Bank of America has decided to implement two factor authentication on their website when doing specific things like adding a remote account to transfer money to, or when doing a wire transfer (basically anything where money is going to leave the account). So far this sounds like an excellent plan. The second factor is that when I want to send money to another account or send a wire transfer they’ll send me a text message and I then enter the one time use code they text me into the website.
All this sounds perfect (except for if I’m out of the country and I can’t get their text messages), except for one little issue.
Adding a new cell phone to send a text message to is as simple as just logging onto the bank’s webpage. Once I log into the site I can simply add another cell phone, verify that I have the cell phone via a text message and then I can use that cell phone to approve any wire transfers. All very convenient. The problem is that is someone else figures out my username and password for the website they to can add a cell phone to my bank account, approve it for use, then start sending wire transfers off all my money to their account.
So while Bank of America has two factor authentication, the second factor is dependent on knowing the first factor. For this to be actually useful two factor authentication it would need to require that I go into a branch with my ID to prove that I’m me and that I can add the phone as a two factor authentication phone. Additionally they should be using as an option one of the phone application based two factor authentication processes so that if I have several phones I can just use the one application, or if I’m not in the country I can still manage my money (which has been a problem a couple of times).
While I applaud the effort that Bank of America has put into having two factor authentication, doing it correctly would be a lot more useful. As currently you have one factor authentication with an annoyance.