HSBC's new two-factor authentication system

Hooray for HSBC and their new security authentication system, as described here: https://www.computerweekly.com/news/2240082853/HSBC-develops-new-security-authentication-system. I've noted in the past the downside of giving customers tokens to keep, look after and ultimately break or lose. Using the mobile phone is a good solution: nearly all of us have one, and the same device can provide 2FA for multiple services without burdening people with a pocketful of tokens.

I've been looking at a similar solution from a company called SecurEnvoy. It sends one-time passcodes by SMS to the user's mobile phone, and the passcode serves as the second authentication factor for network access. I was reading here that T-Mobile is already using this system. Some will criticise it, and some already have. Ian Yip says "I can't help feeling that there's a way to game the system" and warns about what happens when you lose your phone (see here). Fair point, but it's early days; the approach does mitigate risk to some degree, and it's up to you whether that is enough. It's the approach that I like, and so long as we acknowledge the weaknesses we can make a judgement on our appetite for risk. Those weaknesses are:

– the mobile phone is not as good a second factor as a dedicated token: it is a general-purpose device on a public network, so the passcode is only as safe as the handset and the SIM that receive it

– if you're caught in an area without a phone signal, or during a period of high network traffic, the passcode might not arrive in time

– a one-time passcode is still vulnerable to phishing attacks that capture it for immediate use: the code is good only once, but an attacker who relays it straight away gets that one use
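To make the SMS passcode mechanism and the last two weaknesses concrete, here is the server side of such a scheme as an added example; it is not HSBC's, SecurEnvoy's or any vendor's code. The SMS gateway is stood in for by a `send_sms` callable and the clock is injectable so that expiry can be shown without waiting; the six-digit length, two-minute validity and three-attempt limit are illustrative choices, not anything the article states. The demo at the end shows single use, expiry and lockout working, and also shows that a code phished and relayed within its validity window is accepted, because nothing on the server can tell who typed it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Illustrative policy values (assumptions, not any vendor's settings).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # short validity narrows the window in which a relayed code works
MAX_ATTEMPTS = 3        # bounds online guessing of a 6-digit code to 3 tries per code


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpService:
    """Server side of an SMS one-time-passcode second factor.

    `send_sms(phone, text)` stands in for the SMS gateway so the example runs
    offline; `clock` is injectable so expiry can be demonstrated without waiting.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # user -> PendingOtp; a real deployment keeps this in a server-side store

    def issue(self, user, phone):
        """Generate a fresh code, store it against the user and send it."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        # Re-issuing replaces the outstanding code, so a code that never arrived
        # (no signal, congested network) is dead as soon as the user asks again.
        self._pending[user] = PendingOtp(code=code, issued_at=self._clock())
        self._send_sms(phone, f"{code} is your login code; it expires in {OTP_TTL_SECONDS // 60} minutes")

    def verify(self, user, submitted):
        """Return True exactly once, for the current unexpired code for `user`."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[user]          # expired: the user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: discard the code
            return False
        # Constant-time comparison on bytes; a plain == leaks timing on partial matches.
        matched = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if matched:
            del self._pending[user]          # single use: a replayed code is refused
        return matched


def demo():
    """Exercise the service with a fake clock and a captured SMS channel (constructed data)."""
    sent = []
    clock = [1_700_000_000.0]
    svc = SmsOtpService(send_sms=lambda phone, text: sent.append(text), clock=lambda: clock[0])

    def last_code():
        return sent[-1].split()[0]          # the code is the first word of the message

    results = {}
    phone = "+447700900123"                 # constructed number

    svc.issue("alice", phone)               # happy path, then replay of the same code
    results["first_use"] = svc.verify("alice", last_code())
    results["replay"] = svc.verify("alice", last_code())

    svc.issue("alice", phone)               # code arrives after the validity window
    clock[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", last_code())

    svc.issue("alice", phone)               # attacker burns the attempt budget first
    wrong = f"{(int(last_code()) + 1) % 10**OTP_DIGITS:0{OTP_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    results["lockout"] = svc.verify("alice", last_code())

    svc.issue("alice", phone)               # user re-requests: old code must die
    stale = last_code()
    svc.issue("alice", phone)
    results["stale_after_reissue"] = svc.verify("alice", stale)
    results["fresh_after_reissue"] = svc.verify("alice", last_code())

    svc.issue("alice", phone)               # the weakness: phished and relayed in 30 s
    phished = last_code()
    clock[0] += 30
    results["relayed_within_ttl"] = svc.verify("alice", phished)
    return results
```

The design choices worth noting are that a code is bound to the user it was issued for, is consumed on first successful use, is discarded on expiry or after the attempt limit, and is compared in constant time; none of those stop the real-time relay shown in the last step, which is exactly the phishing weakness listed above.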

There are other vendors moving into this area, including Entrust (IdentityGuard) and i-Sprint (AccessMatrix). My bet is that coupling this technology with something like OpenID gives us a decent consumer single sign-on solution. Let's see where it goes…

1 comment

I can't believe that we are still having this debate. The Swivel PinSafe system has been available since 2003 and has features which have been designed to deal with all the issues cited as reasons why not to use the mobile phone as the token. This includes what happens if the phone is lost or stolen and when there is no mobile signal. It just works and the only way that it can be compromised is if the user is duplicitous, so the banks also have a perfect get out if there is ever a problem.