HSBC Moving in a Different Direction on AuthN
Steve Gold has an interesting post about HSBC abandoning card-based two-factor authentication and transitioning to out-of-band means via a pre-registered cell phone or land line:

According to HSBC, although two-factor technology is quite good, if the security of a user's PC is compromised, inserting a one-time PIN generated by a two-factor authentication device into that PC isn't going to help the security of the e-banking session.
Which, though revolutionary, is quite a logical stance - hats off to HSBC for thinking this one through.
The bank has announced it is planning to move its customer base over to a one-time PIN callback system - across designated landlines or mobiles - over the next couple of years.
This is a very good point. No matter how good a two-factor authentication scheme is, if you have to submit your second-factor credentials through the same browser as your password, you remain vulnerable to man-in-the-middle (MITM) and malware attacks: whatever controls the browser sees the one-time PIN along with everything else you type.
Given that a PIN callback system also has the advantage of not requiring any client-side hardware (other than the phone, which the user has anyway), this could really start a new trend.
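To illustrate the point above, here is an added toy model (not code from the original post, and not a description of HSBC's actual system): a compromised browser channel rewrites the payee of a transfer, the in-band card-reader OTP still validates because it says nothing about the transaction, while the phone callback reads back the transaction the bank actually received so the user can refuse it. The `Bank`, `browser` and `token_otp` names, the seed and the attacker account are all constructed assumptions, as is the binding of the callback PIN to the transaction details.

```python
import hashlib
import hmac
import secrets

SEED = b"constructed-token-seed"  # constructed shared secret: bank <-> card reader

def token_otp(counter: int) -> str:
    """Card-reader style OTP: tied to a counter, not to the transaction."""
    mac = hmac.new(SEED, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

def browser(request: dict) -> dict:
    """Compromised browser channel: malware rewrites the payee (constructed attacker account)."""
    return {**request, "payee": "attacker-acct"} if "payee" in request else dict(request)

class Bank:
    def __init__(self):
        self.ledger = []   # completed transfers: (payee, amount)
        self.pending = {}  # callback PIN -> (payee, amount) the bank actually received

    def inband_transfer(self, request: dict, counter: int) -> bool:
        # Password, OTP and transaction all arrive over the same browser channel.
        if hmac.compare_digest(request["otp"], token_otp(counter)):
            self.ledger.append((request["payee"], request["amount"]))
            return True
        return False

    def start_callback(self, request: dict) -> tuple:
        # Out-of-band: the bank phones the registered number and reads back the transaction it received plus a PIN (assumed binding).
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[pin] = (request["payee"], request["amount"])
        return request["payee"], request["amount"], pin

    def confirm_callback(self, pin: str) -> bool:
        details = self.pending.pop(pin, None)
        if details is not None:
            self.ledger.append(details)
        return details is not None

def run_inband(intended: dict) -> list:
    bank = Bank()
    bank.inband_transfer(browser({**intended, "otp": token_otp(1)}), 1)  # OTP typed into browser
    return bank.ledger  # malware's payee gets paid: the OTP said nothing about the payee

def run_out_of_band(intended: dict) -> list:
    bank = Bank()
    payee, amount, pin = bank.start_callback(browser(intended))  # phone call, not via browser
    if (payee, amount) == (intended["payee"], intended["amount"]):  # user checks the read-back
        bank.confirm_callback(browser({"pin": pin})["pin"])
    return bank.ledger  # mismatch heard on the phone, nothing confirmed
```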