Two-Factor Identification Too Frustrating for Consumers?
Posted by Bruce Johnson
The Associated Press reports about federal efforts to require banks to demand "two-factor" identification from their customers. As Brian Wong noted recently, the Federal Financial Institutions Examination Council (FFIEC), an umbrella group that includes the Federal Reserve and the Federal Deposit Insurance Corp., has told U.S. banks to strengthen their online authentication procedures by the end of 2006.
The AP article notes that regulators' efforts to step up security have been stymied, and the proposals may suffer from the same "consumer overload" problem that Lance Koonce cited regarding the proliferation of passwords on September 27.
The article mentions some of the problems that financial institutions have had in attempting to persuade consumers to comply with stepped-up security requirements:
According to a June report from the FDIC, a handful of U.S. banks had given customers tokens with passcodes that change every minute. The codes are generated by an algorithm programmed into the token and confirmed on a central authenticating server, making the password impossible to guess.

But tokens create their own headaches. They're relatively costly to deploy and can prompt lots of calls to customer service if they're lost or temporarily out of reach. Banks also fear a ''necklace'' scenario in which customers end up collecting an annoying strand of tokens from all the companies they do business with online.
Even one token might be seen as a hassle.
After ETrade Financial Corp. began offering tokens from RSA Security Inc. to its 2.8 million U.S. customers, only 20,000 signed up. Almost all those people could get the gadgets for free because they were frequent traders or had more than $50,000 in their accounts; everyone else had to pay $25.
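The quoted passage describes the mechanism behind a hardware token only in one sentence: the token and the bank's server share a secret, both derive a short code from it and the current minute, and the server accepts a login only if the codes agree. The example below, added here and not part of the AP article or of any bank's or RSA's actual product code, shows that mechanism end to end using the open HMAC-based standard (HOTP, RFC 4226, and its time-based form TOTP, RFC 6238) rather than the proprietary algorithm the SecurID tokens of the day used. The shared secret and the timestamps are constructed for the demonstration; the 60-second step matches the "change every minute" behaviour described above, and the verifier also shows the two server-side details the article leaves out: tolerating one step of clock drift, and refusing a code that has already been accepted once.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the epoch.

    This is what the token side computes every `step` seconds; with step=60 the
    code changes once a minute, as the passage above describes.
    """
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """Bank-side check for one customer's token (hypothetical server component).

    Accepts a code from the current time step or one step either side (clock
    drift between token and server), and never accepts the same time step twice,
    so a code captured from one login cannot be replayed for another.
    """

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1                   # highest time step already used

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue                         # already consumed: replay or stale
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real token would be provisioned with a random one.
    secret = b"constructed-demo-secret"
    t0 = 1_700_000_000
    verifier = TokenVerifier(secret)
    code = totp(secret, t0)
    print("token shows", code)
    print("first use accepted:", verifier.verify(code, t0))       # True
    print("same code again:  ", verifier.verify(code, t0))        # False (replay)
    print("three minutes late:", verifier.verify(code, t0 + 180))  # False (expired)
```

The `hotp` function is checked against a published RFC 6238 test vector, so the arithmetic can be trusted; the replay guard is the part that matters operationally, since a minute-long validity window is plenty of time for a phished code to be forwarded to the real site if the server does not remember what it has already accepted.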
The article lists other efforts that, some experts fear, may meet with similar resistance:
In one approach, encrypted electronic ''certificates'' could be issued that users would store in a small file on their computers. These certificates would confirm to the bank that the user is bona fide. In turn, a properly encrypted certificate would not respond to a Web site other than the one that issued it -- protecting the user as well as the bank.

Banks also might ask customers to enter passwords on drop-down menus or ''scrambled PIN pads,'' in which an on-screen display indicates letters that correspond to the numbers in the PIN. That code changes every time.
. . .
Another software-based approach is Bank of America's SiteKey service. The bank's Web page shows each user a personally chosen picture and caption at the beginning of each banking session, and asks randomly chosen ''secret questions'' that users have set up in advance.
As the AP article suggests, these proposals may be "flawed unless many users are better educated about the constant arms race between Web sites and criminals. Social engineering, not technology, often is the real problem."
That is a real problem. Education of consumers about computer fraud has been outpaced by the phenomenal growth of internet cons. Indeed, even today, well-educated Americans fall for "phishing" emails and other scams. (A friend in Los Angeles recently told me of a 26-year-old school teacher, with an advanced degree, who had -- amazingly, to those of us familiar with privacy and security issues on the internet -- simply emptied her bank account at the behest of a Nigerian 419-scam spam.)
And what will happen when we get "two-factor" identification? Well, the crooks will adapt.
The AP story quotes Richard M. Smith, an Internet security consultant involved with the website ComputerBytesMan.com, who "says he expects phishers will send legitimate-seeming messages to dupe people into believing, for example, that their SiteKey picture had to be changed." Phishers, he suggests, "are very adaptable."