2 Factor Authentication Methods
The Bingo Card (Static Grid Card) is a 2 (Separate) Factor Authentication solution and is definitely a step up the security ladder. Look at the following and then I'll explain.
The user is first prompted for a username and password as normal. Then a challenge is received to derive values from the grid card:
Now we have a number of individual factors that determine a successful outcome. This fact renders it very resistant to phishing. The only snag here is administration - each time a set of co-ordinates is used, they cannot be used again or security degrades. This is further restricted by the size of the card, and the amount of data that it can contain.
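The server side of the grid card check described above, as an added example that is not from the original article. The 5x8 layout, two-character cells, three co-ordinates per challenge and the choice to retire co-ordinates after any answered challenge are assumptions made for illustration.

```python
import hmac
import secrets
import string

ROWS, COLS = "12345", "ABCDEFGH"   # constructed 5x8 card layout (assumption)
CELLS_PER_CHALLENGE = 3            # assumption: three co-ordinates per login


class GridCard:
    """Server-side record of one issued static grid card."""

    def __init__(self):
        alphabet = string.ascii_uppercase + string.digits
        # Each cell holds a random 2-character value printed on the card.
        self.cells = {c + r: "".join(secrets.choice(alphabet) for _ in range(2))
                      for r in ROWS for c in COLS}
        self.used = set()      # co-ordinates already spent in an answered challenge
        self.pending = None    # outstanding challenge, if any

    def logins_remaining(self):
        """How many more challenges this card supports before reissue."""
        return (len(self.cells) - len(self.used)) // CELLS_PER_CHALLENGE

    def new_challenge(self):
        """Pick unused co-ordinates; raise when the card is exhausted."""
        unused = sorted(set(self.cells) - self.used)
        if len(unused) < CELLS_PER_CHALLENGE:
            raise RuntimeError("card exhausted: issue a replacement card")
        self.pending = secrets.SystemRandom().sample(unused, CELLS_PER_CHALLENGE)
        return list(self.pending)

    def verify(self, answers):
        """Check the reply to the pending challenge; a challenge is single-use."""
        challenge, self.pending = self.pending, None
        if challenge is None or len(answers) != len(challenge):
            return False
        expected = "".join(self.cells[c] for c in challenge)
        supplied = "".join(a.upper() for a in answers)
        ok = hmac.compare_digest(expected.encode(), supplied.encode())
        # Design choice of this example: retire the co-ordinates whether or
        # not the reply was right, so an exposed cell is never asked for again.
        self.used.update(challenge)
        return ok
```

With 40 cells and three per challenge, this card supports 13 logins before it has to be replaced, which is the administration cost the paragraph above points to.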
TAN Lists: Transactional Access Numbers (TANs) are considered to be a weaker form of grid card than the bingo cousin above. They are in the 2 (Separate) Factor Authentication solution category. A TAN list is a series of numbers of varying length (chosen by the creators) entered on a card.
A user might be prompted for details as follows (note that this example does not use the TAN list above):
Having entered a username (or number in this case) and password, the user is prompted to select a number from the TAN list and enter it. This is a popular solution in EU countries.
Mobile Phone SMS Passwords are another form of a 2 (Separate) Factor Authentication, in which one-off numbers are sent via SMS to your mobile phone when logging in. The user registers their mobile phone with the site, and at login time, the SMS message is sent containing a password or PIN. The user enters that unique data as a factor in the login process.
This service can be constrained by the ability of the phone carrier to route SMS messages through in a timely fashion, and to provide coverage to the location from which the user is connected to the Internet. Of course, there is also the somewhat relevant point that not everyone owns a mobile phone (surprising, but true!).