War of the tokens

Are hardware tokens losing favor to other emerging two-factor authentication technologies? ZDNet Asia finds out.

The pocket-sized hardware token--popular among banks as a second layer of authentication for Internet banking--may be giving way to the ubiquitous mobile phone.

What's prompting this move toward newer forms of two-factor authentication (2FA)? The customer.

[Image: hardware token] Is the hardware token giving way to new forms of authentication?

Although most of the banks ZDNet Asia spoke to offer hardware tokens, some have also introduced SMS authentication, either as an alternative or as the only option. OCBC has gone further: it is the only bank in Singapore to offer three choices, a hardware token, SMS, or software-based authentication on the mobile phone.

Patrick Chew, head of delivery for OCBC Consumer Financial Services, told ZDNet Asia that the decision to let customers choose among three tokens has proven to be the right one, although it was not an easy one to make.

Recounting the early days in the decision-making process, Chew said the bank surveyed its customers and looked at how other banks implemented 2FA. "On the one hand, many banks were issuing hardware tokens and there was a strong tendency to follow the herd. On the other hand, we wanted to make sure we meet the needs of our customers," he said.

Although the pocket-sized hardware token is popular with banks for 2FA, Chew said, it is not the preferred choice of most of OCBC's customers. SMS authentication topped the bank's customer survey, he said. "The hardware token came in a far second--not a close second--affirming OCBC's belief that customers don't want to carry another device in their pockets."

Chew acknowledged potential issues such as lost messages and unexpected delays when the mobile network is congested, for example during festive seasons or when a customer is overseas, but said the portability and ease of use of SMS make it the preferred choice for many.

SMS, which requires little training, especially in Asia where the number of text messages sent continues to skyrocket, is also the preferred method at Citibank.

Vibha Coburn, director of Citibank Online in Singapore, said: "We selected SMS as the primary delivery medium for the One-Time-Password (OTP) as most Singaporeans use mobile phones. It is straightforward, flexible and convenient, as customers will not need to carry an additional device to be able to bank online.

"Most customers prefer the SMS function, citing portability and convenience as the main reasons," he added. "About 20 percent of our customers have opted for the [hardware token]."

The same goes for Citibank customers in Hong Kong. Maggie Yung, country marketing director for Citibank Global Consumer Group, told ZDNet Asia that with mobile phone penetration in Hong Kong at 125 percent, "the bank believes that SMS is convenient and secure".

Confidence in SMS has also got Standard Chartered standardizing on the authentication mode across all geographies. "SMS-based authentication has been adopted as the bank's global 2FA solution," said Shee Tse Koon, chief information officer, Standard Chartered Bank, Singapore.

He added: "The bank engaged an international SMS aggregator that has direct linkages with all local telcos for our SMS authentication service, in anticipation of this global rollout."

Following the phased approach stipulated by the Monetary Authority of Singapore (MAS), Standard Chartered has migrated more than 50 percent of its Internet banking customers in the island-state to 2FA, Shee said, and is on track to extend this to 90 percent by the end of June 2007. The remaining 10 percent will be migrated in phases by year-end, he said, adding that more than 150,000 passwords per month have been sent out via SMS since the service was made available.

A newer form of 2FA, offered by OCBC Bank, is a software application that is downloaded onto a mobile phone, turning the phone itself into an authentication device. The Internet banking customer installs the software on the phone once, after which the same phone generates a One-Time-Password each time the customer wants to access his Internet banking account.

Chew explained: "The mobile phone is an innovative, new form of token. We expect that it'll take some time for customers to get used to this, but I'm confident that with the mobile phone as a ubiquitous device that customers carry around with them, generating 2FA via the mobile phone will be the norm in the future."

One advantage this method has over hardware tokens is that customers do not have to pay a replacement fee if they lose the device. Chew said that while OCBC customers have to pay for a replacement hardware token, those who opted for the software token simply download the application, which is offered free of charge, onto their new mobile phone.

How they stack up

Hardware token
Banks offering this: ABN Amro, China Construction Bank, Citibank Singapore, DBS, HSBC, OCBC, UBS, UOB
Pros:
- Has been around longer
- Not dependent on the mobile phone operator network
- Does not require any downloads or setup
Cons:
- Inconvenience due to "necklace syndrome": customers with Internet banking accounts at several institutions have to carry several tokens
- Higher implementation costs. Experts estimate the recurring cost of hardware tokens at around S$40 (US$24.50) to S$60 (US$36.74) per user per year, compared with under S$10 (US$6.12) per user per year for software-based tokens
- Customer has to pay a replacement fee if it is lost
- Not tamper-proof

SMS authentication
Banks offering this: Citibank Singapore and Hong Kong, OCBC, Standard Chartered, UOB
Pros:
- Mobile phone is ubiquitous
- People in Asia are familiar with SMS
- Requires no training
Cons:
- Dependent on the mobile operator network
- Potential issues such as lost messages and unexpected delays during festive seasons or when the customer is overseas
- Mobile phone can be lost as easily as a hardware token, although a customer is more likely to notice a missing phone than a missing token

Software token for mobile phone
Banks offering this: OCBC Singapore
Pros:
- Mobile phone is ubiquitous
- No replacement fee; the customer simply downloads the software application onto the new phone
Cons:
- Dependent on the mobile operator network
- Mobile phone can be lost as easily as a hardware token, although a customer is more likely to notice a missing phone than a missing token
- Still very new, and customers are less familiar with the process than with SMS

Digital certificate
Banks offering this: China Construction Bank, UBS
Pros:
- No need to carry a physical device
- Bank can set the certificate renewal interval, currently 12 months, says UBS
Cons:
- Requires the setup of an internal PKI (public key infrastructure) system