However, that small inconvenience is not really something to be bothered by. Any hardware-based login solution will have that, and the yubikey’s fitting into something you have anyway for getting in to places (you keys) makes it very logical. What could have made it even better had been if you would have activated it using a key-like turn rather than the somewhat bland keypress that does not produce any kind of haptic feedback. But I can understand that a twisting design like that would be an order of magnitude more expensive to produce, and probably another order of magnitude less durable…

It is also striking how well this system works compared the incredibly clunky login and signing facilities used by ICA Banken. There, you have a piece of hardware which is way larger than a key, into which you slide your credit card. Then, to log into the bank and effect a payment of a bill, you do:

• Type in customer number
• Type in PIN code
• Put your card into the signing device
• Press “login”
• Copy 8 digit code from web page to device
• Type card PIN code into device
• Copy 9 digit code from device to web page
• … enter data for bills …
• Bring out the signing device again
• Insert card
• Press “sign”
• Copy 8 digit code from web page to device
• Type card PIN code into device
• Copy 9 digit code from device to web page

I really think the “sign” step adds no security in practice, and most other bank systems I use seem to agree with this: once past login, no need for additional confirmation. I think that makes sense, and that the sign stage is here more as a warm fuzzy feeling kind of thing.

If it wasn’t for the possible constraint that the ICA solution has to work on public computers where you have no access to USB ports, I think a yubikey-based solution would make all of the above so much easier. The genius of the yubikey is really that it removes the “type in numbers from hardware device” from the login steps, which really is something that there is little value to having each user do every time they effect some kind of secure operation. If all banks used a yubikey, I think the world would save many thousands of people hours that could be used to have fun, be with the family, and other more beneficial uses.

But for some reason, they do not enforce the use of security keys on their customers. Even when you have obtained a security key (which is optional, weirdly enough) and said you are using it, you can still login without it doing some additional security questions. For the reason of convenience! Which basically reduces the security added to nothing, since you can still login in a traditional fashion.

I am all for listening to the needs of customers, but sometimes you have to assume that you know better than your customer. And security for financial institutions is one area where the financial institution does know better than their customers. The very idea of letting someone get around two-factor authentication for convenience is just amazing to me. Even more amazing is the Bank-of-America login that apparently (from Leos comments in the podcast) do not even use any kind of hardware token for login. This is akin to having safety deposit boxes put in the waiting area in a bank and asking customers to just put their own padlock on them.

Every Internet-based bank where I have been a customer have done SOMETHING more than just a password. There have been little crypto dongles where you enter a challenge number and get a response, a card with one-time passwords, or a smart card reader that gets a one-time number from the chip on the smart card itself. Or a one-time password sent over SMS to register a certificate on a computer. Not all perfect solutions, but in all cases security has at least been considered and not just customer convenience.

For banks, you do not want access to be too simple. You want your money to be safe. And it is OK to make access a bit more complex than just user name and password.

I hope the argument is not cost-based. The cost of giving out hardware tokens should be minor compared to the cost of lost customer money. It is just part of what it means to be in business as a bank, you do have to pay for offices (or at least server rooms for an internet-only bank) and customer service.

I guess this is one more thing that falls in the category of “the US is a strange land”. Because I hear an undercurrent of “convenience is more important than anything” and a fear of losing customers if login is too complex. Which in this case has to be considered the wrong priority.