I just read a white paper from yet another company that was promoting Two-Factor Authentication (2FA) using SMS text messages. Although there seems to be an endless supply of these white papers (and companies) being churned out these days, I figured I would review it and see if there was something new.
The focus of the white paper was to reinforce the importance of safeguarding online accounts and eCommerce. Of course no one would argue with this. In fact, most would argue that the financial community offers almost nothing to consumers to proactively protect their online and off-line accounts. Most of the existing security solutions offered today are reactive and notify you that you have been compromised after the fact, instead of preventing it. The new FFIEC Guidance addresses this by recommending (unfortunately a recommendation, not a mandate) that financial institutions take a more proactive approach to protecting consumers' accounts using strong two-factor authentication and/or out-of-band (SMS text message) authentication. Not a bad start. Certainly it is better than nothing. However, there are key issues which impact a large-scale rollout.
Firstly, out-of-band SMS authentication does not work for everyone. Not every consumer has SMS enabled. Often consumers are not in an area that has good cell coverage and cannot receive an SMS text message. Occasionally cell carriers have network slowdowns and failures. What does a consumer do then? Are they not permitted to log in to their account, or does the system fall back to single-factor authentication? Two-factor authentication for an account is an all-or-nothing situation. Either an account is always secured with two-factor authentication or it is not. If the account can have two-factor authentication protection switched off, then you might as well not have it on at all and save everyone's time, money and inconvenience.
Secondly, SMS text messages are not free. The company sending the SMS message will pay at least $0.03-0.05 per text, and that assumes that you purchase large blocks (> 500k) of text messages at a time. These charges can add up to a significant cost. For example, if a consumer logs in 3 times a day for one year then the cost would be roughly $4.00/yr. Add in the cost of calling customer service to get access when you are not getting SMS messages (do not forget the consumer frustration) and the costs rise to probably over $15-20/yr. Ouch. These are rough estimates and I'm sure someone will argue that consumers access their account less than three times a day, but with mobile banking and iPads the numbers are on the rise.
What does this all mean? There are better choices such as OTP display cards that can be issued to consumers. These electronic cards can be used just like the debit and credit cards that consumers use today for online and brick-and-mortar purchases. When the consumer accesses their online account they take the card out of their wallet, press the button and enter the number displayed on the card. Simple, convenient, promotes the brand and is cost-effective. Perhaps someday banks will realize they can use the very same display card to prevent debit fraud!
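To make the display-card mechanism concrete, here is an added example (not code from the white paper or from any card vendor) showing how an event-based one-time password in the style of RFC 4226 HOTP is generated by a button press and checked on the server side. The card is simulated in software, the shared secret is the RFC 4226 test-vector key rather than a real card key, and the look-ahead window of ten unsubmitted presses is an assumed policy value; the point it adds to the paragraph is that the server must tolerate a few "accidental" presses yet still reject replay of a code that was already used and refuse a card that has drifted too far.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble of last byte picks the slice
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)     # keep leading zeros on the display


class DisplayCard:
    """Simulated OTP display card: each button press shows the next HOTP value."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class CardVerifier:
    """Server-side state for one issued card: shared secret plus the next expected counter."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0              # next counter value the server expects to see
        self.look_ahead = look_ahead  # assumed policy: tolerate up to 10 unsubmitted presses

    def verify(self, submitted: str) -> bool:
        # Try the expected counter and up to look_ahead values after it, in constant time
        # per comparison; on a match, move past the used counter so the code cannot be replayed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


def demo() -> dict:
    """Walk one card through a constructed login sequence using the RFC 4226 test secret."""
    secret = b"12345678901234567890"       # RFC 4226 test-vector key, not a real card key
    card = DisplayCard(secret)
    server = CardVerifier(secret)
    card.press()
    card.press()                           # two presses the consumer never typed in
    code = card.press()                    # counter value 2
    first = server.verify(code)            # accepted through the look-ahead window
    replay = server.verify(code)           # same code submitted again: rejected
    nxt = server.verify(card.press())      # counter value 3: accepted
    for _ in range(11):                    # far too many unsubmitted presses...
        card.press()
    drifted = server.verify(card.press())  # ...so the card is outside the window: rejected
    return {"first": first, "replay": replay, "next": nxt, "drifted": drifted}


if __name__ == "__main__":
    print(demo())
```

A real deployment would store the per-card secret and counter in a protected datastore and resynchronise a drifted card through a separate enrolment step (for example, asking for two consecutive codes) rather than silently widening the window, since a large window weakens the guess resistance of a six-digit code.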
What if the user does not have their card when they need to login to their account? They can get an SMS text message password of course! The perfect backup solution.