With odd serendipity, this came up at the recent Mobey Forum meeting in Helsinki. While watching a demonstration of Nokia Money, I got a text message from my son, who was in London visiting his girlfriend and had run out of money. He asked me if I could send him £10 to get a train home. I was forced to reply that I could not, because we live in the UK and not in an advanced country such as Kenya, where phone-to-phone money transfer is commonplace. I fired up my iPhone and went to the Barclays page, only to discover that I couldn’t log in and send him some money because I don’t know my 12-digit user code (or whatever it is called) and I didn’t have my dongle anyway (it was back home on my desk). (In case you are worried, the day was saved because he was able to go back to his girlfriend’s house and borrow the money from her parents.)
Now, this demonstration of the utter hopelessness of mobile financial services in the UK took place under the watchful eye of Mobey Forum executive director Liisa Kannainen, who promptly showed me how she had responded to an earlier, similar request from one of her children…
Yes, she still uses the same paper-based Nordea Transaction Authorisation Number (TAN) system introduced in Finland for remote banking years ago, and it still works fine. So to send her kids money, she logs in on the phone and is prompted for the next TAN. She types it in and then crosses it off. Works perfectly. And she always has her TAN list with her in her purse, whereas I never have my dongle with me away from home.
What I do have with me all the time is, of course, my mobile phone. As do almost all of the population. Surely it would make sense for both Nordea and Barclays to move to some standard mobile phone-based 2FA scheme. And then we could move to a standard set of authentication “levels”. For small transactions, just have the phone. For larger transactions, enter a PIN into the phone. For very large transactions, have the phone take your voiceprint, then enter a PIN. Something like that. And if we could use it to log in for banking, then why couldn’t we use it to log in for other things as well?
I saw some perceptive stuff on this from Jan Chipchase writing over at the CGAP blog.
Not all transactions are created equal: the very last dollar in your wallet has a higher value than when there’s a stack of notes; an online transaction completed at home has different security implications than one completed in an internet cafe. Service designers have long recognized the need for extra checks and balances for ‘riskier’ transactions – and these are typically reflected by levels of authentication. From a user’s perspective we’ve found it useful to frame transactions in terms of thresholds of concern and thresholds of alarm. [From Mobile banking: Threshold of concern, threshold of alarm and the zone of comfort]
I rather like that bounding. Below the threshold of concern, security features, PINs, confirmation messages and so on are simply annoying. Provided that the transaction is accounted for somewhere, there’s no reason to interrupt the customer at the point of service: a good example of this might be in-game purchases, where once I’ve logged in to SimFarmSubsidy, or whatever, I can click to buy a field of oil-seed rape for $1 without having to enter my CVV. Above the threshold of alarm, the consumer needs more than two-factor authentication: they need information, confirmation and comfort. I can well remember the “granny clicks the wrong button and buys a house” discussions from my time in various e-commerce standards meetings.
For the run-of-the-mill transactions in the middle, the “typical” transaction that we think about in the context of EMV, 3DS and the like, 2FA is adequate and it seems that the risks associated with the transactions can be managed reasonably well (otherwise issuers would have long since gone out of business). I am clearly not the only one who expects the mobile to dominate in time. Using SMS to deliver one-time passwords (OTP) has already become a popular kind of almost-2FA. A good example is Entrust’s IdentityGuard service.
To help organizations fight the persistent advance of fraud techniques, the platform’s out-of-band authentication capabilities have been enhanced with the inclusion of one-time-passcode (OTP) SMS soft tokens. This new feature enables organizations to send a configurable number of OTPs to a mobile device for use during authentication. Automatically replenished as needed, this dynamic soft-token approach delivers the strength of out-of-band authentication without the concern for constant network availability, delivery timing or software deployment to a mobile device. [From Latest Entrust Versatile Authentication Platform Release Includes SMS Soft Tokens, Digital Certificates – Apr 22, 2009]
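To make the “levels” idea and Chipchase’s two thresholds concrete, here is a small step-up policy engine, added as an illustration (not code from any bank, Entrust or the original post). The amount bands, the factor names and the rule that an untrusted context such as an internet cafe bumps the requirement up one band are all assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Factor(IntEnum):
    """Ordered authentication strengths; a higher value satisfies every lower one."""
    NONE = 0              # below the threshold of concern: do not interrupt the customer
    DEVICE = 1            # just have the phone (possession)
    DEVICE_PIN = 2        # possession plus a PIN entered on the phone
    DEVICE_VOICE_PIN = 3  # possession plus voiceprint plus PIN


@dataclass(frozen=True)
class Policy:
    """Amount bands in the account currency (the values used below are constructed)."""
    concern: float      # below this: no check at the point of service
    pin_from: float     # at or above: PIN required
    strong_from: float  # at or above: voiceprint + PIN required
    alarm: float        # at or above: strongest factor AND explicit review/confirmation

    def __post_init__(self):
        if not (0 <= self.concern <= self.pin_from <= self.strong_from <= self.alarm):
            raise ValueError("thresholds must satisfy concern <= pin_from <= strong_from <= alarm")


@dataclass(frozen=True)
class Decision:
    factor: Factor
    confirm: bool  # show the details and ask for explicit confirmation (above the alarm threshold)


def required(amount: float, policy: Policy, untrusted_context: bool = False) -> Decision:
    """Map one transaction to the authentication it needs under the policy."""
    if amount < 0:
        raise ValueError("amount must be non-negative")
    if amount >= policy.alarm:  # above the threshold of alarm: 2FA alone is not enough
        return Decision(Factor.DEVICE_VOICE_PIN, confirm=True)
    if amount >= policy.strong_from:
        factor = Factor.DEVICE_VOICE_PIN
    elif amount >= policy.pin_from:
        factor = Factor.DEVICE_PIN
    elif amount >= policy.concern:
        factor = Factor.DEVICE
    else:
        factor = Factor.NONE
    if untrusted_context:  # e.g. internet cafe: one band stronger, capped at the strongest factor
        factor = Factor(min(factor + 1, Factor.DEVICE_VOICE_PIN))
    return Decision(factor, confirm=False)


def step_up(session: Factor, amount: float, policy: Policy, untrusted_context: bool = False):
    """Return the Decision to prompt for now, or None if the logged-in session already suffices."""
    need = required(amount, policy, untrusted_context)
    return need if (need.confirm or need.factor > session) else None
```

A session already authenticated with a PIN is never re-prompted for the $1 in-game purchase, while anything at or above the alarm band always gets the confirmation step even if the session is already at the strongest factor.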
Is SMS the only way that 2FA could transition to the mass market? Well, I was experimenting with another approach recently as I was given one of Visa Europe’s CodeSecure cards to test. As an experiment, I gave it to my youngest son, pointed him to CD Now, gave him the instruction leaflet and told him if he could successfully order something, he could keep it. He writes…
Using the pre-paid service that Visa has recently introduced was remarkably easy. The instructions were clear and I understood what I had to do. I made my first purchase at http://www.cdwow.com buying a movie for my brother’s birthday. It took a couple of minutes to make an account and less than a minute to enter the code and details required to make a purchase. It was quite easy and sort of an adventure doing it. I would recommend it to other people because of its easy instructions and fast service. Very good system.
The kids are alright. But note that if the advent of NFC means that my Visa card is going to migrate into my mobile phone then my Visa CodeSecure will have to go with it.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.