HSBC new two-factor authentication system

Hooray for HSBC and their new security authentication system, as described here. I’ve noted in the past the downside of giving customers tokens to keep, look after and ultimately break or lose. Using the mobile phone is a good solution: nearly all of us have one, and this method can enable 2FA into multiple services from the same device without burdening people with a pocketful of tokens.

I’ve been looking at a similar solution from a company called SecurEnvoy. This sends one-time passcodes by SMS to a mobile phone, and the passcode serves as the additional factor for network access. I was reading here that T-Mobile are already using this system. Some will criticize, some already have. Ian Yip says “I can’t help feeling that there’s a way to game the system” and warns about losing your phone (see here). Fair point, but it’s early days; it does mitigate risk to some degree, and it’s up to you whether or not that’s enough. It’s the approach that I like, and so long as we acknowledge the weaknesses we can make a judgement against our appetite for risk. Those weaknesses are:

– the mobile phone is not as good a second factor as a dedicated token

– if you’re caught in an area without a phone signal or a period of high network traffic then the token might not arrive

– a one-time password is more vulnerable to compromise through phishing attacks in which the attacker relays the captured code for immediate use, before it expires
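To make the last two weaknesses concrete, here is an added illustration (my own sketch, not SecurEnvoy’s or HSBC’s code) of what the server side of an SMS passcode scheme has to enforce: a short expiry window, single use, and a cap on guesses. The `send_sms` callback, the `SmsOtpService` class, the phone number and the server key are all constructed for the example; only a keyed hash of the pending code is stored, so a leaked pending-code table does not hand out usable codes.

```python
import hashlib
import hmac
import re
import secrets
import time

OTP_DIGITS = 6          # length of the numeric code sent by SMS
OTP_TTL_SECONDS = 120   # a code is useless after this window, which limits how long a phished code can be relayed
MAX_ATTEMPTS = 3        # drop the pending code after this many wrong guesses


class SmsOtpService:
    """Hypothetical server-side issuer/verifier for SMS one-time passcodes."""

    def __init__(self, send_sms, server_key, clock=time.time):
        self._send_sms = send_sms          # gateway callback: send_sms(phone_number, text)
        self._server_key = server_key      # constructed secret; store only HMACs of pending codes
        self._clock = clock                # injectable for testing expiry
        self._pending = {}                 # username -> {"digest", "expires_at", "attempts"}

    def _digest(self, code):
        return hmac.new(self._server_key, code.encode(), hashlib.sha256).digest()

    def issue(self, username, phone_number):
        # Fresh random code per login attempt; a new issue replaces any earlier pending code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = {
            "digest": self._digest(code),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your login code is {code}. It expires in 2 minutes.")

    def verify(self, username, code):
        entry = self._pending.get(username)
        if entry is None:
            return False                           # nothing issued, already used, or already locked
        if self._clock() > entry["expires_at"]:
            del self._pending[username]            # expired: a late-relayed phished code fails here
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(code)):
            del self._pending[username]            # single use: the same code cannot be replayed
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]            # too many guesses: user must request a new code
        return False


class FakeClock:
    """Controllable clock so the demo can show expiry without sleeping."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def code_from_sms(text):
    """Pull the six-digit code out of the message text, as the user would."""
    return re.search(r"\b(\d{6})\b", text).group(1)


def demo():
    """Walk through the three properties and return the outcomes for inspection."""
    outbox = []                                    # stands in for the SMS gateway
    clock = FakeClock()
    svc = SmsOtpService(send_sms=lambda phone, text: outbox.append((phone, text)),
                        server_key=b"constructed-demo-key", clock=clock)
    phone = "+44 7700 900000"                      # constructed sample number

    svc.issue("alice", phone)
    code = code_from_sms(outbox[-1][1])
    first_use = svc.verify("alice", code)          # correct code, in time
    replay = svc.verify("alice", code)             # same code again is rejected

    svc.issue("alice", phone)
    code = code_from_sms(outbox[-1][1])
    clock.advance(OTP_TTL_SECONDS + 1)
    expired = svc.verify("alice", code)            # right code, but relayed too late

    svc.issue("alice", phone)
    code = code_from_sms(outbox[-1][1])
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)                 # exhaust the guess budget
    locked_out = svc.verify("alice", code)         # even the correct code now fails

    return {"first_use": first_use, "replay": replay,
            "expired": expired, "locked_out": locked_out,
            "sms_sent": len(outbox)}


if __name__ == "__main__":
    print(demo())
```

The expiry and single-use checks are what stop a phished code from being reused later; they do nothing against an attacker who relays the code within the window, which is exactly the weakness noted above, and why a dedicated token that binds the code to the transaction remains the stronger second factor.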

There are other vendors moving into this area including Entrust (IdentityGuard) and i-Sprint (AccessMatrix). My bet is to couple this technology with something like OpenID and we’ve got a decent consumer single sign-on solution. Let’s see where it goes…