Saturday, October 22, 2005

Banks to require 2-factor authentication

By the end of 2006, the FFIEC will require banks to adopt 2-factor authentication for Internet customers. Quoting from the article:

BOSTON - Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.

Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.

See this Yahoo News story. Also the FFIEC report.

Two-factor authentication will make phishing attacks much harder: wheedling the password or PIN out of a victim will no longer be enough, since the thief would also have to steal (or "borrow") the victim's authenticator. A password captured by a Trojan horse program (keystroke logger or screen-scraper) would at best grant the thief one chance to log in as the user, because the one-time code captured alongside it is good for a single use.
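To make the "one chance to log in" point concrete, here is an added example (not from the original post) of a counter-based one-time code in the style of RFC 4226 HOTP, with a server that consumes each code on use. The bank class, the `hunter2` password and the look-ahead window are assumptions for the demo; the secret is the RFC 4226 test-vector key, not a real credential.

```python
import hmac
import hashlib

# Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
SHARED_SECRET = b"12345678901234567890"
LOOK_AHEAD = 5  # assumed resync window: how far the server searches if the user skipped codes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    msg = counter.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class BankLogin:
    """Hypothetical server side: password check plus a one-time code that dies once accepted."""

    def __init__(self, password: str, secret: bytes):
        self._password = password
        self._secret = secret
        self._next_counter = 0  # every counter below this has been used or skipped

    def login(self, password: str, code: str) -> bool:
        if not hmac.compare_digest(password, self._password):
            return False
        for c in range(self._next_counter, self._next_counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next_counter = c + 1  # burn this counter and any it skipped over
                return True
        return False


def replay_demo() -> dict:
    """Legitimate login with a fresh code, then a keylogger-style replay of the same capture."""
    bank = BankLogin("hunter2", SHARED_SECRET)
    token_counter = 0  # state kept inside the customer's hardware token
    code = hotp(SHARED_SECRET, token_counter)
    first = bank.login("hunter2", code)          # customer logs in: accepted
    replay = bank.login("hunter2", code)         # captured password+code sent again: rejected
    wrong_pw = bank.login("letmein", hotp(SHARED_SECRET, token_counter + 1))
    return {"first": first, "replay": replay, "wrong_password": wrong_pw}
```

A captured code that the customer has not yet submitted would still be accepted exactly once, which is why the post's man-in-the-middle caveat below still applies.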

The letter is drafted broadly enough to leave a bank some wiggle room to get away without two-factor authentication. It calls for a risk analysis, with high-risk transactions specifically singled out as requiring something better than today's single-factor authentication. Would "high risk" apply to a typical consumer online banking transaction?

Lastly, this applies only to online banking; online retail purchases and other non-banking transactions would not be covered. Even with two-factor authentication there are still opportunities for theft. Man-in-the-middle attacks remain possible, and crooks could compromise the security tokens, either by reverse engineering them or by fraudulently obtaining cards in the name of bank customers (through social engineering, etc.). Tokens designed according to good cryptographic practice should resist reverse engineering, but the track record of commercial cryptography suggests exploitable flaws are likely.

Note that the UK bank Lloyds TSB is experimenting with token-based authentication, per this Computerworld article.