
Two-factor authentication

Why, you may reasonably ask, is this arcane bit of computer jargon popping up here? Agreed, it’s never going to trip lightly off the lips of your neighbourhood bank teller, but it refers to a trend in banking that’s likely to affect all of us, even if we never come to know it by that name.

The problem is that of security, or rather the insecurity of the usual form of security, passwords. Everybody knows they’re bad at their job: people forget them or create ones too easy to guess, mislay them, write them down where somebody unauthorised can read them, or can be all too easily persuaded to give them over the phone to a conman with a plausible line of patter. Online, matters are even worse. Banks spend huge amounts of effort trying to stem the flood of phishing sites that pretend to be the real thing so that they can grab your log-in details and plunder your accounts.

So the quest has been on to improve online security in a way that works and which won’t be too much trouble to use. The basic idea is to add a second level of protection to the password — so two factors of authentication. Methods like this are now widespread, summed up by the phrase “Something you have and something you know.” In a store, the something you have is your credit card, while the something you know is your PIN.

Online, the something you know (your password) is easy to implement, but the other level of authentication (the credit card or another physical token) is not. Practicality rules out methods like retinal or fingerprint scans, so the current focus is on a little electronic device that does the job for you. You plug in your card and enter your PIN. The device issues you with a time-sensitive code (in the jargon, a one-time password) that you must type in to gain access.

The term two-factor authentication has been around since the early 1990s and appears widely in technical documents, though it’s still rare in general media. (There’s also multi-layer authentication as a broader term.) The devices are common in businesses, for example to give employees access to secure office systems while on the road. They are now beginning to be made available to bank customers. Security experts warn, however, that they won’t stop every kind of attack and may indeed be most useful by building awareness among customers of the need for security.

Banks realise that two-factor authentication is an off-putting term and those in Britain who are to introduce the scheme in 2007 have invented “chip and pin at home” as a more easily understandable alternative.

Barclays said last year that it would offer two-factor authentication via card readers to all of its two million banking customers.

Computer Weekly, 24 Apr. 2007

Most of Britain’s top banks — except HSBC and First Direct — are due to send out millions of “chip and pin at home” gadgets to customers who bank online, as an extra defence in the anti-fraud battle.

Guardian, 12 May 2007


Copyright © Michael Quinion, 1996–. All rights reserved.

Page created 05 May 2007; Last updated 19 May 2007