National Australia Bank is confident that it has the
tools it needs to leapfrog rivals by adopting three-factor
authentication, adding an extra means of security to the normal
two factors most Australian banks offer customers to secure their

Two-factor authentication improves on passwords by insisting
that customers logging on to websites use something they know —
their password — and something they have, usually a one-time
password that users are sent by SMS. Another common source of
one-time passwords is a "token", a small, electronic
password-generating device that uses a pre-determined algorithm to
generate codes unique to particular sites or services.

be as simple as a small screen that displays an ever-changing
sequence of numbers. Other tokens offer a keypad, so that users can
enter a passphrase before one-time passwords are displayed. This
kind of paranoia is common in the world of tokens, as typified by
token pioneer RSA's offering of a token (since discontinued) with a
battery made of mercury, a precaution that deprived the device of
the electricity needed to function if hackers attempted to open the

The bank told ZDNet.com.au that 75 per cent of personal
banking transactions, by value, were now protected by one-time
passwords delivered by SMS. NAB added that it planned to insist
that business banking customers use two-factor authentication for
some transactions. "Customers will be required to use 2FA to
perform transaction above certain limit thresholds," a spokesperson said.

The bank is also considering the introduction of a third
authentication factor, in the form of voiceprints. NAB introduced
voice authentication to its call centres in June 2009, with the
technology being used to identify callers to its phone banking
systems as a way to improve the customer experience while also
guarding against identity fraud.

A NAB spokesperson said the infrastructure in place for
that solution "... could be leveraged to provide a 3FA solution for
internet banking, including an improved customer experience for

NAB's interest in adding the third authentication factor is
likely driven by its good experiences with two-factor

"The NAB SMS security and token-based solutions have proven
effective in reducing the fraud risk and giving our customers the
ability to bank online with confidence," the bank's spokesperson

Two-factor authentication has long been a favourite of the industry,
which values it as a way to improve security of virtual private
networks and other facilities providing access to sensitive

Banks value the technology as a way to make it harder for
criminals to access bank accounts with a password alone, a common
exploit enabled by social engineering attacks such as phishing.
Banks also use two-factor authentication to verify individual
transactions, with the one-time password used to verify that the
person initiating a transaction is aware it is taking place.
Legitimate customers in possession of a one-time password therefore
authenticate themselves in real time before transactions such as
large transfers from their accounts, a tactic that makes it harder
for criminals to conduct fraudulent transactions.

Australia's four big banks all offer two-factor authentication,
with NAB launching SMS-based two-factor authentication for personal
internet banking customers in 2005. The bank has since added, and
mandated, token-based authentication for customers of its online
business banking service.