I recently wrote about two-factor authentication (2FA) as an important tool for protecting your accounts. It’s not difficult to set up and is very useful where it’s available. The kind of 2FA I described is available on PayPal, for example, and if you use that payment system, adding 2FA would help protect your financial accounts. There are two questions you need to answer:
Let’s take those in reverse order to better explain the issue. Very simply, not all accounts offer the type of 2FA I described in the earlier article. Here’s a detailed article that explains how to use 2FA on many of the larger social media and e-commerce platforms. Noticeably absent from that list are most banks and other financial service firms.
Here’s another, more detailed listing of firms that offer additional authentication for their accounts, banks being one category. However, there is something very important about the second list. It includes many types of authentication, not only software tokens like Authy and hardware tokens like YubiKey that I described in the earlier article. Instead, many of them use SMS (text messages) or phone calls. Those are less safe than a separate authenticator (software or hardware token). The reason? If you are already logged into the account, you can request the needed code by text or by telephone—no need to give a second piece of information. That’s good protection against automated attacks, but it is no protection against a human actor who already has your data.
Many large banks have built their own proprietary security systems. Many smaller banks use a specialized financial services platform to provide security. Whichever way they do it, banks are very concerned about providing what we marketers call “good customer experience.” Put more crassly, financial services can often be complex and confusing. Not asking customers to take an extra step at sign-in may be seen as one way to simplify the experience.
It is also true that banks and other financial services firms use many automated security services behind the scenes to protect the safety of customers’ assets and transactions. You would be well advised to read the Security page of each of your financial services accounts and see if you feel satisfied. Then take advantage of the additional steps that are offered, whether it is additional authentication or, more likely, alerts about any type of suspicious activity in your accounts.
Now that you know that this protection is going to take a little effort, we can deal with the first question. I would suggest a three-tiered approach:
It would be nice if this were simple, with one type of authentication for all your important accounts. Unfortunately, it is not. However, once you understand the principles, it is easy and well worth the effort.
Always remember that a password manager is still the best overall protection for your account credentials. Then carefully consider which of your accounts are important enough to warrant additional protection. That’s a good compromise between ease of use and strong protection.