Tuesday, March 1, 2011

Multi-factor authentication means more than knowing an answer

My bank is a great little hometown bank.  I like it for its convenience and that it is local.  The other day, I went to log in to check a deposit, when I noticed a link on the login page that said "Multi-factor Authentication."  I thought "wow, I would love to add a factor to my login."  Currently, my bank just uses username and password.  So, I clicked the link to learn more about their multi-factor login options.  It turns out that if you want to use full-time multi-factor login functionality, you answer an extra question.  That's it.  Yes, you have to answer it exactly, numbers for numbers, punctuation, etc.  But that's it.  I was hoping for a one-time token, or an option to text me a one-time password.

To me, and in the classical definition, multi-factor authentication is made up of factors from different categories:
  • Something the user knows (passwords, PINs, etc.)
  • Something the user has (ATM card, CAC, hardware token, etc.)
  • Something the user is (biometrics: iris, fingerprint, voiceprint, etc.)

As I mentioned above, right now my bank uses a username and password to log in.  That's something you know.  Adding a question that the user "knows" the answer to is not adding a new factor; it is a second instance of the same one.  That answer is still something you know, and like a password it is static, can be written down, guessed, or phished, and is reused on every login.

I'm trying to get in touch with someone at the bank to see if there are other options supported or if there are any plans to add a second factor.
