Strong Customer Authentication (SCA) gone mad - we need standardisation

mar7t1n Posts: 115 Forumite
edited 29 May 2022 at 7:11PM in Budgeting & bank accounts
Strong Customer Authentication or 2 Factor Authentication is a wonderful thing to keep digital systems secure. And means the banks can now trust the instruction with a high degree of confidence which means they tend to do it rather than block you moving your own money and insist you call them. I know for sure even if someone finds my password, they still cannot access my account or use my card. But we need some industry standardisation on how it's achieved for everyone's sanity. Every bank now insists I download and install their bespoke authenticator app and set it up. For my main bank that's fine I want the app, but for accounts I'll set up now and leave for 1 year or more it's just OTT. The simplest systems just send me an SMS or call me with a code whenever I login. Google Authenticator is an alternative which stores all your 2FA codes in one place. Soon I'll need an app for every system I use - it could be hundreds.

The need for bank specific apps is a barrier to anyone born last century to setting this up, and means people feel forced into keeping their money with fewer financial institutions to avoid the authenticator app faff.

Mr Lewis, we need a campaign to standardise and simplify or at least insist the banks provide multiple ways of doing it so that you can choose the one which suits you best. It's simply good customer service. But the banks that provide that unfortunately don't pay very good interest rates.

Comments

  • SiliconChip
    SiliconChip Posts: 1,772 Forumite
    I'm inclined to agree about the authenticators, I declined to open a Tandem account because they required use of their own authenticator (and as it happens the new YBS account pays more anyway - I can't have a Chase account as my phone isn't supported). I already have a Microsoft authenticator that I need for work, and I'd be willing to have a Google one too if it can cater for multiple apps, but banks insisting on their own authenticator seems to be overkill.
    Unfortunately there is approximately zero chance of Martin reading your thread, if you really want him to take it up you'll need to contact him through another route.
  • Daliah
    Daliah Posts: 3,792 Forumite
    I don't share your concerns, or your view that different authentication methods at different banks force me to keep my money in fewer places. I am nearly 70 and have no problems using dozens of different apps and websites. I don't choose where I keep my money based on the login method but based on where I get the best returns, whilst keeping my money best protected against loss. 

    The logical conclusion of your theory is that all financial institutions must use the same app / the same online banking, as processes like applying for an account, setting up a payee, making a payment, setting up a Standing Order etc are the same, and there isn't a reason for why they should use different technologies, designs and systems. The chances of any of this ever happening are next to none.


  • Daliah
    Daliah Posts: 3,792 Forumite
    I'm inclined to agree about the authenticators, I declined to open a Tandem account because they required use of their own authenticator 
    What Tandem authenticator?
  • masonic
    masonic Posts: 26,340 Forumite
    edited 27 May 2022 at 10:33AM
    It seems the regulator had some concerns about it becoming a monoculture, so standardising on a particular method could run counter to their policy. There was a clear steer towards giving multiple methods for SCA, including something not dependent on a smartphone. Not all banks currently offer this, but an increasing number are expanding options. Something built into the app itself using push notifications is becoming increasingly common, this is going to be the safest option as far as banks are concerned. The only providers who use TOTP and are compatible with Google Authenticator and others are (as far as I'm aware) investment providers. I'd personally be delighted if push notification, TOTP, SMS and email were all offered as options and could be selected or disabled by each customer depending on their needs, but I don't think that's even slightly realistic.
  • penners324
    penners324 Posts: 3,460 Forumite
    In app authentication is vastly more secure than text message code. 
    I'd prefer all banks did it through their app.
  • penners324
    penners324 Posts: 3,460 Forumite
    Daliah said:
    I'm inclined to agree about the authenticators, I declined to open a Tandem account because they required use of their own authenticator 
    What Tandem authenticator?
    Their own app.... but then it's an app only bank....
  • Zanderman
    Zanderman Posts: 4,839 Forumite
    mar7t1n said:

    The need for bank specific apps is a barrier to anyone born last century to setting this up, and means people feel forced into keeping their money with fewer financial institutions to avoid the authenticator app faff.

    Doesn't make me feel forced to do that at all.

    Indeed I (mostly) like the more secure systems via the apps.

    And I am definitely over 23.
  • Daliah
    Daliah Posts: 3,792 Forumite
    Daliah said:
    I'm inclined to agree about the authenticators, I declined to open a Tandem account because they required use of their own authenticator 
    What Tandem authenticator?
    Their own app.... but then it's an app only bank....
    Exactly. You wouldn't have a Tandem account without the Tandem app. I can't see the added value of bolting on an off-the-shelf authenticator, or messing about with their existing, smooth processing for the sake of standardisation.