Blizzard offers two-factor authentication, why doesn’t your bank?

Lots of buzz on the net about Blizzard (creators of World of Warcraft) offering a $6.50 two-factor authentication token for customers that want an extra layer of protection for their account. Yes, if you didn’t know, account theft in WoW is on the rise! I commend Blizzard for taking this extra step to help protect their customers…sure, two-factor authentication isn’t perfect, but regardless, it’s a step in the right direction.

So why don’t more banks and financial institutions set this up for their customers? PayPal was able to do it right (not perfectly, but close). It comes down to customer support and cost. One of the many ways a bank or financial institution makes money is by offering products that are user friendly and can be used by just about anyone. For someone with some technical skill, using a two-factor authentication token is a cake walk…unfortunately, the average bank user (think about your mom or the person in your family with the least amount of technical skill…yes, the one that calls you to fix their computer…) will most likely be confused as to how to use the device, and that will mean a call to the bank’s customer support center (calls cost $$). And let’s not forget about the back-end infrastructure (servers and IT staff cost $$) and all the additional red tape the institution has with regard to advertising and putting a friendly spin on it for customers.

Martin McKeay and Michael Santarcangelo on the Network Security Podcast (Episode 110) had some good discussion about this. In a nutshell, the conversation was about how banks offer many different easy-to-use services, and tying a two-factor solution to all of these products is just not worth the cost, time and effort (except for high wealth customers). Also, what happens when you have multiple accounts at multiple banks? Do you carry around multiple tokens? My opinion? Until there is something easier to use and more secure, I don’t see most banks or financial institutions going two-factor anytime soon.

4 thoughts on “Blizzard offers two-factor authentication, why doesn’t your bank?”

  1. This is pretty interesting – I have to wonder if other big MMORPGs like Age of Conan or even Second Life will start to do this. Virtual identities are big money now – glad to see Blizzard taking this seriously.

  2. The PayPal token is part of VeriSign’s VIP Network, which means it can be used at sites other than PayPal. I use mine at eBay, AOL, and VeriSign’s OpenID site.

    https://idprotect.verisign….

    Now that the multiple token problem is solved, there’s no excuse for banks not to use two factor authentication.

  3. I like the VeriSign solution…perhaps that is the start of a universal system that could be adopted by banks. Perhaps something like OpenID but with a more secure solution like transaction authentication that could be used universally. Read more about transaction authentication here:

    http://www.cronto.com/visua

  4. I’ll be watching to see if other MMORPGs adopt a similar strategy. More importantly, if they adopt it, I’d like to see how they implement the solution — and if they employ something like the VeriSign solution or opt to require everyone to carry an individual token — which I find to be a burden.

    I was not aware of the VeriSign solution; it certainly warrants a closer look. That said, given the conversations the banks and other institutions hold around this, I don’t consider it a "case closed" situation.

    To be "case closed" it has to be truly interoperable, a documented standard and allow different parties to work as validators.

    That said, I think OpenID holds promise. People tend to be myopic about OpenID — but since it allows hooks for authentication, it provides a promising mechanism.

    Good discussion!
