Understanding Two-Factor Authentication and Transaction Signing


What is two-factor authentication (sometimes referred to as 2FA)?

Banks require two-factor authentication at login for all types of internet banking systems. This means you have to identify yourself to a system or service by providing:

  1. Something you know e.g. PINs or password; and
  2. Something you have e.g. a two-factor authentication token.

Each time you log into a bank’s website to perform online transactions, you will be required to identify yourself by providing a PIN and a One-Time Password (OTP) generated from a two-factor authentication token. The OTP is usually a string of numbers (numeric) or combination of alphabets and numbers (alphanumeric) characters which you have to key in before you can perform your transactions. For security reasons, the password is usually valid only for a short period of time, after which you will have to obtain a new one.

Why is two-factor authentication (2FA) important?

Attacks on banking systems and customer PCs have become increasingly widespread. Phishing, vishing, fake websites, spamming, viruses, worms, trojans, keystroke loggers and spyware are some of the threats that customers may face. Two-factor authentication helps to counter hacking attacks and identity theft.

What are the different types of two-factor authentication (2FA) tokens available?

Two-factor authentication tokens are available in different forms. Here are the features of tokens commonly used by banks in Singapore:

  How does it work?  Advantages Disadvantages
Hardware token 
  • This is a key-chain size token which generates One Time Passwords. Each time you log in, press the button on the hardware token to generate the One-Time Password. This will be displayed on the screen.
  • A hardware token with advanced digital signing capability comes with a key pad. Instructions to use the digital signing capability will be provided by your bank.
  • The token can be used both locally and overseas.
  • The hardware token with advanced digital signing capability can be used to digitally “sign” transactions to protect the authenticity of online transactions.
  • It’s a separate device.
  • Users need to replace the hardware token once its battery runs out (usually every 5-7 years).
Using SMS to receive One Time Password An SMS containing your password will be sent to the mobile phone number registered with your bank whenever you log in with your user ID and PIN. You receive the password via your mobile phone. There is no need to carry a separate device.
  • You have to register your mobile phone number with your bank and update the bank if there are changes.
  • Transmission of the password is dependent on the mobile network service. There may be delays if there is high mobile network traffic.
  • You may incur additional charges if you log in overseas. The charges depend on your mobile operator/plan.
  • In addition, an SMS one time password does not allow you to digitally “sign” a transaction.

Can you change your two-factor authentication (2FA) token type after you have made a selection?

Banks which offer more than one type of two-factor authentication solutions may allow customers to switch from one solution to another. But some banks only offer one solution to their customers and switching is not possible.

Can you have more than one two-factor authentication (2FA) token for each internet banking account?

As each two factor authentication token is uniquely assigned to your internet banking account, you cannot have more than one of the same type of token for each account.

What if your two-factor authentication (2FA) token is stolen, misplaced or damaged?

Notify your bank immediately if you lose your token. Note that the bank may impose charges for token replacement.

What is transaction signing?

Transaction signing requires customers to digitally “sign” transactions that are deemed high risk. It is used to verify the authenticity and integrity of an online transaction. Examples of online transactions that may be deemed high risk include making high value fund transfers or changing customer’s details online.

You will be requested to confirm the online transaction you are about to perform by entering a dynamic PIN. This dynamic PIN is generated when a customer inputs information specific to a transaction, such as an account number or a transaction amount, into a device.

Why is it necessary to perform transaction signing?

Transaction signing is an effective method used to detect interception and modification of your online transaction from malware or, viruses employing “man-in-the-middle” types of attack.
Tips on safeguarding your two-factor authentication (2FA) token:

  • Keep your token in a safe place.
  • Do not allow anyone to use or keep your token.
  • Do not disclose the one time passwords displayed by your token.
  • Do not reveal the serial number of your token.
  • Do not allow anyone to access or tamper with your 2FA token.
  • Do not write down your user ID and PIN on the token.

 

The above information is prepared in collaboration with the Association of Banks in Singapore.