Online Multi-Factor Authentication

I was just reading this article on myOpenID CallVerifiD regarding using phone authentication for online logins. This made me wonder why the mobile phone has not become a more common authentication factor.

I’ve talked to too many people who have said that online banking has two-factor authentication because you “have” the user name and “know” the password. This is complete bunk. You “know” both of them; a user name is just a second, less secret piece of knowledge, which leaves most online banking logins as single-factor, multi-layer solutions. Compare the ATM card and PIN: you “have” the ATM card in your physical possession, and you “know” the PIN in your mind. That is two factors, and you can’t get cash without both. Of course there are white-card/skimming schemes that encode a fake card with legitimate track data, and a skimmer has to be paired with a PIN-pad camera or overlay to capture the second factor, but that doesn’t change the model of multi-factor authentication: there are still separate “have” and “know” components, and an attacker must defeat each one.

As the prevalence of mobile phones has grown over the last decade, it seems nearly everyone has one (or two!), and certainly nearly everyone who uses online banking has a mobile phone. So why hasn’t the mobile phone become a key part of financial institutions’ approach to implementing the FFIEC guidance on multi-factor authentication?

The simplest answer is that the average online banking transaction (a balance inquiry) doesn’t require two-factor authentication, and the hit to consumer convenience isn’t worth it. But I’m not satisfied: I’ve yet to see an online banking site that applies vastly different authentication strategies to different sorts of online interactions. I’ll take myself as a use case. I’d be pissed if I needed to respond to a text message every time I logged in to online banking, and I’d even be frustrated if I had to do so for every transfer between accounts I own. But I wouldn’t mind doing it for transfers to outside accounts. Yet I haven’t seen or heard of any financial institution requiring different levels of authentication for different types of transactions. I’m sure someone is and I just haven’t heard about it, so let me know in the comments; I can’t have an account with every FI :-)

This all points to aligning security, authentication, and authorization methods to the channels and transactions that present the greatest risk to the consumer and the financial institution. A balance inquiry is low risk; a person-to-person transfer is high risk. We must authenticate and authorize appropriately for each. I’d be more than happy to authenticate via SMS or IVR for P2P or P2B transfers via online banking, or for password changes, address changes or any number of infrequent high-risk transactions. Two practical points: the code sent to the phone should be single-use and short-lived, and ideally the message names the transaction it authorizes (payee and amount), so the user is confirming that specific transfer rather than merely proving they are present. A code delivered to a phone is not the strongest possession factor (the number can be ported or the handset compromised), but it is a large step up from a password alone and costs the institution almost nothing to deploy.

The beauty of the multi-layer, multi-factor, multi-context approach is that the convenience need can be met while also meeting the security need: inconvenience rises as risk rises, and most consumers will accept that when they know, or at least feel, that they are being protected.
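To make the tiering concrete, here is an added example (my code, not anything from the original post or from any bank) of the authorization decision such a portal would need: a policy table mapping actions to a required assurance level, a session that drops back to the password level once a step-up has aged out, and a one-time code that is single-use, time-limited, attempt-capped and compared in constant time. The action names, the tiering, the six-digit code and every timeout value are assumptions chosen for illustration; delivering the code over SMS or IVR is left to the caller.

```python
"""Risk-tiered (step-up) authentication for an online banking session.

Added example, not code from the original post or from any bank. Action
names, the tiering, code length, expiry and attempt limits are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    KNOW = 1       # user name + password: something you know
    KNOW_HAVE = 2  # plus a code sent to the registered phone: something you have


# Assumed tiering: low-risk actions ride on the password login, high-risk,
# infrequent ones require the possession factor as well.
REQUIRED = {
    "balance_inquiry": Assurance.KNOW,
    "internal_transfer": Assurance.KNOW,       # between accounts the user owns
    "external_transfer": Assurance.KNOW_HAVE,  # P2P / P2B to outside accounts
    "add_payee": Assurance.KNOW_HAVE,
    "change_password": Assurance.KNOW_HAVE,
    "change_address": Assurance.KNOW_HAVE,
}

CODE_DIGITS = 6      # assumed
CODE_TTL = 300       # seconds an issued code stays valid (assumed)
MAX_ATTEMPTS = 3     # wrong guesses before the code is voided (assumed)
STEP_UP_TTL = 600    # seconds a completed step-up keeps the session at KNOW_HAVE (assumed)


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Session:
    level: Assurance = Assurance.KNOW
    step_up_at: float = 0.0
    challenge: Optional[Challenge] = None

    def current_level(self, now: float) -> Assurance:
        # A step-up expires: an old verification must not cover a later high-risk action.
        if self.level == Assurance.KNOW_HAVE and now - self.step_up_at > STEP_UP_TTL:
            return Assurance.KNOW
        return self.level


def authorize(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'step_up' or 'deny' for an action attempted in this session."""
    required = REQUIRED.get(action)
    if required is None:
        return "deny"  # fail closed on actions the policy does not know about
    if session.current_level(now) >= required:
        return "allow"
    return "step_up"


def issue_challenge(session: Session, now: float) -> str:
    """Create a fresh random one-time code; the caller delivers it out of band (SMS/IVR)."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    session.challenge = Challenge(code=code, issued_at=now)
    return code


def verify_challenge(session: Session, submitted: str, now: float) -> bool:
    """Accept the code at most once, within CODE_TTL, within MAX_ATTEMPTS, constant-time compare."""
    ch = session.challenge
    if ch is None or now - ch.issued_at > CODE_TTL or ch.attempts >= MAX_ATTEMPTS:
        session.challenge = None
        return False
    ch.attempts += 1
    if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
        if ch.attempts >= MAX_ATTEMPTS:
            session.challenge = None  # void the code after too many wrong guesses
        return False
    session.challenge = None          # single use: the code is consumed on success
    session.level = Assurance.KNOW_HAVE
    session.step_up_at = now
    return True


if __name__ == "__main__":
    s, t = Session(), 1000.0
    print(authorize(s, "balance_inquiry", t))     # allow: password level is enough
    print(authorize(s, "external_transfer", t))   # step_up: possession factor required
    code = issue_challenge(s, t)                  # bank sends this to the phone on file
    print(verify_challenge(s, code, t + 10))      # True: session is now KNOW_HAVE
    print(authorize(s, "external_transfer", t + 20))                  # allow
    print(authorize(s, "external_transfer", t + 20 + STEP_UP_TTL + 1))  # step_up again
```

Note that nothing here asks the user for a second factor on a balance inquiry, which is the whole point: the extra step appears only where the risk does, and it has to be repeated once the earlier verification has aged out.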

I think this must be a systems problem: the online banking portals in place today just don’t have the flexibility to authenticate and authorize at enough levels to support the granularity required. What do you think?


One Response to “Online Multi-Factor Authentication”

  • Eric Lovejoy says:

    I saw something similar, but not quite so secure as SMS. Citibank, at one time, had particular authentication involved in P2P transactions and the addition of a new payee in Bill Payer. They would send a secure code to your e-mail address when you clicked on one of these options within online banking.

    This service lasted for a time, but then stopped. I think it had something to do with how long I had an open account with them. When I questioned the reason why this service stopped, I was not provided with an adequate answer.

    I think the SMS authentication is a great idea. Chase already uses a mobile system where all inquiries are processed from your mobile phone to their servers, no internet login required. I think it’s a bit much, but it’s effective. In order to get someone’s information, you first need to identify that they’re a user, then steal their phone.

    As for why many places haven’t implemented this particular security method? Not enough forward thinking. They don’t understand our generation, Ben!
