Lootman wrote: You seem to assume that security is the only issue here. But it's also about usability.
So any method that involves my mobile phone may not work at all if I can't get a signal or am out of the country. But we know something to my laptop via the internet will work because that is how I am accessing their site in the first place.
The optimal solution is one that is secure but also practical. All one and none of the other misses the point.
You are right in pointing out that this is a security versus usability trade off.
Good security is underpinned by multiple factor authentication.
The strongest systems involve 3 factors:
- something you know
- something you have
- something you are.
We are still in early days for something you are: fingerprint/iris scan systems etc. Witness the number of false reads on phone fingerprint systems (and that is not telling the really interesting stat which is the probability of a false positive).
The bank where I have my current account seems to have a good trade off for on-line banking. It requires 2FA, but gives you a choice of whether you use a card reader to create an authorisation code (card = something you have, PIN = something you know), or enter a passcode (something you know) and receive an authorisation code on your phone (something you have) to enter into your PC. Some actions (setting up a new payee) require use of the card reader.
This seems to be a good balance; the caveat is that I do not do online banking on my phone, only from my PC at home or work, so in this context the phone is only a receiver of an SMS, and I have an alternative if the phone goes astray.
If this seems like too much hassle on the security/usability spectrum, ask yourself how many times you would want your account cleared out before you change your mind.
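As an added illustration of the point above about "false reads" versus "the probability of a false positive" (example code, not from the original post; the match scores are constructed, and the threshold values are assumptions):

```python
# Added example: a biometric matcher has two error rates, not one. The "false reads"
# a phone user notices are false rejections of the genuine finger (FRR); the security-
# relevant figure is how often a different person is accepted (FAR). Both depend on the
# same decision threshold, so lowering it to reduce annoyance raises the risk.
# All scores below are constructed for illustration, on an assumed 0..1 similarity scale.

GENUINE = [0.91, 0.88, 0.76, 0.95, 0.62, 0.83, 0.79, 0.90, 0.71, 0.86]   # enrolled user, repeat attempts
IMPOSTOR = [0.12, 0.35, 0.58, 0.21, 0.66, 0.30, 0.44, 0.09, 0.73, 0.27]  # other people's fingers


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a score >= threshold is accepted.

    FRR: fraction of genuine attempts rejected  ("false reads" the user sees)
    FAR: fraction of impostor attempts accepted (the stat the user never sees)
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, thresholds):
    """Map each candidate threshold to its (FRR, FAR) pair to show the trade-off."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FRR and FAR are closest: the usual one-number summary (EER)."""
    def gap(t):
        frr, far = error_rates(genuine, impostor, t)
        return abs(frr - far)
    return min(thresholds, key=gap)


if __name__ == "__main__":
    for t, (frr, far) in sweep(GENUINE, IMPOSTOR, [0.6, 0.7, 0.8]).items():
        # At 0.6 the user sees no false reads, yet 1 in 5 impostor attempts gets in.
        print(f"threshold {t:.1f}: FRR={frr:.0%} (false reads)  FAR={far:.0%} (false accepts)")
    print("equal-error threshold:", equal_error_threshold(GENUINE, IMPOSTOR, [0.6, 0.7, 0.8]))
```

The sweep makes the post's point concrete: the threshold that feels best to the user (no false reads) is the one with the worst false-accept rate.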