NatWest, my bank here in good ole England, has seen fit to beef up security for some aspects of internet banking by moving to Strong Authentication. Unfortunately, they don’t seem to have done the PR on this move as well as hoped. Most of the reaction I’ve read on the net so far has been from annoyed people.
Strong Authentication, or multi-factor authentication, is considered by researchers to be significantly more secure than using a single factor. A factor in this case is something that identifies a person, and factors are usually classified into 1) things a person knows, like a password or PIN, 2) things a person has, such as a bankcard or a keyfob built for this purpose, and 3) things a person is or does, like a retinal scan or fingerprint. So online banking, which only required the user to enter a username/password combo, relied on a single factor, whereas the ATM uses strong authentication since the user is required to have their bankcard and know their PIN.
So NatWest (and I guess other RBS banks?) are sending that ATM-style authentication home to users by sending each a small calculator-like card reader for use with their bankcard. It works pretty much exactly like the card readers in the grocery store, except that they give you a code online to enter into the reader, and then the reader gives you a code to enter online. I, for one, am pleasantly geeked-out to use it, and glad to see that NatWest is taking the security of online banking seriously by putting so much money and effort into getting it out to users.
I don’t think they’ve done a particularly good job so far of allaying people’s concerns. Lots of comments on blog posts are bemoaning the fact that they’ll have to carry the damn thing around with them—no, you won’t. You’ll only need it to make a payment to someone online if you’ve never made a payment to them before. The readers are also entirely identical, meaning you can borrow your cubemate’s reader if he has his at work and you keep yours at home. But I’ve heard rumors that the big reason NatWest is beefing up security is because they’ll be cutting down the delay between making a payment and the recipient getting credited. It’s now about 3 working days, and apparently the plan is to make it happen in seconds. If true, that’s a really important new feature that NatWest could use as a way to introduce the readers: “We’re working faster to process your payments, but that also means that we need to increase security.”
Finally, since the reader is just a standard thing (even readers from other banks will apparently work), I’m hoping either they’ll release software that works with laptop smartcard readers, or someone hacks it together. The security is in the microchip on the card, so making the reader as widely available as possible shouldn’t undermine the system.