Online banking using two-step authentication

Victor_Delta

I would like to increase my online security when I do online banking by logging in using two-step authentication by means of Google Authenticator.

Does anyone know if any UK banks provide this facility and, if not why not, since this is now such a well established and simple means of increasing online security.

grumbler

Most UK banks require more than just username and password for logging in. The only one I know with 'one-step' authentication is Santander.
Also, the majority of banks have extra security measures in place at least for setting up a new payee.

securityguy

Unfortunately, the banks have found that the main effect of providing additional security is that middle-aged whingers complain about it while simultaneously complaining about how insecure the Internet is and how they're going to have their money stolen.

So for the sake of a quiet life on the complaints line, the banks use weak security on login and then use two factor on setting up new payments, which at least has the advantage that as the aforementioned middle-aged whingers are still too busy talking about how all they ever use is cheques they aren't affected by it.

So the result is that I have Google authenticator (or equivalent) on iCloud, Dropbox, Gmail, Facebook, Paypal, Ebay, Twitter, Lastpass and the uncle Tom Cobley and all app, while my bank relies on "pick three characters from your memorable information". Mostly because the middle-aged "oh, I can't be bothered with that" whingers win over decent security practices.

securityguy

"Most UK banks require more than just username and password for logging in."

But the key point is two factor, not two step. Authentication is some mixture of something you have (tokens of various sorts), something you know (passwords and PINs), something you are (biometrics). Two factor is using at least two of them. Biometrics are difficult for Internet banking because it's tricky to prove "freshness" and "liveness" when the sensor isn't supervised. Not impossible, but tricky. Something you know is easy to do, but easy to intercept. So we're left with something you have, which are various tricks to prove ownership of a phones, card, Vasco tag, Yubikey and so on, combined with a password.

Which is fine for the (relatively) low-threat environment of internet banking, but appears to meet huge resistance from bank customers.

grumbler

OK, I stand corrected with regard to signing in, but my second point stands that it's two-step authentication for all important current accounts actions.

YB <£300is the only one current account with one-step authentification for <£300 among my accounts. Possibly, Cahoot as well that I haven't used for a while.

Victor_Delta

securityguy wrote: »

...So the result is that I have Google authenticator (or equivalent) on iCloud, Dropbox, Gmail, Facebook, Paypal, Ebay, Twitter, Lastpass and the uncle Tom Cobley and all app, while my bank relies on "pick three characters from your memorable information". Mostly because the middle-aged "oh, I can't be bothered with that" whingers win over decent security practices.

Yes, but all these websites give one the option for two factor authentication, it's not mandatory so those users (whatever age they are) who don't want the extra complexity can decide not to use it if they wish.

That's all I'm asking the banks to do and I really still can't see why they don't!

ChiefGrasscutter

Try Barclays
At one point you had to initially part-log on with some details and then as the next stage you put your debit card into a card reader and entered up the pin and then entered up the response code into the website - or something similar.

You can imagine how this lot went down with the moaning customers!
Not well

Now as I recall you can either log on with the full procedure as above and have full access to your accounts or log on with limited access to do only certain things within the site with only a username /part password....from my memory.

ryan121

grumbler wrote: »

Most UK banks require more than just username and password for logging in. The only one I know with 'one-step' authentication is Santander.
Also, the majority of banks have extra security measures in place at least for setting up a new payee.

Santander do use two factor authentication now. I find it more convenient as well as a text is sent to your phone so there's no need for an app or code generating device.

From what I know halifax just uses a username and password! :eek:

Huskyrunner

it didnt go down well with customers but it cut online fraud 99 percent 😉



[/I]

ChiefGrasscutter wrote: »

Try Barclays
At one point you had to initially part-log on with some details and then as the next stage you put your debit card into a card reader and entered up the pin and then entered up the response code into the website - or something similar.

You can imagine how this lot went down with the moaning customers!
Not well

Now as I recall you can either log on with the full procedure as above and have full access to your accounts or log on with limited access to do only certain things within the site with only a username /part password....from my memory.

securityguy

Victor_Delta wrote: »

Yes, but all these websites give one the option for two factor authentication, it's not mandatory so those users (whatever age they are) who don't want the extra complexity can decide not to use it if they wish.

That's all I'm asking the banks to do and I really still can't see why they don't!

The problem for banks would be writing terms and conditions to cover different customers having different security procedures. Would people who opted for two-factor be held to higher standards (ie, harder to get money refunded)? Hmm, that doesn't sound like an incentive. Would people who opted for two-factor be held to lower standards (ie, easier to get refunds, ie, harder for those using one-factor to get refunds?) That's going to cause a riot, because the people who would whine about being told to use two-factor will whine all the more about being effectively punished for not doing so.

So a few banks have made two-factor compulsory, but have had substantial customer resistance to it. It's not helped by the fact that they've mostly done it via card readers, with the fundamental security property being proof of ownership of a debit card and associated PIN, which means that people are stuck with a card reader rather than (say) a Smartphone App or a Vasco tag. There's also not been much evidence, at least not published evidence, that those banks have lower levels of fraud, or at least, low enough to pay for the project costs and the customer grief. It's all a bit of a shambles.

My gut feel is that in fact most "password theft" online fraud is actually caused by people giving their credentials to their partners and children, and therefore two-factor doesn't really alter the risk equation. After all, look at all the people who know their spouses PINs, and talk not only about doing online banking for their partner but about doing the shopping by taking their partner's card. Look at all the people who apparently know their partner's and children's PINs for phones, too. If the main threat actors in contested payments are other residents of the same house (I don't know, I'm guessing) then why would two-factor improve matters?

ChiefGrasscutter

For your amusement on how MSE posters REALLY view increased bank security

Barclays introduces the card reader in 2007
6 pages of moans
http://https://forums.moneysavingexpert.com/discussion/570546

HSBC introduces a dongle in 2011
another 4 pages of moans
https://forums.moneysavingexpert.com/discussion/3296224