Why a two-step login?
August 20, 2006 9:15 AM   Subscribe

Why are many financial institutions moving to a two-step login process, where you enter your username on one page and then your password on the next? For instance, Vanguard and ING. Their rationale is just that it's "more secure", but that's not much of a reason.
posted by smackfu to Technology (13 answers total)
I know with Bank of America, the second step includes something they call a site key, which is a graphic that you pick out. The theory being that only BofA knows your site key, so if it's a spoof site, they won't be able to display the site key, and you'll know something's up.
posted by JakeWalker at 9:20 AM on August 20, 2006

It's likely to get the laggards to adopt the technology or to improve the trialability of online banking for laggards. In Diffusion of Innovations theory, the laggards need extra support when adopting tech because they tend to try stuff and drop it.
posted by acoutu at 9:31 AM on August 20, 2006

Bank of America's Here's how SiteKey works. Some concerns about the security measure, and a proposed improvement.
posted by kirkaracha at 9:33 AM on August 20, 2006

yeah the credit unions started rolling this out about 9 months ago or so. or at least mine did. INGs is pretty interesting as they also take the step of scrambling your pin every time, using graphics to create the mapping between letters and numbers.

what was sad is that it wouldnt let me use "profanity" as part of my welcome phrase, so i had to employ some creative spelling.
posted by joeblough at 10:14 AM on August 20, 2006

Okay, so SiteKey maybe, but for instance HSBC just introduced a two-step login process, where the first page is just your username, and step-two is just your password.

what's the deal with that?
posted by misterbrandt at 10:26 AM on August 20, 2006

I don't really know, but I could imagine that it not only makes the bank feel more secure, but more importantly, it makes the (average) customer feel more secure.
posted by Harry at 11:10 AM on August 20, 2006

When I had to call BOA because it kept locking me out, the rep said they were doing it in response to new legislation. I don't know if that's true or not. A quick google search didn't turn up anything to support it, but I didn't look very hard.

Vanguard started out with just splitting up the user name and password into a two page process, but now they've incorporated an image like BOA, so it may just be that the others are slowly trying to move you to what will ultimately be the login process.
posted by willnot at 11:22 AM on August 20, 2006

I hate this with a passion I don't know the exact wording for my high school... so i have no idea how to log into ING now... i went to a high school with 5 different names... so now I'm going to have to call ING...
posted by matimer at 11:24 AM on August 20, 2006

Really? Being more secure isn't much of a reason?

Tell that to all the people who fall for really impressive phishing scams every day and wind up losing everything.

There isn't a day that goes by where we don't have to shut a site down because we get reports of phishing scams. Most days we have to do a couple or more. It is getting worse all the time.

I'm not sure if the two step process is in response to phishing or not, but if it is, cool. It's a relatively minor inconvenience, no?
posted by FlamingBore at 11:37 AM on August 20, 2006

Best answer: From this article:

"In October 2005, the Federal Financial Institutions Examination Council issued guidelines urging U.S. financial institutions to implement stronger, two-factor authentication practices before the end of 2006, . . . "

From my personal experience working in banking, two-factor is apparently a near-requirement -- I know as the article said it was "recommended" but it may have been codified into a reg and I just don't know which one. I know our IT guys at my last job were telling me that it was a requirement to have this in place by a certain time, though.

Different banks are doing it differently. Personally, I don't think that BOA's measure is very strong, because really all it proves to you is that you correctly typed the URL. ING's two-factor is much more strong, with the added bonus of being able to click in the PIN rather than type it (escapes key-loggers). I think BOA's would be stronger if it presented you with three pictures and you then had to choose the CORRECT one.

I read an article probably a few years ago where a Swedish (?) bank had you set up your user ID and password, and they gave you a scratch off card with a bunch of different passcodes. You had to provide the user ID and password YOU set up, and then scratch off the next code to log into online banking. If you lost the scratch card, you just called in and they would deactivate all of the numbers on that card. If you log in via VPN with one of those little key-fobs that generates random numbers, you get the idea.

Anyway, it's basically to cut down on people's online accounts getting hijacked. Interestingly, I think that it's really just, for lack of a better term, a placebo, considering that most of the time when we had "unauthorized" access to accounts, it was an estranged spouse who knew all of the customer's information anyway. There really aren't enough "secret questions" to keep that from happening. The irony to me is that if you use online banking you are roughly one zillion times more likely to catch ID theft or the theft of checks/check cards because you have access to your account information at all times. Online banking, almost by definition, makes you more secure.
posted by Medieval Maven at 11:39 AM on August 20, 2006

For what it's worth, my bank has also issued me one of those RSA SecurID random number generators (this), which has a number that changes every 60 seconds. Whenever I login, I have to enter my username, password and the key currently displayed.

It's pretty cool. :-)
posted by PuGZ at 1:27 PM on August 20, 2006

Surely, at least in part, it is to prevent you using automatic login programs such as Roboform or the Firefox password thing, which can be hijacked or, at least, be seen by hackeers. I used to use the FF thing for Vanguard but now have to remembr my password.
posted by TheRaven at 1:38 PM on August 20, 2006

I think one of the *other* things it prevents is that, and also what some banks refer to as aggregation -- you give the one bank your login credentials and they go out, scrape the other site, and return the results to your login at X-so-whateverbank.com. But the Regulatory requirement would be consumer-protection driven.
posted by Medieval Maven at 2:43 PM on August 20, 2006

« Older Squirrel diggers   |   How do I limit my salivation? Newer »
This thread is closed to new comments.