to occur.

TheCudder

The Credit union I'm with asks requires a user/name password of course and it's optional to create & answer 3 security questions after the user/pass has been verified --- i personally have it enabled for myself.

wes allen

Two factor is good as a baseline best practice, but, if the attacker owns your machine you are still hosed. And there is malware that will hijack your phone to intercept the text with your OTP. So, another part of a layered defense, but not without concerns. Check into Man-in-the-browser type attacks to learn more.

tpatt100

My bank requires an authentication code entered if you log into the site from a PC that you have not authorized which they send you via email or text.