Does your bank support two-factor authentication?

[+Warwagon MVC]

I recently wrote to my bank asking for two-factor authentication. I would be happy if my bank would text my cell phone with a pin that I would use in combination with my login name and password. Apparently it got sent to the IT guy. So my question is, does your bank support two-factor authentication?

The 3 different types of authentication goes as followed

1) Something you know (Like a password, or something you type off the screen)

2) Something you have (Like a cell phone or some sort of device which generates a pin, which someone would have to have in their physical possession to log into your account)

3) Something you are (This would be where you would use a finger print reader, or have your eyes scanned)

[JJ_]

My bank has a lame two factor authentication. The second part asks for 3 words random letters from the secret key. Dont like the idea of authenticators. I would rather prefer them texting me a unique key each time I login.

[Hum]

My bank goes out of the way to keep me from logging in, but anyone boob with my Debit card number can rip it off in the blink of an eye. :crazy:

[CG-88]

three letters from a secret answer is what my bank does. I want the (i think) barcleys had a pin device you could use for online banking. That would be epic.

[+Warwagon MVC]

My bank has a lame two factor authentication. The second part asks for 3 words random letters from the secret key. Dont like the idea of authenticators. I would rather prefer them texting me a unique key each time I login.

I'm confused, are they asking for something you know or for something have? At the moment it sounds like just 1 factor, just something you know.

[CG-88]

Probably password then the next step is asking for three letters from an answer you have already provided them

So password

Give letter 1, 3, 5 of your secret answer

Authorised.

That is prob for online banking though.

[theyarecomingforyou]

My bank uses two-factor authentication for setting up new payees and changes to account settings but not for general online banking (transfers between accounts, viewing statements, etc). It's a decent compromise between practicality and security.

I would prefer banks used mobile more. In particular I would like to be notified every time money is withdrawn from an ATM or purchases above a certain amount are made. I've got an Italian friend and her bank sends her texts when a certain amount is withdrawn, which I think all banks should be required to offer.

[CG-88]

I know that is an option with some accounts but not all which I agree should be required "theyarecomingforyou"

And same, setting up payees etc they require a automated telephone call with a pin and all sorts for bank of scotland

[Noir Angel]

My bank has a lame two factor authentication. The second part asks for 3 words random letters from the secret key. Dont like the idea of authenticators. I would rather prefer them texting me a unique key each time I login.

That's what my bank does when I do an online sign in as well.

[+Warwagon MVC]

My bank does give you the option of alerts via email. But only a select few alerts. It does not let you set a dollar amount to be notified about.

For instance, I would like to sent an alert when a check / credit or debit is made on my account for $200 or more.

but what it will alert people about is if their tax refund arrived in their account :angry:

Hmm well I did just see where I can get an alert if my account falls below X amount of dollars. So I just turned that on and set an amount. I guess that's handy.

[Phouchg]

A physical key card of 72 6-digit codes for login, changing settings and some third-party online services, first 3 digits for confirmation of payments.

Not enough entropy for my liking. Also - three "strikes" and one has to go to the bank in person to unlock online banking again - which I've also had to do once due to taking the wrong key card and then wondering why it didn't accept the thing.

[jamieakers]

I bank in the UK with NatWest, they use 2 factor authentication in a sensible way. Barclays require you to use a physical chip and pin device every time you login, whilst secure it rapidly becomes a pain in the neck when you're out and about and need access - like that emergency purchase when you're at the office. NatWest only require you to use it when paying someone for the first time or when transferring large sums of money. I can cope with that!

[farmeunit]

One of my banks only allow 6-8 character passwords, and I don't believe they even allow special characters . . .

[+Warwagon MVC]

One of my banks only allow 6-8 character passwords, and I don't believe they even allow special characters . . .

My bank has a limit of 17 characters. The fact they have a limit at all is scary!

[Stokkolm]

Mine uses two forms of something I know. A UN/PW and then a PIN, also if it's an IP address I've never logged in with they as a Secret Question. Pretty good security without getting in my way very much.

