Commentary: multiple two-factor tokens are a drag to users

December 21st, 2013 | by Alfred Siew
[Photo: multiple 2FA tokens in Singapore]

If the number of gadgets above seems excessive, then you should see the rest I have stowed in my drawer.

All in, I have seven or eight active tokens – I’ve lost count – used to log on to online banking accounts. Some, I think, are expired, while for others I don’t even remember which accounts they are for.

I may be a minority among online banking users here in Singapore, but certainly the number of tokens that slowly add up these days can be bewildering for users who have more than a single bank account.

I have one for my personal account, another two for a current account for my sole proprietorship and another two for another company account. That’s not counting a couple of others for a joint account with my wife.

Having lots of bank accounts doesn’t mean you’ve got lots of money in them, unfortunately. But it does get you saddled with lots of tokens these days, and it’s a hassle remembering which one is for what.

OCBC’s corporate accounts, for example, require one person to process online payments and another to approve them. While this safeguard is understandable, it applies even if you are the sole proprietor – you have to log in twice, separately, to transfer money to someone online. And that means logging in with the right tokens.

A few months ago, I had keyed in the password on the wrong token several times and ended up being locked out of the online accounts. I ended up writing a cheque, as I’ve always done.

Sadly, the situation isn’t going to improve, even though more people are being issued even more tokens these days.

About 23 per cent of Singapore users have two such authentication devices, also known as two-factor authentication (2FA) devices, according to a survey released earlier this year.

Some 14 per cent had four devices, while less than one per cent – one respondent out of 500 surveyed – had eight devices. The study, carried out from March to August this year by Assurity, also revealed that the main concern for those who had more than one device was carrying too many devices.

The company, a government-owned outfit set up two years ago, has an agenda, of course. It provides OneKey, a token that promises to unify all the tokens out there, by linking log-ins for banks, brokerages and even schools through one central point.

The promise, however, is a long way from being fulfilled, despite the initial lofty aims. So far, government services have yet to be connected via OneKey. Many simple transactions such as checking your CPF balance still require only a simple online password.

The bigger issue is the private sector, in particular, banks. The big local banks – DBS, OCBC and UOB – have all invested early in 2FA technology. They were pushed to do so by the monetary authorities after the high-profile hacking of several user accounts years ago.

As a result, they could be unwilling to join any national programme, such as OneKey, by ripping out what already works. They each issue their own tokens today.

Another reason could be branding. Anyone who has tried partnering a bank will tell you they always think a customer “belongs” to them. They won’t surrender any relationship with a customer by letting in a third party.

Together, that has meant that the universal token, as pushed by the Singapore government, has taken very slow steps in the past two years to make things more convenient for users.

Since December 2011, only 14 service providers have joined the OneKey programme. Banks number only two – RHB and ICICI – though the list also includes a number of securities trading firms, such as CIMB Securities and MayBank Kim Eng.

More encouragingly, the nationwide system has got traction in areas such as Ngee Ann Polytechnic. Here, users gain access to school resources by logging in with a OneKey token.

Well, at least the young are using a universal token. The hope is that they will demand change from the current system, where you can be saddled with so many tokens you end up just giving up on things.

That will be the ultimate backlash against a technology that is meant to empower users and protect them from online fraud.

In the years ahead, these tokens will become more sophisticated too. This year, for example, new tokens sent to you have enabled you to “sign” or approve a sensitive transaction, such as a money transfer. In the past, you were just flashed a simple password to log in.

When the next technology upgrade is considered, you’d hope that banks here will think of moving to a universal token, instead of going it alone again. At least offer an option to users who prefer to log in via the nationwide system.

Not only does that save costs for banks, it could mean the difference between a customer actually using a token and throwing it in a corner to look for the cheque book instead.
