
Isn't "Information Security" Just Good Old Fashioned Common Sense?

Question: 
I have been tasked to take a look at two-factor online authentication systems, as we are planning to improve user authentication to meet the new FFIEC guidelines. Besides the usual vendor-related items, what are some important factors that I should consider when selecting a product?
Answer: 

Several important items to consider include:

  • Is the two-factor authentication system being considered truly two-factor? Two-factor authentication means that in addition to providing a password (something only the user knows), the user must establish her identity through biometrics (something only the user is) or by proving possession of an electronic or physical item held only by the legitimate user (something the user has). Asking users for "secret information" (e.g., a mother's maiden name) in addition to a password is not two-factor authentication; it is two instances of the same factor. Furthermore, "secret answers" can often be obtained from public records accessible online and may provide a false sense of added security.
  • Does the system require re-enrolling all existing users? Re-enrollment can turn a one-week rollout into a tedious, expensive yearlong process, and can dramatically increase the true total cost of both implementation and long-term management. Technical or human-factor problems during enrollment can frustrate users to the point that they stop using the online system altogether.
  • Does the system require users to carry security devices with them? Inconveniencing customers in this way can lead them to abandon online banking altogether. Also consider who will bear the direct and indirect costs of replacing lost or broken devices, and of replacing devices whose internal batteries have run down.
  • Does the system require users to install special software on each of their computers? Many users are averse to installing software, others lack the technical skill, and still others may be locked out when they use handheld devices or non-Windows computers, or when they log in from borrowed or public computers. Also, who will be responsible for software conflicts or other technical problems created on users' machines?
  • Does the system require extra effort from users every time they log in? Forcing users through additional steps on every login can frustrate people, generate extra helpdesk load, and lead users to abandon online banking altogether. Existing users have grown accustomed to, and expect, a simple login experience.
  • Does the system perform mutual (two-way) authentication to combat phishing? Many forms of two-factor authentication offer no protection against phishing and similar online fraud: criminals can ask users for the one-time passwords generated by, or received on, their security devices and then use those passwords to gain access within the short window in which they remain valid. Mutual authentication means authenticating the site to the user in such a way that it is obvious to the user that she is communicating with the legitimate online banking site and not a phishing site.
First published on 04/03/2006
