3FA not priority for Asian banks, regulators
Regulators and financial institutions in the region are still working to ensure two-factor authentication (2FA) is implemented well, and are unlikely to adopt an additional authentication layer for banking customers yet, says an industry analyst.
Shawn Yip, Asia-Pacific market analyst for IDC's Financial Insights, told ZDNet Asia 2FA has only "recently" been mandated in some countries and "may still be more of a best practice than regulation".
From a regulatory point of view, there does not seem to be a significant push for three-factor authentication (3FA), he said in an e-mail interview.
"Before attempting to impose additional regulatory burden, the authorities would first consider the success of existing form factors currently in place to authenticate transactions, while engaging the banks and their service providers in industry consultations," said Yip. "Of course, they may also take the lead from a proven 3FA success story with a compelling business case."
Two-factor authentication typically requires online banking users to submit a static password, followed by a one-time password (OTP) that is generated by hardware or software tokens, or sent as a SMS from their bank. Within the region, countries such as Hong Kong and Singapore mandate 2FA for data-sensitive transactions, such as third-party fund transfers. In Singapore, 2FA is also required for log-in to online banking accounts.
In an e-mail, a spokesperson from the Hong Kong Monetary Authority (HKMA) said the regulator recognizes that the OTP needs to be adequately protected for the continued effectiveness of 2FA. As such, it issued in July a circular requiring institutions under its purview to implement a number of security measures to guard against Internet banking fraud.
"We believe the measures taken so far are effective," the spokesperson noted. "Nevertheless, the HKMA will closely monitor the trend of fraudulent techniques, and also continue to work with the Hong Kong Police Force and the banking industry to enhance the ongoing customer education program, and further strengthen Internet banking security precautionary measures as appropriate."
ZDNet Asia's sister site ZDNet Australia last month reported that the National Australia Bank was considering implementing 3FA. The bank, which currently uses SMS as a second authentication layer for some transactions, said it was looking at voiceprints as a potential third layer.
According to Yip, NAB appears to be leveraging existing call center investments in speech or voice recognition. He added that banks with the necessary infrastructure investments in place would find it easier to exercise the shift toward 3FA.
The IDC analyst explained that banks in Singapore and the region were unlikely to place 3FA high on their priority list. Instead, they will likely focus on resolving "lingering issues with existing 2FA" rollouts, such as customer dissatisfaction over the inconvenience of physical tokens.
In addition, it was also "difficult to quantify the benefits specific to adding an additional layer of authentication", other than intangible ones such as customer peace of mind, he noted.
Banks ZDNet Asia contacted were unable to share their plans on 3FA implementation, though these banks indicated they would monitor needs and adhere to industry practices.
Rajesh Yohannan, Asia-Pacific head of e-business at Citibank, said in an e-mail that authentication of identity for online transactions "is a fine balance" between ensuring security and making it convenient for customers to adopt.
"Citi already has dual-factor authentication in place that is sufficiently robust for proper customer identification and verification of transactions," Yohannan said. "However, we continue to monitor and evaluate alternative authentication methods including biometrics solutions for our future needs."
A spokesperson from local banking group UOB said in an e-mail: "We are always looking for ways to protect customers online. That said, the level of security we provide must be appropriate and aligned with local conditions."
Standard Chartered Bank also said it would "continue to move in tandem with changes in the industry and implement industry practices".
According to a spokesperson from the Monetary Authority of Singapore (MAS), biometrics are "not a panacea with omnipotent effectiveness" even though they can prove to be convenient and effective security tools for some systems. Particularly with large-scale deployments, she noted, it is important to first understand where biometrics do and where they do not work.
"Biometrics are hard to forge but they are not secrets. When used intelligently with other authentication factors, such as PINs and OTPs, they would enhance the security of financial services systems either as two-factor or three-factor authentication solutions," she explained in an e-mail interview.
Technology risk management guidelines, outlined by the MAS, for the banking, securities and insurance industries "envisage different permutations of three authentication factors--what you know, what you have and who you are--to strengthen the security of systems in the financial sector", she noted. "We also encourage financial institutions to constantly assess the viability and applicability of biometric solutions."