In today’s digital landscape, two-factor authentication (2FA) is a crucial security measure. Yet, many banks and financial institutions still rely on SMS and email for this purpose, despite their known vulnerabilities. Here’s why some of these institutions haven’t fully embraced more secure options like TOTP (Time-based One-Time Password) or FIDO2 hardware keys.
1. The Friction Factor
One major hurdle is the customer experience. Institutions often use SMS and email for 2FA because these methods are accessible to a broad user base, including those who may not be tech-savvy. Implementing more advanced options like TOTP or FIDO2 can create additional friction, potentially alienating less tech-inclined customers.
2. Cost Considerations
Although SMS and voice 2FA incur per-message or per-call charges, many institutions opt for these methods due to their immediate availability and ease of integration. However, supporting TOTP and FIDO2 could reduce long-term costs since these methods don’t involve ongoing transaction fees. Yet, the initial setup and customer education for these more secure options can be costly.
3. Regulatory and Compliance Challenges
Financial institutions must navigate a maze of regulations. While TOTP and FIDO2 are increasingly recognized for their security benefits, the process of updating compliance standards and integrating new technologies can be daunting.
In conclusion, the shift from SMS and email to more secure 2FA methods is more than just a technical upgrade—it’s a complex decision influenced by cost, user experience, and regulatory requirements. As customer demand and technological advancements push institutions towards better security, we might see a gradual but significant shift in how 2FA is implemented across the financial sector.
