Insight into why Europeans get multi-factor authentication and we don't

TOPICS: Banking, Security

Every now and then, a press release or pitch crosses my desk about the so-called idea of "strong factor" authentication. It makes me want to roll my eyes because the US has got to be the only place in the world that actually knows better than to fall for such a watered-down imposter of true multi-factor authentication, but gets suckered into using it anyway. To refresh everybody's memory (or to introduce the idea to people just seeing this terminology for the first time), multi-factor security is the sort of security where you don't get what you're after until you've demonstrated at least two if not three of the following:

  • What you know -- like a user ID and password
  • What you have -- a security token of some sort like an ATM card
  • Who you are -- usually established through biometric measures

In contrast, strong-factor authentication was a compromise that the banking and security sectors reached with the political community. The political community wanted stricter controls in place for online banking. The Rx was clearly multi-factor security of the type that Europeans are used to. The banking community couldn't fathom the cost or inconvenience of giving Americans what the Europeans have (can you imagine?), so the security community came up with solutions that it helped market to the politicians as being just as good. But all these so-called "strong-factor" solutions do is double up on the first factor (what you know), requiring you to know more than just a user ID and password.

Many Europeans who bank online are used to the idea of two-factor security. In addition to user ID and password, before authenticating online bankers, many European banks require the entry of a secret code that only you and the bank know at any given moment in time. The secret code changes often, at regular intervals. RSA (a subsidiary of EMC) is one of the vendors that makes this form of multi-factor authentication possible with its SecurID solution.

Whereas some form of multi-factor security stands between many of my European friends and online access to their bank accounts, I don't have a single friend in the US who faces the same barrier to entry. That will change the moment we have some major online banking authentication catastrophe in the US. But in the meantime, my sense has been that Americans can't be bothered with such inconveniences. Early last year, I wrote about how this culture of convenience will eventually come home to roost in a post headlined Why Americans are technology, political, and educational laggards and how it will doom them.

Today, I found some more insight into how Europeans ended up using two-factor security and we in the US ended up with the toothless de facto alternative we have. From eWeek comes a Q&A with the Burton Group's Mark Diodati on the definition of multifactor authentication. In it, Diodati says the following:

  • In Europe the institutional and cultural context is different. Banks were able to issue smart cards [credit cards with embedded computer chips] or other devices to consumers and require their use for the authentication of transactions. One reason there may have been more tolerance for this in Europe is that retail shops there didn't always have access to cheap data lines for online verification of credit card transactions the way they did in the U.S.
  • Responding to the question of whether we'll ever adopt multifactor authentication here in the US: "Probably not.... the name of the game for online banking and online retail sites in the U.S. will be to do authentication without issuing hardware or software to the consumer."

In the Q&A, Diodati finds merit in "solutions that mimic the benefits of multifactor without the constraints" and mentions password hardening as one of them. In describing password hardening, one technique he discusses is the approach taken by BioPassword -- an approach that compares the keystroke dwell (key depression time for each character in a user ID and/or password) at time of login to the keystroke dwell pattern that's registered with the systems in question (much the same way real biometric systems must do a one-time registration of fingerprints or irises).
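The enrol-then-compare step described above, as an added illustration that is not BioPassword's algorithm (which is proprietary): several typings of the same password are reduced to a per-key dwell profile (mean and spread), and a login attempt is scored by how many standard deviations its dwell times sit from that profile. The threshold, the standard-deviation floor and all timing values are assumptions constructed for the example.

```python
from statistics import mean, pstdev

# One list per enrolment typing of the same 5-character password; each entry is the
# dwell time in milliseconds for the corresponding key (constructed sample data).
ENROLLED_SAMPLES = [
    [95, 110, 80, 130, 90],
    [100, 105, 85, 125, 95],
    [90, 115, 75, 135, 85],
]

STD_FLOOR_MS = 5.0  # stops a near-constant key from making any deviation look huge


def enroll(samples: list[list[int]]) -> list[tuple[float, float]]:
    """Registration: per key position, the mean dwell and its (floored) standard deviation."""
    width = len(samples[0])
    if any(len(s) != width for s in samples):
        raise ValueError("all enrolment samples must have the same length")
    profile = []
    for i in range(width):
        column = [s[i] for s in samples]
        profile.append((mean(column), max(pstdev(column), STD_FLOOR_MS)))
    return profile


def dwell_distance(profile: list[tuple[float, float]], attempt: list[int]) -> float:
    """Mean absolute z-score of the attempt's dwell times against the enrolled profile."""
    return mean(abs(d - m) / sd for (m, sd), d in zip(profile, attempt))


def matches(profile: list[tuple[float, float]], attempt: list[int], threshold: float = 1.5) -> bool:
    """Login-time check: wrong length is an immediate reject; otherwise compare to threshold."""
    if len(attempt) != len(profile):
        return False
    return dwell_distance(profile, attempt) <= threshold


if __name__ == "__main__":
    prof = enroll(ENROLLED_SAMPLES)
    print("legitimate:", matches(prof, [97, 108, 82, 128, 92]))   # True
    print("impostor:  ", matches(prof, [140, 60, 120, 90, 150]))  # False
```

Note that the score is compared only after the password itself is correct; dwell timing narrows who could have typed it, it does not replace the secret.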

Personally, I'd prefer real two-factor authentication and I'd even be willing to pay extra for it. But we're a culture of convenience. That option from my bank probably won't happen any time soon.

  • Bank of America Offering that as of This week

    Here's the quote from Bank of America online banking:
    "SafePass Account Security

    Unrivaled protection you control

    SafePass is an optional, second layer of protection for your most sensitive Online Banking transactions. With SafePass, you receive a 6-digit, one-time-use security code from an item you already carry -- your existing mobile device. The security code expires as soon as it's used, so you can be sure it will never be used by anyone but you. And because SafePass is always with you on your mobile device, you stay in complete control of this extra layer of security."
  • RE: Insight into why Europeans get multi-factor authentication and we don't

    Some US bank will start to do such and capitalize on that fact alone. All the others will then have to follow suit - just as they have with the full online banking/bill pay.
  • RE: Insight into why Europeans get multi-factor authentication and we don't

    Actually, keystroke dynamics is a true two-factor technology. KD is a recognized behavioral biometric. Bear in mind that the threat model associated with KD is different from a token.
  • RE: Insight into why Europeans get multi-factor authentication and we don't

    I really wonder what this uninformed diatribe about "the Europeans" is meant to mean. Security is important everywhere without anyone having to get paranoid about it. Here in Switzerland you push your card into an ATM and enter your PIN as everywhere. As withdrawals are limited, potential damage is limited, too. In online banking where potential damage can be disastrous, the latest is to enter ID, password and a code that is generated in a special card reader after you keyed in a number given to you on the screen and your PIN. You then enter the freshly generated code in the appropriate field. The whole process takes seconds, and I feel rather comfortable with it.
    • Read the article again

      I suggest you read the article again. The article is lamenting the fact that in Europe they have true multi-factor authentication and here in the U.S. we don't but should.
  • RE: Insight into why Europeans get multi-factor authentication and we don't

    Is the solution for me to have a SecurID card for every bank account, brokerage account, etc. that I have? That's a lot of widgets for me to track.
  • RE: Insight into why Europeans get multi-factor authentication and we don't

    I authenticate with my German bank via username and password and a set of numbers/codes they send to me in the mail. Every time I want to do a transaction on the web I have to supply one of the numbers. More recently the codes are numbered and they tell me "use code 36 for this transaction". When the codes run out they send a new list.
  • Several of my banks do to some extent, and one credit union goes further

    Several of my banks do offer multifactor authentication to some extent, and one credit union goes a step further.

    Many of the banks I deal with require the computer be trusted. That is, I must have entered some personal details at some point in time, which are saved to a cookie. Unless a hacker uses my computer, s/he must be able to enter some personal detail about me (first grade teacher, etc.), in addition to my user ID and password.

    Obviously, at a shared/public computer the personal questions are asked each time and a trust token is not saved. The questions are randomly selected from a set of four to six that were completed with the bank at some point.

    The credit union I have my checking and savings accounts with goes one step further, a step that prevents phishing attacks more than security breaches. On the initial page, I enter my user ID. The page then responds with an icon and a phrase, both of which I have previously selected. If the icon and phrase are those I have selected, I can know the page is legitimate. This step (or two steps, depending on your perspective) is in addition to the trusted relationship with the computer.
    • Not biometric, but better than nothing...

      No, the questions aren't biometric, but they're not part of my credit history and they're better than just a password that can be brute-force cracked.
  • RE: Insight into why Europeans get multi-factor authentication and we don't

    "But in the mean time, my sense has been that American's (sic) can't be bothered with such inconveniences."

    Not exactly a confidence-inspiring statement.

    I was responsible for Internet Strategy for a top-ten bank several years ago (1999-2000) and at the time was investigating the use of key fobs akin to the SecurID solution. Our focus group, albeit small, wasn't a big fan of the devices and understandably so. The devices were designed to be carried on a keychain and were bulky to the point of nuisance. This doesn't mean that Americans don't want multi-factor authentication, just that a more elegant solution was required. Those solutions now exist.

    It is interesting that BioPassword is considered "password hardening" but not multi-factor authentication. True and viable authentication of keypress patterns meets the "who you are" standard and combined with the use of a password ("what you know") is multi-factor.

    As consumers continue to become more security savvy the marketplace will trend toward those offering this product differentiation. Within two years the majority of the top ten banks will be providing end-users the option to utilize multi-factor authentication.
  • Real vs. Hype

    Europeans have taken a lower risk approach. The photo-id and chip on a UBS Visa Card does not inconvenience the users. Stupid number generating dongles do. People with disabilities can't depress keys with any repeatable characteristics.

    There are better ways: To logon to the Swiss BEKBank I must enter userid / password. Then it prompts me for 1 out of 100 security codes, e.g. Enter No.16. To enter that code I need to pull out the credit card size card the bank gave me. It has 00-49 and 50-99, a total of 100 security codes printed on its two sides.

    By contrast Bank of America is weak on authentication but shows me an image which I should recognize, a pretty good attempt at spoof protection. The Royal Bank of Canada detects the absence of a cookie to ask me for the answer to a question which I have formulated myself, something like "name of green half with black top". It's false security because of key loggers.

    From the three, BEKBank is best. It requires two elements, one I must KNOW and one which I must HAVE.
  • An important distinction

    After reading some of the comments to this article I feel that it's important to note that there is a very important distinction to be made.

    Protection from "phishing" (the consumer is lured to a spoofed banking website which then captures account access information) is not the topic of this article.

    This article is speaking to authentication. The inclusion of a user-supplied (or user-selected) image is a tool to help prevent phishing but does not provide any greater authentication strength.

    While both of these are security risks, that is the extent of their relationship.
  • RE: Insight into why Europeans get multi-factor authentication and we don't

    I'm English and my savings account I check in about once a year. I have to enter an account number and then password. Then it asks for a memorable name, place or date. If it asks for the date - I've had it! lol But it is very secure. My current account - I checked today and I have a special account number, passcode and then enter 2 characters on a pull down menu from my password. Today it asked for character 2 and character 3 - it changes every time. I think chip and pin technology is also quite good. It could be more secure though.
  • You want two-factor up until you find you...

    You want two-factor up until you find you have to carry around 10+ different SecurID tokens.

    To make two-factor truly effective in the US, companies would either need to adopt a common approach that would allow users to use a single SecurID token or they'd need to issue smart card-based credit cards with SecurID capabilities.

    I for one would NOT want to have to carry a different token (about the size of an automobile remote control) around for each of my bank/trading/investment/credit card accounts.
  • Chase does something similar. Mexico has it the same as Europe.

    Every time you log into Chase on a different computer, you are sent an activation code via phone, e-mail, something else I never use. Then, you have to type in activation code + password to get in. It's not every time though; I believe it's related to the cookies.

    Also, in Mexico, they issued hardware that gives you an access number every time you press a button. Type in the Username, password, and access number and you're in.
  • Something they can do RIGHT NOW...

    Vanguard and American Chartered do this but I haven't seen ANY other companies do it - It's very straight forward and goes a long way to making strong passwords all that's really needed - two-STAGE authentication.

    First you enter your username, then you are taken to a page with a picture that you have previously chosen. Only then do you enter your password. This is an excellent way to prevent website spoofing. It can be taken a step further by presenting you with 10 random pictures mixed with the one you've previously chosen, and you have to enter your password PLUS pick the right picture.

    Of course, they don't let you upload your own pictures (for obvious and not-so-obvious reasons), so if EVERY company did this and picked their own pictures for you to choose from, that MIGHT start to get hard to remember, so it might be worthwhile for a standards committee to come up with 1000 pictures that all companies should use, so that your picture at BofA is the same as your picture at the IRS.

    This would be hugely better than what we have right now...

    (And Chase has an excellent no-brainer as well that should be virtually required - anytime you sign in with a browser that's missing their cookie, you have to go through an alternate authentication process via text message or automated phone call - it's VERY effective and really not inconvenient in the least.)
    • oh yeah - why are any websites not doing SSL??

      I know running a website with SSL costs a little more money, but why the hell are any websites NOT using SSL for all password entry pages (and frankly, user id pages). This should just be made against the law, and the price of obtaining a certificate should be closely watched to prevent abusers and make sure SSL encryption is readily available - so there's no excuses.

      Likewise, POP3 and SMTP (or any other email retrieval) without SSL should similarly be banned outright. Even your username at your financial institutions or e-commerce sites needs to be protected if we're going to really secure our internet usage.
      • I tend to agree with you, except that...

        I tend to agree with you, except that speeds over SSL are somewhat slower to critically slower. I know sites that use SSL for everything (very common for bug-tracking sites) and speed of refresh is about half to a third of normal.

        Now, the hybrid approach you see at Google (SSL during login, then non-SSL for anything non-critical) is a better solution. Pity they've not also done Yahoo's thing and allowed you to setup a way to prove (to yourself, if nobody else) that the site is the real deal.
        Raymond Danner
  • Stinking Eurocrats

    Polemics triumphs consumer choice in Europe - this is what happens when Eurocrats think they know best. Leave this issue to the banks and the customers to decide.
    • Wow

      Wow, I was just thinking how the responses to this article were really interesting and on point when I came across this. I think Stinky should be off reading the Rush Limbaugh web site or something.