None of us is a stranger to two-factor authentication — we've been using it for years in one form or another already.
Every time we use a cash machine we prove who we are using two things: our debit card (something we have), and our PIN (something we know). And so it has been frustrating for many to watch UK banks singularly fail to grasp the concept for online banking.
Lloyds TSB should therefore be congratulated for leading the charge. Even if it is a little late out of the gates, it follows close on the heels of eBay's decision to distribute a million tokens to its users, and as such indicates that we have clearly reached a watershed.
Not only should any financial services company now be preparing to introduce two-factor authentication for online transactions as they are for offline, but they should expect that their customers will shortly demand it.
In the offline world, Chip and PIN means that customers are now coming to terms with the fact that they will indeed have to remember a PIN if they are to use their credit cards, rather than just remember how to sign their name.
But it would be a mistake to be lulled into a false sense of security by two-factor authentication. For instance, it is still vulnerable to man-in-the-middle phishing attacks: a one-time code that the customer types into a convincing fake site can be relayed to the real bank while it is still valid. Proper use of server- and client-side certificates can cut down on how much spoofing can be done. If the banks issued client-side certificates for browsers and never accepted a connection from a client without one, things would be more secure still, since an intermediary would hold neither the customer's certificate nor its private key. The trouble with this is that it adds an additional step to the process, and you would need to do it for each computer you wanted to use for your online banking.
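The client-certificate policy described above, as an added Go example that is not code from the original article: a TLS server that refuses any peer unable to present a certificate it trusts, exercised over loopback. The name bank.example and the in-memory certificates are constructed for the example and stand in for a real bank's PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed certificate (constructed for this example, not a
// real bank PKI) plus a pool in which that certificate is the only trust anchor.
func selfSigned(name string) ([]tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}}, pool
}

// MutualHandshake performs one TLS handshake over loopback against a server set up as the text
// proposes (a peer without a trusted client certificate is refused) and returns the server's verdict.
func MutualHandshake(trustedClients *x509.CertPool, clientCerts []tls.Certificate) error {
	serverCerts, serverPool := selfSigned("bank.example")
	serverCfg := &tls.Config{Certificates: serverCerts, SessionTicketsDisabled: true,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustedClients} // no cert, no session
	clientCfg := &tls.Config{Certificates: clientCerts, RootCAs: serverPool, ServerName: "bank.example"}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the connecting party: a customer with their key, or a relay without it
		if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			conn.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	srv := tls.Server(raw, serverCfg)
	defer srv.Close()
	return srv.Handshake()
}
```

The server's verdict is the one to check: in TLS 1.3 the client's own handshake call returns before it hears the rejection.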
Some banks have tried this in the past, but no longer do so. We can guess the reasons: more support calls pushing up costs. There is also a convenience trade-off, because users are confined to using one machine for their banking. And if there is one thing that customers like, it is convenience. Client-side certificates arguably tipped the balance too far; tokens are likely to get it about right. Two-factor authentication will help in the online world, but even this is not the final answer. We all just need to remember that not even in the real world is anything ever totally secure.