One of my banks only allow 6-8 character passwords, and I don't believe they even allow special characters . . .

Capital One is this way...I really wish they would allow me to use a stronger password.

[JJ_]

I'm confused, are they asking for something you know or for something have? At the moment it sounds like just 1 factor, just something you know.

CW-88 explained it best, quote below:

Probably password then the next step is asking for three letters from an answer you have already provided them

So password

Give letter 1, 3, 5 of your secret answer

Authorised.

That is prob for online banking though.

I think banks need to up their game. The likes of Steam and Blizzard are providing better login security but I guess no bank has had their online security breached as bad as both these outlets.

[+hedleigh Subscriber²]

My bank requires the following when logging in online.

Access ID: A number provided by the bank.

PIN: A password that the user makes up for themselves.

Authentication Key: A random 6 digit number generated by a key generator supplied by the bank. Number is good for about 30 seconds before a new number has to be generated.

Not sure what else they could do. :)

[PNWDweller]

My bank (Locally owned), has sort of a two factor authentication they think will be best. You log in - and it cross checks against your IP, if it changes, then it sends you a 'pin' to authenticate yourself either to your cell or email on file. Once you enter the pin, you are good to go with just your regular password. Before that, they had a picture that you were supposed to recognize and if you did, answered the question about it and then your password.

Personally, would LOVE to see more support on sites for Yubikey authentication - super easy to do and quite secure.

[+Warwagon MVC]

Personally, would LOVE to see more support on sites for Yubikey authentication - super easy to do and quite secure.

Ya, I bought one when it first came out. I just don't know where it is...hmmm.

[Sandor]

my UK bank asks for a 10 digit number and then it'll ask me for 3 random characters from my set password and then for a random 3 digits of my cards pin number.

Canadian credit union asks for member number then it'll ask me for the answer to a security question. If I answer right it'll take me to a password page but it also displays 2 images I chose during signup to verify that the page is "true". Only if the images match should I enter my password.

Overall both institutions seem pretty secure. Never had any issues with fraud with either (touch wood)

I also have an account with another canadian bank and they just ask for debit card number and a password. If it detects that i'm logging on from an odd location or IP it'll ask a security question too.

[+Warwagon MVC]

my UK bank asks for a 10 digit number and then it'll ask me for 3 random characters from my set password and then for a random 3 digits of my cards pin number.

Canadian credit union asks for member number then it'll ask me for the answer to a security question. If I answer right it'll take me to a password page but it also displays 2 images I chose during signup to verify that the page is "true". Only if the images match should I enter my password.

Those "images" were defunked a long time a lot. The phishing sites would actually grab the "images" from the legit site and show them to you on the fake one."

[Sir Topham Hatt]

HSBC in the UK are ahead with this type of thing.

You have your log on ID and a password.

Then you have to input the six digits from their "Secure Key" device.

When turning on the device, it asks for a 4-digit pin number, then randomly generates a 6-digit number of which you have to input to get into the bank.

Hassle for when I am elsewhere, but I don't remember my log on ID so only log on at home where the secure key is.

Here's their link with a demo.

[bjoswald]

Not that I know of. But then again, I don't really care either.

[Ambroos]

It's not strictly two-factor, but it's as secure as it gets.

You enter your card number on the site (not a credit card, number is never used to pay), then put your card in a portable reader thingy and use that to scan an optical code on your PC display. Select what you want to do (logon/sign/buy), enter your PIN and then you get a response to enter on the web page.

To sign transactions or to buy stuff you not only have to enter your PIN number on the reader but also the (total) amount. Pretty much secures you against malicious spoofing of your transactions. I consider this to be extremely safe and you don't have to remember any passwords.

[neo1911]

Mine uses a random generated 8 digit password which is send to the registered mobile to authenticate any online payment.

The bank also has 3 passwords.

1) Login

2) Transaction

3) Profile

Login password needs to be changed every 2 months.

So to complete any online payment, I have to know 3 passwords. Login, Transaction and the password sent to mobile which is valid for 1 hr.

Pretty decent.