

Test Driving Bank of America’s SafePass

December 5, 2007 at 12:30 am by Ehab Bandar

How secure is secure enough for online banking? With identity theft on the rise, the answer increasingly is that it’s never enough, which explains the rise of two-factor authentication features. These are typically one-time passwords that are generated and displayed to an offline device, usually a mobile phone or fob. Recently, several banks have launched such services, with Bank of America leading the way in the U.S. with its SafePass.

Here’s a quick summary of the service:

Getting Started

To use SafePass, the first thing you do is add SafePass to your account by setting up and enabling your mobile device. It’s interesting to note that they opted to support only mobile devices, and not email, regular phones or even a fob. I can only guess it was done to simplify the initial release, while using a fairly ubiquitous device that people are sure to have by their side.

You start by registering your mobile number by entering it and hitting ‘continue.’

Once you’ve registered your mobile phone, it’s still not usable until you’ve enabled it. You’re then presented with options to enable it now or later. It’s a mystery why the registration is separate from the step to enable it, but on the plus side, so far the process is fairly clear and intuitive.

You’re almost done. Selecting ‘Yes, Enable Now’ takes you to a page with information to ‘Send SafePass Code.’ The module itself requires both Flash and JavaScript to work properly. Selecting ‘Send SafePass Code’ sends an SMS message with the code to your registered mobile number. I received this message in seconds.

You’re then immediately prompted to enter the code you just received on the same screen. If entered correctly, the SafePass module displays a confirmation message.

Putting it to use

OK, now that you’ve enabled the mobile number to use SafePass, you can use it immediately on one of the supported online banking functions. In this example, I used it to add a new Bill Pay payee. Adding a payee displays the normal payee screen, but you now have that familiar SafePass module to send a SafePass Code. The process is identical to the process of enabling your mobile number during the setup process above. The ‘continue’ button is disabled until you correctly enter the one-time code that is sent to your mobile number.

After correctly entering the 6-digit code, you then proceed as normal with adding your payee. Adding another new payee simultaneously in the same session does not require you to send and enter another SafePass Code.
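The sequence the post walks through (send a 6-digit code by SMS, keep the action blocked until the code is entered correctly, then let further sensitive actions in the same session proceed without a new code) maps onto a small server-side step-up flow. The code below is an added illustration of that flow, not Bank of America’s implementation; the 5-minute code lifetime, the 3-attempt limit, the `SmsGateway` stand-in and the `add_payee` function are all assumptions made for the example.

```python
"""Server-side SMS one-time-code step-up, modelled on the flow the post describes.

Added illustration only: not Bank of America's code. Code lifetime, attempt
limit and the SMS gateway stand-in are assumptions for the example.
"""

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

CODE_TTL_SECONDS = 300   # assumed lifetime of a sent code
MAX_ATTEMPTS = 3         # assumed guess limit before the code is thrown away


@dataclass
class PendingCode:
    code: str
    sent_at: float
    attempts: int = 0


@dataclass
class Session:
    user_id: str
    mobile_number: str
    pending: Optional[PendingCode] = None
    step_up_verified: bool = False  # set once a code has been entered correctly


class SmsGateway:
    """Stand-in for the SMS provider; records what would have been sent."""

    def __init__(self) -> None:
        self.outbox: List[Tuple[str, str]] = []

    def send(self, number: str, text: str) -> None:
        self.outbox.append((number, text))


def send_safepass_code(session: Session, gateway: SmsGateway, now: Optional[float] = None) -> bool:
    """Generate a fresh 6-digit code, remember it server-side, send it out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"  # 6 digits, zero-padded, from the CSPRNG
    session.pending = PendingCode(code=code, sent_at=now)
    gateway.send(session.mobile_number, f"Your one-time code is {code}")
    return True


def verify_safepass_code(session: Session, entered: str, now: Optional[float] = None) -> bool:
    """Return True and mark the session verified on a correct, unexpired code."""
    now = time.time() if now is None else now
    pending = session.pending
    if pending is None:
        return False                      # nothing was sent, or the code was already used
    if now - pending.sent_at > CODE_TTL_SECONDS:
        session.pending = None            # expired: caller must request a new code
        return False
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        session.pending = None            # too many guesses: invalidate the code
        return False
    if not hmac.compare_digest(pending.code, entered):  # constant-time comparison
        return False
    session.pending = None                # one-time: the code cannot be replayed
    session.step_up_verified = True       # later actions in this session pass without a new code
    return True


def add_payee(session: Session, payee_name: str, payees: List[str]) -> bool:
    """Sensitive action. The gate is enforced here, on the server, for every caller."""
    if not session.step_up_verified:
        return False                      # UI keeps 'continue' disabled; server refuses regardless
    payees.append(payee_name)
    return True
```

The `step_up_verified` flag on the session is what produces the behaviour the post observes: the second payee added in the same session is accepted without another code. A deployment would normally bound how long that flag stays valid, and the gate in `add_payee` is attached to the action itself rather than to any property of the client that requests it.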

Setting Preferences

In addition to the features required by SafePass, you can change your preferences to require it to sign on to online banking or to use it instead of SiteKey. If you’re not happy with it, or simply don’t want to deal with the extra hassle, you can also remove it completely from your account.

Conclusion

The main idea behind SafePass is to prevent online fraud even if someone hacks into your online banking account. By requiring another authentication method that’s not online (i.e., two-factor authentication), the belief is that it’s a lot harder for a fraudster to have both your login information and cell phone.

Bank of America does a good job of integrating SafePass into the existing online banking experience, while making the overall experience easy to understand and consistent. By creating a standalone SafePass module in Flash, the process to send, check and enter the code is seamlessly integrated into the site without ever adding extra pages. The familiar interface makes the process predictable and smooth across the site. But you do get the feeling that this is a stopgap measure, a pilot of sorts to test the waters before making it required for everyone. One can’t help but wonder whether this would make online banking more or less attractive to users, or whether there’s another method that doesn’t require digging around for a mobile phone to complete a transaction. Here the alternatives are increasing, including biometrics and authentication cards similar to what U.S. Bank announced yesterday, which generate their own one-time passwords. But in the meantime, this approach to two-factor authentication excels in making it harder for fraudsters, while not as hard for the rest of us.


3 Responses to “Test Driving Bank of America’s SafePass”

  1. Keith Royster Says:

    > It’s interesting to note that they opted to support only mobile devices,
    > and not email, regular phones or even a fob. I can only guess it was
    > done to simplify the initial release,

    Email is not “out of band” - meaning that it uses the same channel of communication (i.e. your internet connection) as your login with an ID and password - so it’s not as secure. In other words, if your PC has been compromised to where an attacker can steal your login credentials as you login, then they can probably also steal your email.

    A fob is a great alternative because it also communicates “out of band.” But most people already have a mobile phone, so a fob would be just one more device to have to purchase and replace when lost or broken. I suppose a “text to voice” system could be used for sending these tokens to a “regular phone”, but then you’d be limited to only using the SafePass system when you are at home (or wherever your “regular phone” that you registered with SafePass is located).

    For these reasons, it seems perfectly logical to go with mobile phones over fobs, email, or regular phones.

  2. aann Says:

    I also applaud BofA for their security, and encourage them to keep working at it. The SafePass system is too easy to bypass, though. When someone accesses online banking using a mobile phone instead of a computer, the BofA system detects the difference and doesn’t use SafePass. Or, someone could use a computer pretending to be a mobile phone.

  3. Investblogger Says:

    Greetings,

    I am Nicolas and I am new to this forum. I didn’t find a relevant thread to post this, and my apologies if I posted in the wrong place; please advise the right thread.

    Early last year, I came across information about private investment clubs that are not readily available to the public. The profit percentage that people could receive by investing in such funds seemed shockingly high at first, but as I studied more feedback about them, I joined some too. These days, I consider myself a successful investor. To take my online adventures to the next level, I set up a blog which outlines detailed information about online investing. To see my current picks, follow this URL.

    I would be glad to receive everyone’s feedback.

Banking Unwired is a production of Bandar Interactive.