Two-factor authentication, also known as 2FA, two-step verification or TFA, is an extra layer of security, a form of what is known as “multi-factor authentication”, that requires not only a username and password but also something that only that user has: a piece of information only they should know, or an item only they should have immediately to hand, such as a physical token. Combining a username and password with something only the user knows or possesses makes it harder for a potential intruder to gain access and steal that person’s personal data or identity.
Historically, two-factor authentication is not a new concept, but its use has become far more prevalent in the digital age we now live in. As recently as February 2011 Google announced two-factor authentication online for its users, followed by MSN and Yahoo. Many people probably do not know that this type of security process is called two-factor authentication and likely do not even think about it when using the hardware token issued by their bank together with their card and a Personal Identification Number to complete Internet banking transactions.
Using a two-factor authentication process can help to lower the number of cases of identity theft on the Internet, as well as phishing via email, because the criminal would need more than just the user’s name and password. The downside of this security process is that new hardware tokens (in the form of key fobs or card readers) need to be ordered and then issued, which can cause delays and problems for a bank’s customers waiting to gain access to their own private data through this authentication procedure. The tokens are also usually small and easily lost, causing further problems for everyone when customers call in requesting new ones.
Some banks resolve this problem with two-factor authentication by utilising mobile phone SMS technology. Because mobile phones are already in use, turning the phone into the authentication device removes the need for, and the additional cost and delay of, sending out hardware tokens. Using two-factor authentication without tokens is called tokenless authentication. This type of authentication can be considered quicker and cheaper to set up and maintain across many networks.
Why 2FA is Essential for Financial Transactions
For reasons of cost, complexity, reliability and privacy, biometrics are not widely used in banking. There is, however, a wide variety of low-cost, dependable security devices available. Typically, such devices generate and display a one-time password (OTP). As the name suggests, an OTP is valid for a single use only, and many are also time-limited. Rather than being static, OTPs are dynamic: new OTPs can be generated on demand from an inexhaustible sequence that is unique to each device. The customer copies the OTP from the device to the web terminal. To the bank, knowledge of a valid OTP demonstrates proof of possession of the device, and when coupled with a traditional static password it offers an extremely effective defense against online attacks.
2FA for Card Not Present Transactions
Card not present (CNP) refers to a purchase a consumer makes without physically presenting his or her credit or debit card at the time of purchase. CNP transactions often occur online and are conducted by consumers without the in-store credit or debit card swipe. To complete an online CNP transaction, you have to enter an additional factor of authentication. The additional factor is usually your password, your personal identification number, or a one-time password sent to you by SMS. Only after you enter one of these will the transaction go through. To make the card check-out process more convenient, banks are allowed to do away with the additional factor of authentication for online card-not-present transactions of very low value.
Does the regulator make 2FA mandatory for CNP transactions?
With the increasing use of credit and debit cards, the central bank is concerned about 2FA for CNP transactions. It is imperative to enhance the security of online card-based transactions and, with a view to protecting the interests of all concerned, the central bank has decided that card-issuing banks will establish a system of providing additional authentication/validation (two-factor authentication), based on information not visible on the card, for all online CNP transactions. In addition, banks need to introduce a system of ‘online alerts’ (e.g. SMS alerts) to cardholders for all CNP transactions of Tk. 5,000 and above.