TechTorch


The Evolution of Two-Factor Authentication in Major U.S. Banks: Past, Present, and Future

May 21, 2025

The importance of enhanced security measures has become increasingly recognized as cyber threats continue to rise. However, the adoption of two-factor authentication (2FA) by major U.S. banks in 2017 was still not widespread due to a combination of factors including cost, complexity, user experience concerns, regulatory environment, market competition, and consumer awareness.

Cost and Complexity

Implementing 2FA involves significant costs and complexities for banks, including system upgrades, user training, and ongoing maintenance. Some banks may have prioritized other security measures or enhancements over 2FA. For example, a comprehensive risk assessment might have indicated that existing security protocols were sufficient, or other measures like improved encryption and better threat intelligence were more cost-effective.

User Experience Concerns

Banks often worry that additional security measures like 2FA could complicate the user experience, potentially leading to customer dissatisfaction or abandonment of online banking services. This concern comes into play when reducing friction is critical for user engagement and satisfaction. Online banking transactions, if complicated by 2FA, could be seen as cumbersome and time-consuming, leading to lower customer satisfaction and trust.

Regulatory Environment

The regulatory requirements for cybersecurity were evolving as the industry tried to keep pace with rapidly changing threats. Banks might have been waiting for clearer guidelines or mandates from regulatory bodies before implementing 2FA widely. This cautious approach allowed banks to avoid legal and financial repercussions, especially because compliance with varying standards can be challenging and costly.

Risk Assessment

Some banks may have assessed their existing security measures as sufficient, particularly if they had not experienced significant breaches or incidents. However, this assessment might not have taken into account the evolving threat landscape, leading to a slower rollout of 2FA. Banks might also have been focused on proactive measures like improving encryption, which might seem more immediately beneficial.

Market Competition

If some competitors were not offering 2FA, banks might have hesitated to adopt it for fear of losing customers to those who prioritized ease of access over security. This market competition factor can often drive banks to adapt and innovate to stay competitive. However, the balance between security and convenience can be challenging to strike, leading some banks to delay implementation.

Consumer Awareness

There was a general lack of awareness among consumers about the importance of 2FA. This reduced pressure on banks to implement it, as customers might not have been actively demanding more security measures. However, as cyber threats have become more prevalent and visible, consumer awareness has increased, putting pressure on banks to enhance their security protocols.

In general, changes to IT infrastructure do not occur overnight. It takes a significant amount of resources and time for a bank’s IT department to responsibly implement change. Such changes require funding, planning, development, testing, and more. Despite these challenges, the importance of enhanced security measures has become increasingly recognized.

Current State and Future Trends

Now that it is 2019, you will see a majority of the large banks have 2FA in place. The security landscape has evolved, and consumer demand for enhanced security has grown. Banks are increasingly leveraging various methods to provide secure access to their e-banking sites.

Methods of 2FA

Many options exist to provide secure access to e-banking sites. Some banks use classical 2FA, such as smartcards with a PIN, which are not easy to deploy and can be expensive. Other big banks use a standard user ID and password combined with what is known as multi-factor authentication (MFA). This can include device identification, ISP, browser type, and location checks. These checks are often passive, and the user might not even be aware that the device is being identified.

Some banks use risk-based authentication, where a one-time password (OTP) is sent to a phone or email address on record when a user tries to make a risky transaction, such as a wire transfer or address change. This method ensures that users receive a notification and can verify their identity before proceeding with the transaction.
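The passive checks and the OTP step-up described above can be combined into one decision, shown here as an added example that is not taken from any bank's implementation. The names `Context`, `decide` and `OtpChallenge`, the mismatch rule, the 5-minute lifetime and the 3-attempt limit are all assumptions made for illustration.

```python
from __future__ import annotations
import hmac, secrets, time
from dataclasses import dataclass

# Constructed policy values for illustration; real deployments tune these.
RISKY_ACTIONS = {"wire_transfer", "address_change"}
OTP_TTL_SECONDS = 300
SIGNALS = ("device_id", "isp", "browser", "country")

@dataclass
class Context:
    device_id: str
    isp: str
    browser: str
    country: str

def passive_mismatches(known: Context, seen: Context) -> list[str]:
    """Passive signals that differ from the customer's usual profile."""
    return [s for s in SIGNALS if getattr(known, s) != getattr(seen, s)]

def decide(action: str, known: Context, seen: Context) -> str:
    """Return 'step_up' (send an OTP) for risky actions or unfamiliar context."""
    diff = passive_mismatches(known, seen)
    if action in RISKY_ACTIONS or "device_id" in diff or len(diff) >= 2:
        return "step_up"
    return "allow"

class OtpChallenge:
    """Single-use, time-limited OTP bound to one pending action."""
    def __init__(self, action: str, now: float | None = None):
        self.action = action
        self.code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
        self.expires = (time.time() if now is None else now) + OTP_TTL_SECONDS
        self.attempts_left = 3
        self.used = False

    def verify(self, action: str, submitted: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        if self.used or self.attempts_left <= 0 or now > self.expires:
            return False
        if action != self.action:  # a code issued for one action cannot approve another
            return False
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(self.code.encode(), submitted.encode()):
            self.used = True
            return True
        return False
```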

Other banks use challenge questions in similar risky-transaction situations. These questions are based on information available in public records, such as a street address where the user previously lived. The goal is to verify the user's identity without adding too much inconvenience.

Some banks opt for non-technology approaches to manage risk, such as relying on cyber insurance. This method transfers the risk to an insurance provider, which can be cost-effective for banks that prefer not to implement 2FA.

In conclusion, the evolution of 2FA in major U.S. banks has been influenced by a complex interplay of factors, including cost, user experience, regulatory requirements, and competitive pressures. As technology advances and consumer awareness grows, the adoption of 2FA is likely to continue, ensuring that these banks remain at the forefront of cybersecurity.