The AP reports that U.S. federal regulators have sent a letter to banks saying they should go beyond passwords to two-factor authentication by the end of 2006.
There are all sorts of possibilities for what the other factor might be, from cell phone acks to a physical gizmo that emits a code to use.
I’m betting banks will ask what your last payment for x purpose was.
Dan Gillmor reports a bank he used only a few years ago still used social security number as login name.
He says:
I don’t keep much money at that bank anymore.
Banks are probably worried that more people will do what Dan did, thus limiting their online reach.
-jsq
Two factor authentication in itself doesn’t cut it. It’s transaction authorization that’s needed: every transaction has to be authorized by two-factor authentication, possibly with one-time passwords (be they pre-shared lists of OTPs or on-the-fly generated ones).
This would make life for phishers so much harder (and it’s actually something that’s implemented all over Europe in a more or less pervasive manner).
Interesting. Tell us more about how it’s implemented in Europe.
-jsq
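
The per-transaction authorization described in the comment above, in its pre-shared OTP list variant, as an added example that is not part of the original post or comments and not any bank's implementation. The `Bank` class, the 6-digit code format, the `MAX_FAILURES` lockout and the account and payee names are assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not from the page

class Bank:
    """Hypothetical server side: one unused OTP is burned per transaction."""

    def __init__(self):
        self._unused = {}    # account -> list of OTPs not yet spent
        self._failures = {}  # account -> consecutive bad OTP attempts
        self.ledger = []     # (account, payee, amount) of authorized transfers

    def issue_otp_list(self, account, count=10):
        """Create the pre-shared list that is given to the customer out of band."""
        otps = set()
        while len(otps) < count:          # a set guarantees no duplicate codes
            otps.add(f"{secrets.randbelow(10**6):06d}")
        self._unused[account] = list(otps)
        self._failures[account] = 0
        return list(otps)

    def _consume(self, account, otp):
        if self._failures.get(account, 0) >= MAX_FAILURES:
            return False                  # locked: limits guessing of short codes
        for code in self._unused.get(account, []):
            if hmac.compare_digest(code.encode(), otp.encode()):
                self._unused[account].remove(code)  # single use: a replay fails
                self._failures[account] = 0
                return True
        self._failures[account] = self._failures.get(account, 0) + 1
        return False

    def transfer(self, account, payee, amount, otp):
        """Each transfer, not only the login, must present a fresh OTP."""
        if not self._consume(account, otp):
            return False
        self.ledger.append((account, payee, amount))
        return True

def demo():
    bank = Bank()
    otps = bank.issue_otp_list("alice")   # constructed sample account
    first = bank.transfer("alice", "landlord", 900, otps[0])
    replay = bank.transfer("alice", "mallory", 5000, otps[0])  # spent code reused
    second = bank.transfer("alice", "utility", 60, otps[1])
    return first, replay, second, bank.ledger

if __name__ == "__main__":
    print(demo())
```

A code that has already authorized one transfer is worthless afterwards, which is the property the comment relies on: a captured login alone moves no money.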