Asia's banks split on SMS authentication

Texting may be convenient and less costly to implement, but it doesn't have the unanimous vote of the industry for effective two-factor authentication.

There are issues with using short message service (SMS) as a second authentication factor in Internet banking transactions, and banks in the region are split on using it to generate one-time passwords (OTPs).

Abhishek Kumar, a market analyst at Financial Insights, told ZDNet Asia in a phone interview that one pressing concern is that the banks have to rely on third parties--mobile operators--to provide the security feature. This means not only that the "bank has to set up a relationship with each of the telcos", but also that the bank is dependent on their network capabilities, he explained.

"During peak periods there's definitely a delay and people in general don't want to be kept waiting [for the OTPs]," said Abhishek, adding that in some cases, the OTPs may have expired by the time users receive them.

Another concern for banks and customers, he noted, is that of network coverage overseas. Users who are traveling in other countries may not be able to perform transactions because their mobile phones are not compatible with the cell phone networks in a particular country.

Over in Hong Kong, the Bank of America (Asia) uses SMS to push out alerts to customers, but not for banking transactions or authentication, according to its CIO and senior vice president Michael Leung. "We use SMS for a large number of 'just-in-time' financial and lifestyle alert services, but do not consider it appropriate for dual-factor authentication purposes due to well-known issues such as lost transmission and unexpected delay," he said.

The bank, Leung added, provides a choice of HK Post eCert or OTP tokens manufactured by RSA to retail customers for free.

Hong Kong mandated the use of dual-factor authentication for high-risk retail Internet banking transactions last year. In Singapore, the Monetary Authority of Singapore has strongly recommended that banks in the island-state implement two-factor authentication at login for all Internet banking systems by December 2006.

DBS, the largest banking group in Singapore, aims to begin issuing hardware tokens that generate an OTP to its Internet banking client base by the end of the month, and expects to convert all 901,000 users by the end of June 2007.

The bank currently requires its online banking customers to use OTPs generated by SMS to perform transactions such as adding a payee to enable the transfer of funds. When dual-factor authentication comes into play at the end of the year, the SMS-generated OTP will continue to be used, although DBS is assessing if the additional level of authentication will be required.

Said Pearlyn Phau, head of the Internet banking unit at DBS: "We are still reviewing if it is essential to have this third level of security."

Financial Insights' Abhishek believes that the bank will discontinue the use of SMS when it has fully implemented the tokens.

Some favor SMS

While SMS is not a viable channel for a second authentication factor in online banking systems for some banks, it is still favored for its convenience and low cost.

The Oversea-Chinese Banking Corporation will use SMS as one of three channels to deliver OTPs to customers for two-factor authentication. The other two options that generate passwords are hardware tokens and software downloaded to customers' mobile phones.

According to Financial Insights' Abhishek, the Public Bank Berhad will introduce a public bank authentication code from Nov. 15 for performing online third-party transactions and updating personal details. The code, when delivered via SMS, will be valid for 30 minutes.

Ant Allan, research vice president at Gartner, added that the SMS implementation is also widely used in Australia and New Zealand, as well as parts of Europe. SMS may be a popular choice as online banking customers are not required to carry an additional gadget.

"The biggest advantage for the organization is the reduced cost; no capital cost on user or network transaction cost [in terms of] pay-per-delivery of those messages," he said.

Allan added that with the slant towards legislation of two-factor authentication in countries such as Australia, Hong Kong and Singapore, banks will still seriously consider SMS as a channel to deliver OTPs.

"We think that if you have to [implement the additional authentication factor], it's sensible to look at a lower-cost solution," he noted. "If you use it properly you can mitigate the risks properly."