The Sad State of Two-Factor Authentication in U.S. Banking

Your tweets can be more secure than your savings account.

Andrew Selig
6 min read · Nov 10, 2020
Photo by Samantha Lam on Unsplash

October was Cybersecurity Awareness Month, and I feel like my inbox was peppered with emails from banks that talked about how I should take more steps to secure my financial life. While reading these emails I was reminded of 2FactorAuth.org, a site I’ve visited in the past, but one that I don’t frequent all too often. The site keeps track of companies across all industries and what level of two-factor authentication they provide, if any, and what kind they offer. Two-factor authentication ensures that there is more than just a password protecting your account, making it tougher to get into if the password becomes known to fraudsters. If you want to make sure that your Blood Elf Mage is safe in World of Warcraft, or that your email is fully protected in Gmail, you can set up software tokens on your phone that significantly increase the security of these accounts.

What’s conspicuous about the list is the number of U.S. financial institutions that don’t provide any two-factor authentication, or provide weak versions through SMS text authentication. By my count all the largest banks only offer SMS authentication, and Woodforest National Bank is one of the few that offers enhanced options to consumers. Better move to Texas.

The term “two-factor” (or multi-factor authentication, sometimes shortened to MFA) comes from using more than one way to validate a user. Seems simple. There are three major authentication factors:

  • Something you know: usernames, passwords, security questions
  • Something you have: physical token, software token, phone, private key
  • Something you are: thumbprint, retinal scan, FaceID

When you log into your bank account you provide a username and password, but these are both in the “something you know” category. Authenticating using two categories significantly increases the security of the site you’re trying to get into. Watch any spy movie since the 90s and you’ll see this concept on display. In the original Mission Impossible it took a badge ID (something you have) and a retinal scan (something you are) to get into the vault. So hard to fake it’s easier going through the vents.

SMS authentication isn’t enough

Many websites provide a form of two-factor authentication through SMS texts. Log into your account using a device that isn’t recognized and you’re sent to another page to wait for a code to ensure it’s you. You’re the only one that should have access to those texts, so it only seems right that this is a secure way to authenticate.

Except you might not be the only one with access to those texts. The existence, and ease, of SIM hijacking has led the National Institute of Standards and Technology (NIST) to deprecate the use of SMS texts as a valid out-of-band authenticator (and then drop that guidance, but still). Reply All, a podcast “about the Internet,” had a great episode (#130 The Snapchat Thief) on the weaknesses inherent in relying on SMS as a form of two-factor authentication. (Though it’s much better than nothing, and should be used on all accounts that have the capability.)

If texts can’t be trusted, what are the other options?

Hardware, software, and keys, oh my!

There are a lot of options these days to better protect your account, and they’re relatively simple for you to implement if the companies you work with support it.

  • Hardware token — The first multi-factor device available to the masses. Based on predetermined values and mathematics, an end user is shipped a small device the size of a USB stick with 6 rotating numbers that match the same calculation on the server. Enter your username, password, and token, and you’re whisked into your account status screen knowing you’re the only one able to get in.
An RSA Hard Token, rotating all 6 digits every 60 seconds
  • Software token — This works similarly to a hardware token, except that an initial activation QR code gives your smartphone access to the magical rotating 6 digits. There are even additional features where the site can push an authentication request to your phone and save you the hassle of inputting numbers. Although it sounds similar to SMS authentication, the communication methods used for software tokens are much more secure.
  • TouchID/FaceID — With the addition of biometrics in phones, being able to assert the “something you are” factor has never been easier. By utilizing the same functions you use every day to get on your phone, you can use phone biometrics and a PIN to get access to critical data, or authenticate to an app or website more securely.
  • Security key — Physical cards and keys have been around in military circles for decades: something that is kept on you at all times, and can be plugged into that super secure terminal that keeps track of ballistic missiles. But recently there has been a larger push with smartphones and browsers to allow hardware authenticators that we can all use. The largest player in this space is Yubico, the makers of the Yubikey, a unique USB and NFC device that can be used at an increasing number of websites. Register it when you create your account and the site will ensure that you’re the only “you” by validating that you have the key attached to your computer or phone. The highest level of security.
A Yubikey 4 NFC, allows for hardware authentication on your computer or phone.

However, security is a team sport

Hopefully you’re considering this a New Year’s resolution, but the fact of the matter is that if banks and other financial institutions aren’t offering these capabilities to their consumer banking customers, there’s not a lot you can do. What has long been available to commercial customers moving millions of dollars through wires and ACH transactions has not transitioned to lower value relationships.

Why? It could be for a multitude of reasons. Rewriting online banking systems, old-school mainframe backends, cost to value of rolling out protections for smaller dollar amounts, or lack of perceived demand. It could be all or none of these. However, taking a look at financial institutions in Europe demonstrates the capability and appetite are there for consumer banking.

The market will catch up once one of the big players in this space rolls out two-factor authentication to the masses. So it is important to educate yourself on more secure forms of protecting your money, and call your financial institutions and ask for more options. Fraudsters have unlimited tools at their disposal, and we should do everything in our powers to ensure that consumers have access to the tools necessary to protect themselves if they choose to do so.

There are still steps you can take

While your local bank or credit union might not take advantage of two-factor, there are plenty of websites that do. Google, Facebook, and Twitter all support an authenticator app using a soft token, as well as security keys. Take a look at all the websites you frequent and set up two-factor authentication once; you’ll then be prompted when using a new computer or changing settings. More importantly, fraudsters will be prompted, and thwarted, if they gain access to your password, keeping those tweets and emails safe.

I wish you a belated Cybersecurity Awareness Month. Get a password manager, change your passwords, set up two-factor authentication, and feel better about your digital self.
