Skip navigation

Two-Factor Authentication, Financial Firms, and You

With social media, Bitcoin, and SaaS companies seemingly dominating two-factor authentication adoption, it's easy to feel like the financial industry is trailing far behind with regard to security features. Let's take a look at what's being said about this situation and if we can find a little bit more hope for a future where financial customers are being protected by more than just a password.

Asking for Security May Not Be So Easy

Earlier this month, Ron Lieber wrote a great overview of some of the struggles and lackluster realities that consumers face with larger financial institutions around the concept of two factor. In his article, it becomes quite clear that just trying to understand if a bank or investment company even offers increased authentication security is a tricky road. Of specific concern, he notes that one bank actually used to provide two-factor authentication via token, but stopped due to an apparent lack of demand.

Ron's experience is not surprising at all. During my research on end-user authentication security, financial organizations took the majority of my research time when it came to determining their authentication security offerings. Even when I had scoured Google enough to find an answer, it was usually a riddle as to which account types were allowed to enroll and how to do so. Frustrating doesn't begin to explain the process of trying to be secure with most financial firms online.

My and Ron's experiences are really, really concerning. If a banking organization actually shuts down a program to offer improved authentication security due to weak demand, I'd ask two questions that I think apply to all financial firms.

  1. Is the process to find information about and sign up for two-factor authentication easy for your average customer?

  2. Are the method(s) that you provide to achieve strong authentication free and easy to use for your customers?

If the answer to either question is "no," then maybe it's not a demand problem that crippled that institution's 2FA program but rather the program itself not being viable as implemented.

Confusion Everywhere

In the comments' section of Ron's article, a poster wrote:

Despite the listing here of BofA as a company without it, I have had two-step authentification with them for a couple of years, at least what I assume is such. I log in with user ID and then get a screen that shows me a picture I chose and recognize. If that is correct I give them my password. I thought this was supposed to be ultra secure.

This is a great example of the misunderstanding that surrounds what authentication security even looks like. Showing a user a picture is not a form of two factor because that is still a "knowledge" factor. That's to say, typing a password is something you know and identifying a picture you had previously chosen is also something you know. The reason why organizations do this is actually to help you spot a phishing attempt against your account and not to add more layers to the actual authentication process in any meaningful way.

Further, because most people who had professionally used two-factor authentication in the preceding decades likely did so with a hardware token on their keychain, they may be slightly jaded about signing up for two factor when offered. These days, of course, there are many user-friendly ways to achieve roughly the same goal. SMS is gaining popularity and mobile applications that generate one-time passwords are quickly becoming the way financial firms are providing customers a means to accomplish two-factor authentication. While that's certainly better than a hardware token on a keychain, they still suffer from similar attacks.

Not All Two Factor is Created Equal

Let me be clear: any type of properly implemented two-factor authentication is much better than offering no solution. That said, there's certainly better solutions that not only secure users more effectively but also help adoption.

Last year, CSI selected Duo Security as their two-factor authentication solution for partner organizations to utilize. CSI is a company that provides a banking platform to over 140 financial institutions. As part of that, they gain the ability to have customers leverage our Duo Push technology which isn't susceptible to the attacks that "in-band" two-factor authentication (SMS, OTP, hardware tokens) is. Out-of-band two-factor authentication has really allowed 2FA to reach a whole new level of security for consumers.

Technology such as Duo Push allows consumers to use their existing smart phones with a simple (but powerful) application to provide better authentication security. Because the enrollment process is self service, people can enroll without having to call any support hotline or making involved purchases for hardware tokens. Lastly, this technology also provides a built-in method to report fraud which can help financial organizations spot a targeted attack more easily.

When in Doubt -- Verify!

In a follow-up blog post about Ron's piece, Michael Horowitz wrote:Duo transaction demo

Two factor authentication does not protect a computer infected with malware.

Michael's point here is that once a machine has been compromised, protecting the authentication process becomes moot because the attacker is already inside your browser. This is a salient point and often one that makes people nervous. There's a missing point from his article, however, which is that a proper authentication platform should also be capable of what's known as transaction verification.

With transaction verification, you effectively make a user authenticate the action they are taking. Consider a financial transaction where a user wants to transfer $10,000 to another person's account. If this is a criminal who has control of your machine, two-factor authentication has been hindered in its purpose. By requiring an out-of-band transaction verification (still using Duo Push) to be accepted by the account owner, even a clever attacker can be thwarted from stealing funds from an account.

Not Everyone Has Green Fields

It's easy to become jaded by a lack of ease and availability for two-factor authentication with financial organizations. Keep in mind that many of the companies that you can utilize 2FA with are newer and don't have the the regulation or technical debt of a large financial firm. The good news is that the growth of two factor adoption is quickly on the rise across sectors and organizations are making it more available and easier to use than ever. Be vocal about security to your financial institutions and use their features when available to show that customers do care.

As phishing seems to only be increasing and attackers are using malware more than ever to get a leg up on consumers, it's worth considering taking advantage of 2FA where able and try and encourage those around you to do the same. It's a constant battle online for security so don't be an easy target!

Mark Stanislav

Security Evangelist

@markstanislav

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 75 events including including RSA, DEF CON, ShmooCon, SOURCE Boston, and THOTCON. He earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.