The approach undertaken by BIS/FSIC in developing this report on two-factor authentication was to research academic resources, websites, and vendors, with particular reference to large-scale implementations. In addition, we paid special attention to the financial/online banking industry and classified our findings into simple, easy-to-understand sections. One aim of our research was to develop analysis options that aid the selection of an inexpensive, distributed model, and to provide information on each secondary authentication type, together with cost estimates where available for each method. This analysis was enriched by highlighting each method's degree of susceptibility to the primary attack vectors experienced within the industry.
Based on our communications with xxxxxxxxx, we devoted time to reviewing industry practice within online banking in order to determine the authentication procedures commonly deployed by other financial institutions. This involved establishing whether other institutions were using single-factor and/or multi-factor authentication for their online services. Our research into current online banking practice produced three findings. Firstly, some financial institutions used single-factor authentication only ("Something You Know"), such as an online ID and password. Some of these institutions also used several instances of the same factor (what BIS/FSIC term "multi-layered"), such as an online ID and password plus a challenge/response question; this remains single-factor authentication, since every credential is still something the user knows, and a second layer of the same factor does not add a second factor. Secondly, some financial institutions provided single-factor authentication when logging in and the option of two-factor authentication ("Something You Know" and "Something You Have") when making payments online, such as an online ID and password plus out-of-band authentication. Finally, other financial institutions mandated two-factor authentication both when logging in and again when making an online payment to a new payee, via a smart card reader.