Single-factor authentication (usually with "something you know", usually a password) is not particularly secure.
For banking, it is common to use two-factor authentication methods with "something you know" and "something you have", traditionally a combination of a plastic card you have and a PIN you know. Older forms of online banking use TAN lists, and the "something you have" is the paper list. Theoretically, you could argue that a TAN is something you can know, but in practice no one carries in their mind a list of 100 TANs mapped to their current number.
Newer online banking is based on the fact that most people have a smartphone, and uses the smartphone as the "something you have". Benny Skogberg described one way of doing it. What my bank does is allow me to register a mobile number with them and then send a valid mTAN for a single transaction to that number via SMS. This may be safer than a single factor, but it is not foolproof.
The problem is as old as security itself: two factors are always more complicated than one factor, and usability is lower. Only one factor is not particularly safe and frequently breaks when the thief has the right motivation (such as getting access to a celebrity's bank account or inbox). There are hundreds of ways to implement proper two-factor security, and most of them will have the same ease of use as your paper TAN list plus online password. No variation for mobile can have higher usability and remain secure, by definition, because for two factors:
- you must have a physical item that cannot be duplicated. You must have it with you whenever you want to access the account.
- you must have high-entropy information that is impossible to guess AND that cannot be written down or recorded near your physical item.
So you will still have to deal with the cognitive effort of remembering a long password, or with carrying an encrypted note on a note-taking device different from the device you are using as the "something I have" factor. Both versions are not very usable and very secure.
Examples of the insecurity of modern almost-two-factor systems:
This becomes one factor if the phone browser saves passwords, which is the default setting, or if there is a banking app that does not require a PIN code when started on a registered phone (which may be the case in Benny Skogberg's example; I didn't catch that detail). Imagine a thief stealing my phone, unlocking it by looking at the smudges my finger left on the touch screen, and starting the browser. If my online banking site is in the history and the password is saved, the mTAN is sent to the phone held by the thief.
There have been cases in Germany over the past year where fraudsters requested a second SIM card with the same phone number from the victim's mobile phone provider and had it delivered to their own address. They could then do online banking from the victim's account using a phone with that second SIM card as the "something I have" factor (they got the password through phishing, Trojans and other common methods). It works because the mobile provider would accept a faxed request for a second SIM card without doing anything to make sure it came from the rightful owner of the mobile phone contract. The victims were never reimbursed, because the bank said the mobile provider was responsible and the mobile provider said the bank was responsible.
By the way, the old paper TAN system would not be secure for mobile either, because if you carry a TAN list in your wallet, chances are that whoever steals your phone will also get your wallet.
Unfortunately, if you want to have something reasonably safe, you will have to give up a lot of usability. The banks seem rather ready to accept a compromise in terms of security.
Addition: there are actually three possible factors, not two. The third is "something you are". Although it is considered more secure because it cannot be copied the way "something you know" can, there is no commercially viable method for using it in automated settings with today's technology. Some solutions have languished as niche technology for years and could become more widespread once they reach sufficient maturity to be widely accepted, as tablets did. For example, I have seen fingerprint readers in the wild. But they are not only expensive, they are also not precise enough. Face recognition systems are also known for false positives (show a printed photo of your victim to the camera) and false negatives (imagine waking up with a swollen face from a root canal infection and not being able to log in to your health care provider's highly secure privacy system). Voiceprint technologies are also easy to fool with recordings, and will deny you entry if you catch a severe cold. Currently, a living person needs to confirm your identity by looking at the photo on your ID. We are probably stuck with the other two factors for online banking for many years, which is sad, because a fingerprint reader is much more usable than having to take care of a plastic card or a fob for generating one-time tokens (which is the modern, secure version of the paper TAN list).
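As an added illustration of what the answer above means by an mTAN that is "valid for a single transaction": this is not the answer author's code and not any real bank's implementation, just a model of the bank side in Python. The TAN is bound to the recipient and amount, those details are repeated in the SMS so the user can check what they are approving, and the TAN is accepted once, within a time window, with a limit on wrong guesses. The account identifiers, the 5-minute window and the three-attempt limit are assumptions. Note what this does and does not defend against: a TAN captured from one SMS cannot be replayed for a different transfer, but it does nothing against the SIM-swap case described in the answer, where the attacker's phone simply receives the SMS.

```python
"""Model of a transaction-bound, single-use mTAN on the bank side.

Added illustration, not the answer author's code and not any real bank's
implementation. Account and IBAN values used with it are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass

TAN_TTL_SECONDS = 300   # assumed validity window: 5 minutes
MAX_ATTEMPTS = 3        # assumed: a 6-digit code must not be brute-forceable


@dataclass
class PendingTan:
    tan: str
    account: str
    recipient_iban: str
    amount_cents: int
    issued_at: float
    attempts: int = 0
    used: bool = False


class MtanIssuer:
    """Issues one TAN per transaction and accepts it only for that transaction."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingTan] = {}

    def issue(self, account: str, recipient_iban: str, amount_cents: int,
              now: float) -> tuple[str, str]:
        """Create a TAN bound to (account, recipient, amount).

        Returns (tan_id, sms_text). The tan_id is kept by the web session;
        the sms_text is what the registered phone receives.
        """
        tan = f"{secrets.randbelow(10**6):06d}"      # 6 random digits
        tan_id = secrets.token_hex(8)
        self._pending[tan_id] = PendingTan(tan, account, recipient_iban,
                                           amount_cents, now)
        # Repeating the transaction details lets the user detect a
        # man-in-the-browser that changed recipient or amount.
        sms = (f"mTAN {tan} for transfer of {amount_cents / 100:.2f} EUR "
               f"to {recipient_iban}. Valid {TAN_TTL_SECONDS // 60} min.")
        return tan_id, sms

    def confirm(self, tan_id: str, entered_tan: str, account: str,
                recipient_iban: str, amount_cents: int, now: float) -> bool:
        """Accept the TAN only once, only in time, only for the bound details."""
        rec = self._pending.get(tan_id)
        if rec is None or rec.used:
            return False
        if now - rec.issued_at > TAN_TTL_SECONDS:
            del self._pending[tan_id]                 # expired: drop it
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[tan_id]                 # too many guesses: drop it
            return False
        details_match = (rec.account, rec.recipient_iban, rec.amount_cents) == \
                        (account, recipient_iban, amount_cents)
        # Constant-time comparison of the code itself.
        tan_match = hmac.compare_digest(rec.tan, entered_tan)
        if details_match and tan_match:
            rec.used = True                           # single use
            return True
        return False


if __name__ == "__main__":
    bank = MtanIssuer()
    tan_id, sms = bank.issue("DE00-ALICE", "DE00-BOB", 12500, now=1000.0)
    print("SMS to registered phone:", sms)
    tan = sms.split()[1]
    # Same TAN presented for a different recipient: rejected.
    print("redirected transfer:", bank.confirm(tan_id, tan, "DE00-ALICE",
                                                "DE00-MALLORY", 12500, 1010.0))
    # Correct transaction: accepted exactly once.
    print("intended transfer: ", bank.confirm(tan_id, tan, "DE00-ALICE",
                                                "DE00-BOB", 12500, 1010.0))
    print("replay:            ", bank.confirm(tan_id, tan, "DE00-ALICE",
                                                "DE00-BOB", 12500, 1011.0))
```

Run it directly to see the three outcomes; the only thing the thief in the SIM-swap scenario needs is the phone that receives the SMS, which this model does nothing to verify.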