Does your bank offer 2 Factor Authentication?

About7Narwhal Member Posts: 761
I am just curious if anyone has a banking institution that offers 2FA. I find it very sad that my particular choice not only does not have 2FA, but does not allow special characters in the passwords either. I haven't had to change my password in over 10 years! (I got my acct at 13 and have had the same PIN and pw until I recently decided to overhaul my security preferences across the board.)

Doesn't it piss anyone else off that, in most instances, your email has more security behind it than your money?

Comments

  • Jasiono Member Posts: 896
    I have single factor authentication as well, something I know, but I have to know my username, password, the picture I chose when I log in and the phrase underneath it.

    I also have to know a pin when transferring money. All of these things are still in the SOMETHING YOU KNOW category.

    Special characters are allowed in my password. I use fliptext.org and type my password in there and paste it into the field on my banking website.
  • webgeek Member Posts: 495
    I do with USAA but Symantec has to fix their token app. I got so frustrated with it I took it off. The issue was that it wouldn't sync up as required so when I would put in my token info, it would say invalid, preventing me from logging in.

    USAA has always required username, password, and pin.
    BS in IT: Information Assurance and Security (Capella) ETA 2013/Early 2014
    2013 Goals: CISSP [:cheers:] ITIL Foundations [ ] Project+ [ ] Linux+ [ ] CCNA (Maybe) [ ]
  • thegoodbye Member Posts: 94
    My bank offers dual single factor authentication. Certain sites I log into offer triple single factor auth (always something you know). My most important account information is stored in Gmail, which is set up for dual factor authentication via password (something you know) and a text to my phone (something I have).
  • MiikeB Member Posts: 301
    I don't worry about it, they are really good when things happen like cc gets stolen so I forgive who cares? If someone steals my money my bank will take care of me (navyfed)
    Graduated - WGU BS IT December 2011
    Currently Enrolled - WGU MBA IT Start: Nov 1 2012, On term break, restarting July 1.
    QRT2, MGT2, JDT2, SAT2, JET2, JJT2, JFT2, JGT2, JHT2, MMT2, HNT2
    Future Plans - Davenport MS IA, CISSP, VCP5, CCNA, ITIL
    Currently Studying - VCP5, CCNA
  • prtech Member Posts: 163
    I'm prompted for a number that they text me after I enter my password.
    If at first you do succeed, try something harder.
  • glenn_33 Senior Member Baltimore, MD Member Posts: 113
    I know ATMs are two factor, but as far as online banking it's only single factor, at least for me...
    A+/N+/S+/CCNA:RS/CCNA:Sec
  • southerne Member Posts: 5
    I am satisfied and do not care about such things. Online banking is good and more convenient for me.
  • paul78 Member Posts: 3,016
    The FFIEC which governs banks in the US released guidance in the summer of 2011 which outlines the need for multiple factor authentication. That's one of the reasons why a lot of banks are starting to implement those controls. Once FFIEC examiners start to add (if they haven't already) those controls as part of their audit plans, most likely it will be very rare for online banks to not have some level of multiple factor authentication.

    For anyone interested in the FFIEC guidance - FFIEC Press Release
  • ptilsen Member Posts: 2,835
    I have a couple banks that use two-factor when logging on from a new "location" (i.e., browser cookie not detected). They typically do an email or SMS one-time password at this point. After that, the web browser becomes "something you have." Another does this but only asks security questions when it's a new location.

    Ideally, I would like to see them all use OTPs via SMS or RSA fobs/apps (e.g. Battle.net authenticator). The status quo is okay, but an SMS or app system can protect a bank login in the event email is compromised, which is all but guaranteed if the computer accessing the bank site is compromised.

    What I actually do not want to see is widespread use of biometric systems. My feeling is that biometric data hashes will be intercepted, cracked, and then get used to compromise other services, even with different implementations. Passwords and RSA seeds can be changed easily and need not be shared between services. Fingerprints, retinal scan, DNA, etc. cannot.

    On a side note, ATMs are technically two factor but the implementation could be better. If the credit card data is discovered, it is not difficult to make a fake card. PINs are short and simple enough to be guessed easily in many cases. That is not to say the system could not be a lot worse, but there is room for improvement.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
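
The new-"location" step-up described in the post above, as an added example that is not code from any poster or bank: a password login from a browser without a valid device cookie requires a one-time code, and a correct code earns a signed cookie that skips the step next time. All names (`SERVER_KEY`, `PENDING`, `login`, and so on) are hypothetical, and the in-memory dictionary stands in for a real server-side store.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret
OTP_TTL = 300                         # assumption: code valid for 5 minutes
PENDING = {}                          # user -> (code, expiry); stand-in for a real store


def sign(user, device_id):
    msg = f"{len(user)}:{user}:{device_id}".encode()  # length prefix avoids ambiguity
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_cookie(user):
    """Cookie set after a successful OTP check; bound to one user."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{sign(user, device_id)}"


def device_is_known(user, cookie):
    """True only if this server issued the cookie for this user."""
    if not cookie or "." not in cookie:
        return False
    device_id, tag = cookie.split(".", 1)
    return hmac.compare_digest(tag.encode(), sign(user, device_id).encode())


def start_otp(user, now):
    """Create the one-time code that would go out by SMS or email."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = (code, now + OTP_TTL)
    return code


def login(user, password_ok, cookie=None, otp=None, now=None):
    """Return (status, cookie); status is 'denied', 'otp_required' or 'ok'."""
    now = time.time() if now is None else now
    if not password_ok:
        return "denied", None
    if device_is_known(user, cookie):
        return "ok", cookie                    # recognised browser, no step-up
    if otp is None:
        start_otp(user, now)
        return "otp_required", None            # new "location": send a code
    code, expiry = PENDING.pop(user, ("", 0))  # each code gets one attempt
    if code and now <= expiry and hmac.compare_digest(otp.encode(), code.encode()):
        return "ok", issue_device_cookie(user) # browser is now "something you have"
    return "denied", None
```

The cookie is only as strong as the machine holding it: anything that can read the browser's cookie store can replay it, which is why the code is bound to one user and why a real deployment would also expire and revoke these cookies.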
  • cruwl Member Posts: 341
    I have a couple banks that have the image verification so you know you're not at a phishing site. I really like that and think it's a good measure for not tech savvy people. As far as an RSA token or phone key generator I think would be a pain in the ass to have. I have at least 7 different banking institutions, if I had to have a different token for each one that would be a huge pain.
  • bobloblaw Member Posts: 228
    cruwl wrote:
    I have a couple banks that have the image verification so you know you're not at a phishing site. I really like that and think it's a good measure for not tech savvy people. As far as an RSA token or phone key generator I think would be a pain in the ass to have. I have at least 7 different banking institutions, if I had to have a different token for each one that would be a huge pain.

    Truth. Imagine walking around holding a janitor key version of fobs. Painful.
  • About7Narwhal Member Posts: 761
    While I think the fobs would be overwhelming, I see no reason why you could not provide an app or SMS service. Granted, sometimes I get tired of PayPal or Google, but it only takes 5 seconds out of your time.
  • ptilsen Member Posts: 2,835
    Agreed. Definitely don't want 7 fobs, or any, really, but an app or OTP delivered via SMS? Not a big deal. Even OTP via email is better than nothing.
  • wd40 CISA, eJPT, MCP, MCTS, CompTIA x 6 Member Posts: 1,017
    I work for a bank, there is a plan to introduce 2 factor authentication.
    A main reason for this is to shift the liability in case of online theft to the customer, as the customer would have to lose the device, pin and account details for the theft to occur.
  • TheCudder Member Posts: 147
    The credit union I'm with requires a username/password, of course, and it's optional to create & answer 3 security questions after the user/pass has been verified. I personally have it enabled for myself.
    B.S. Information Technology Management | CompTIA A+ | CompTIA Security+ | Graduate Certificate in Information Assurance (In Progress)
  • wes allen Member Posts: 540
    Two factor is good as a baseline best practice, but, if the attacker owns your machine you are still hosed. And there is malware that will hijack your phone to intercept the text with your OTP. So, another part of a layered defense, but not without concerns. Check into Man-in-the-browser type attacks to learn more.
  • tpatt100 Member Posts: 2,991
    My bank requires an authentication code entered if you log into the site from a PC that you have not authorized which they send you via email or text.