Mobile Banking & Authentication #BadUX: And The Winner Is…


Strong authentication, as we know, must be implemented as a compromise between security and user convenience. This holds for any kind of service, but this is particularly true for mobile, consumer-facing services, because both the mobile device and the large, not tech-savvy audience, introduce specific UX (user experience) requirements. Mobile banking should therefore see ideal implementations of strong authentication. But apparently, something went wrong…

Living with the legacy of e-banking authentication

Banks have generalized the use of mobile phones for authentication around 2007-10, usually as a consequence of regulations about online payment security that required a dynamic authentication. As most retail customers had at least a basic phone, “SMS-OTP” – random codes sent in a short-text message used to confirm a transaction – were seen by most banks as a convenient, secure, and inexpensive way of becoming compliant (SMS-OTP fell short of meeting all 3 expectations, of course, but that’s another story – or post…).

“Soft-tokens” – mobile Apps generating one-time authentication codes – were also rolled out here and there, but never generalized, probably for bad timing reasons: by the time compatible phones were widely available, App banking had already taken off, so banks would never be able to explain to their customers why 2 Apps were required.

Nevertheless, in a way or another, mobile phone has become a widely successful out-of-band second factor in e-banking. Then came m-banking…

Initially m-banking operations were very restricted, because there was no good way to secure sensitive operations: it’s really painful to enroll users in a strong authentication solution, such a solution was already in place, and it had been “designed” (!) for e-banking only. Ironically, banks that had deployed old-style key-chain tokens had a slight advantage in securing m-banking. Those having deployed CAP (Chip Authentication Program) were completely left behind – don’t laugh, some banks still signed up for CAP as late as 2011! (by which you may have guessed that I was living in France at that time…)

M-banking authentication era

Like it or not, authentication for m-banking era can’t be out-of-band. Using key-chain tokens to keep a smell of a separate device doesn’t make any sense as it doesn’t protect from phishing or malwares, so there are really no valid out-of-band options.

in-App authentication has been proposed as the m-banking authentication mechanism. For example, inWebo proposed a SMS-free in-App authentication concept as early as 2010, and released a security-certified product as an SDK in 2012.

in-App authentication makes m-banking security really convenient, as 2FA can be completely hidden to users – the same way in-browser 2FA does it for web sites. But that’s the theory. In practical terms, banks still struggle to make 2FA – and security in general – a seamless experience.

Just one example with … a well-known global bank. I see no need to expose this bank to public irony – first because I’m not sure this post would reach executive ears and ultimately make customers’ life easier; second because one would get the impression by contrast that other banks are performing much better: actually, there’s no winner! Let’s mention that it’s not a 2010 example as you would think, but the brand new, just released, 2013 in-App 2FA enrollment process! So here’s what you have to do, take a deep breath:

  • sign in to your online account from a web browser
  • create a secrete question and answer – you know, something like “what is the last book you have read?” (you’re not required to rate that book though)
  • download the mobile App
  • enter your credentials and the answer to the secrete question
  • define a password in your online account
  • enter it in the mobile App
  • obtain a first activation code from your online account
  • enter it in the mobile App
  • receive a second activation code by SMS, email or post (yes, post!)
  • enter it in the mobile App
  • define your PIN in the mobile App
  • you’re all set!!!

Half-way reading this list, most of you have probably checked if, by any chance, this post hadn’t been written on April 1st. But unfortunately, it’s not a joke!

However, the exact reason why it’s so f… weird and complex is an open question I address to the audience. I have a few tentative explanations in mind: a) the process was reviewed at all hierarchical levels, each one adding a step, b) they stopped adding steps when they couldn’t figure out additional ones, c) some pre-Millenial consultant suggested that the more steps, the more secure customers would feel.

That last one is probably true. If there are any customer left…