Why don't banks support strong two-factor authentication?

I’ve noticed that nearly all banks don’t support strong two-factor authentication. They either allow access with only a username and password or do two-factor authentication through SMS, which isn’t best practice according to the National Institute of Standards and Technology (but still better than nothing). In the United States, a similar thing has gone on with our EMV rollout, with the vast majority of credit card issuers only issuing chip-and-signature cards instead of chip-and-PIN. On top of that, the signature requirement has since been removed, although not all retail locations are up-to-date.

On my e-mail and social media accounts, I can secure them with both time-based soft tokens or a hardware token (in my case a YubiKey). That’s good and important because a loss of control of my primary e-mail would be a catastrophic cybersecurity breach. However, it seems to me like some things like my bank and retirement accounts could benefit from similar levels of security.

Lots of bank customers wouldn’t know how to deal with two-factor authentication and many don’t text.

Banks make money from you using your card. They want to make it as easy as possible for you to use your card. That’s why the US upgraded to Chip-&-sig instead of Chip-&-PIN. It’s easier for the consumer. Less hassle remembering (one less) PIN. Less hassle & less bank call center staff if you don’t need to deal with constant PIN resets.

If you have two cards in your wallet & one is easier to use, which is the consumer going to use?
The answer to your question is basically the same; banks want to make it easy for consumers because if they make it hard, some other bank will end up with those customers.

Not everyone has a cell phone, not everyone texts, not everyone has their cell phone physically on them when they want to log into their bank. It’s more work for the bank & makes for less happy general customer base to do such.

While I’m not going to do something stupid like list my password here, I know that if my account gets compromised, I will get my money back. Why should I want to go thru an extra security step every single time I log in just to prevent a potential headache later on?

What banks are you interested in?
Wells Fargo, Chase, Capital One, Citi offer 2FA.
It looks like about 1/2 of the listed banks offer some kind of two factor authorization.

Why would I want to tell my bank my cellphone number? They already know too much about me. So if my phone dies or is lost I’m screwed.

Reminder: the OP is asking about stronger 2FA than SMS messaging.

In order for something like a hardware dongle-based system to be interesting enough for a bank to use, it would have to be something on the order of a unique universal standard. Competing systems, lack of standards, etc. all impede progress here. Throw in the drawbacks of a device that can be lost or stolen or just flat out left in your other pair of pants and good old user name/password looks pretty good.

So they can call or text you with a fraud alert?

Last summer my (small, local) bank posted a sign requiring anyone entering the door to remove hats, sunglasses, etc. I laughed and removed my hat and sunglasses, but predicted it would not go over well with their average clientele. They took the sign down three weeks later. My usual teller told me there was an outrage.

Is there anything in writing saying they won’t give the number out to others, including businesses that they may be “affiliated” with?

I’m a little confused about what the OP is asking: strong two-factor authentication to do what?

Both Microsoft and Google have Authenticator apps that work off the HOTP and TOTP standards. The Authenticators never actually communicate with the server on the other end (a shared secret is used for initial setup).

Both apps are free, and do not require a phone number. In fact they will even work in airplane mode.

Many sites will also allow you to remember a specific browser so that you are not required to authenticate each time you access the site.

I would also add that many banks/CU’s are securing their online and mobile banking platforms with more than just your userID and password and MFA challenges like a one-time password or pre-arranged security questions. The objective is to minimize friction for “good actors” accessing the services while still providing effective fraud prevention measures against “bad actors”. That you see a one-time password challenge does not mean that is the only defense in place; there is typically a multi-layered approach being deployed. Device fingerprinting and device ownership validation, geo-IP data, behavioral analytics, etc., are typically behind the scenes to provide more robust authentication of the customer accessing the secured site and to reduce the need to depend upon MFA challenges where possible. That said, there are certainly a large number of financial institutions doing just the bare minimum to meet regulatory requirements, or they lack the technology resources/budget to continually deploy the latest protections.

A bank or CU could require I authenticate every time with a hard or soft token, but frankly I’d not be a customer of that bank or CU for long.

I have no idea. I find the immediacy of text-based and phoned fraud alerts to be worth it, even if the bank does give my number to whomever (whoever).

I don’t answer any calls from numbers not already in my contact list, so I’m not sure if other affiliates are calling me.

Typically your Terms & Conditions and Privacy Policy for online/mobile banking will cover this topic. There will also probably be a Telephone Consumer Protection Act (TCPA) disclaimer in the T&C’s where you’re granting them permission to deliver SMS text messages.

Outside of reviewing your specific institution’s T&C’s and Privacy Policy I would say in my general experience most FI’s will share your information with 3rd parties and affiliates as needed to provide you with the online/mobile banking services. For example, they may share information with 3rd party providers to deliver bill payment or other payment services and in order for those 3rd parties to perform their responsibilities under the online/mobile banking services you receive. Generally speaking they’re not selling your information to unrelated 3rd parties for the purposes of marketing/sales.

Generally speaking banks are in the business of taking in as much money as is humanly possible.

Exactly this. I’m talking about something like a YubiKey. I have one on my keychain that I use for 2FA for services that support it. It would be nice to have the option to use it with banks, etc when logging in from an unknown browser. Standards probably have a lot to do with it, but maybe the recently finalized WebAuthn standard will help speed adoption.

A link is only as strong as the least paid employee.

Having worked a lifetime with people who are, shall we be charitable and say “less than honest,” I can tell you bank employees make nothing, and have no incentive to protect your account.

You’d be shocked to see the low-level, day-to-day employees that have complete access to all your financial information. The vast majority of problems result from this, not from anyone hacking your account.

I work a lot with hotels and over 20+ years have seen first hand minimum wage employees harvesting numbers, SS# (job applications) and so on and so on.

Yet everyone thinks it’s the hackers in Russia when it’s the minimum wage clerk at the Hyatt or Walmart that is your biggest problem.