Google offers it, some video games require it, but three of Canada’s big five banks don’t even want to talk about two-factor authentication (2FA), an extra layer of online security that some experts say banks should be required to provide to help protect consumers.
It’s a “very, very risky situation” according to Dr. Kevin Streff, a professor at Dakota State University and director of its FinTech security lab.
U.S. banks have been expected to use 2FA, also known as multi-factor authentication, since a directive was issued by the Federal Reserve Board 14 years ago, Streff said.
Relying on “single-factor authentication” — logging on to a system with one ID/password combination, for example — “is insufficient in this day of cyberwarfare,” he said.
Under 2FA, a bank requires another step to ensure the person making the transaction is really you. It may call or text you a code that you must enter. Other forms of 2FA involve email, documents and hardware like a USB stick.
CBC News requested interviews with Canada’s big five banks about online security and two-factor authentication.
Scotiabank, Bank of Montreal and Royal Bank all declined and did not offer any comment.
A search of Scotiabank’s website shows 2FA is offered at its international outlets but not, apparently, in Canada.
RBC’s website says it requires 2FA to confirm unusual online payments or transfers, or if you go over your daily limit. BMO’s website says it’s required for investment transactions.
A CIBC spokesperson pointed us to the bank’s site, and a page that says 2FA is used for transactions such as adding a new e-transfer recipient, updating contact information, or resetting a forgotten password. It’s not required for day-to-day online banking transactions.
“Protecting our clients is a clear priority,” said spokesperson Trish Tervit.
TD also offers 2FA, and is the only one of the big five that gives customers the option of using it every time they log on to the site.
Two-factor authentication “has helped to reduce levels of fraud by preventing unauthorized account access,” spokesperson Lisa Bodnar said via email.
Two-factor authentication is not to be confused with two-step authentication, which can include a secondary password or question but not a second device.
Federal regulations required
Srini Sampalli, a cybersecurity researcher and computer science professor at Dalhousie University in Halifax, says 2FA is only really safe if the bank’s code is sent to a second device, not the one on which you’re doing your banking. If you’re banking on your phone, TD may send the code to the same device.
Though banks are held to the “highest encryption standards” and transactions are “very, very safe,” Sampalli says they should have some level of multi-factor authentication built into their security practices, especially for larger transactions.
“If the federal government can mandate some kind of a policy that all banking institutions should harden their online security practices, then perhaps it will become standardized and we will see uniformity,” he said.
But, he cautions, 2FA is not the ultimate solution since “nothing is 100 per cent guaranteed in cybersecurity.”
Streff, at Dakota State, says Canada’s lack of regulation in this area is “well-documented” and that, from a regulatory perspective, it’s “lagging behind” other countries, including some in Europe.
He said it’s up to the government to decide how much regulation is required.
“I don’t want to paint this with a broad brush — that banks in Canada aren’t responsible or aren’t using a second factor of authentication,” he said. “There’s really just an absence of regulation which leaves it up to the banks to make their own choices.”
So, why don’t banks offer 2FA? First, there is the cost of implementing and maintaining it. Streff calls the cost “incremental.”
Secondly, there’s inconvenience — some customers might be annoyed by the extra steps.
“Security has to balance convenience,” Sampalli said.
Sampalli says requiring 2FA is not simple — there are many factors to consider, including whether consumers should be allowed to opt out, and to what extent.
He said some people in remote areas might have difficulty with 2FA if the second step involves receiving a code on a separate device.
“So, it’s not just a technology issue; it’s a people issue. It’s convenience and technology together,” he said.
New advancements coming
Sampalli said advancements in the next few years may change the security around online banking.
“What if your device itself has the intelligence to recognize if you are the rightful owner holding it and then proceeds with the transaction?” he asked.
“I believe in five or 10 years from now we’ll see algorithms built into systems to reinforce that.”
He added until that time, the federal government should mandate regulations, but in stages, adding it must be tested to ensure that all groups have access to the technology.
Sampalli said it’s important for those using online banking to remember they must be responsible, as well.
“We as consumers must be educated in good online techniques and practicing safe techniques and good cyber hygiene.”
He said it all comes down to protecting our passwords. “They say security is only as good as the weakest link and passwords are the weakest link in the whole security chain.