
17/12/2004

 

Understanding Two-Factor Authentication

Introduction

In recent years, Internet banking has seen a huge increase in its users. Banking customers regularly log into banks’ websites to access their accounts and conduct a wide range of banking transactions. However, the popularity and easy accessibility of Internet banking have also attracted growing security threats. To further enhance the security of Internet banking, banks have implemented a two-factor authentication (2FA) system at login for all types of Internet banking systems. In this article, MoneySENSE answers some of the more common questions on 2FA and provides tips on using your 2FA token.

What is 2FA?

The common implementation of 2FA requires you to provide two components to identify yourself to a system or service:

i) something you know, e.g. a PIN or password

ii) something you have, e.g. a 2FA token

2FA differs from the traditional authentication method, which requires only a single factor such as a password to gain access to a system. The 2FA token could be a hardware device or a software module installed in your mobile phone.

Each time you wish to log into a bank’s website and perform online transactions, your 2FA token will generate a One-Time Password (OTP). The OTP is usually a string of numeric or alphanumeric characters which you will have to key into the system before you can perform your transactions. The OTP can also be delivered to you via SMS.

For security reasons, the OTP is usually valid only for a short period of time, after which you will have to obtain a new OTP.

Why is 2FA important?

2FA is an effective method of countering hacking attacks and identity theft. This is important in light of the growing lists of hacking threats and exploits. Direct attacks on banking systems and customer PINs have become increasingly widespread. Phishing, fake websites, spamming, viruses, worms, trojans, keystroke loggers and spyware are some of the threats that customers have to grapple with when using internet banking.

What are some of the different types of 2FA tokens available?

2FA tokens are available in different forms, including:

i) Hardware token

ii) SMS method of receiving the OTP

iii) Special software installed in mobile phones

iv) Smartcard

The table below summarises the features of each type of token commonly deployed by banks in Singapore.

Hardware token

How does it work?
  • The hardware token is a key-chain size physical device capable of generating an OTP.
  • Each time you log in, press the button on the hardware token. The OTP will then be generated and displayed on the screen.

Advantages
  • The token can be used both locally and overseas.

Disadvantages
  • Users need to replace the hardware token once its battery runs out.
  • You have to carry a separate device.

SMS method of receiving the OTP

How does it work?
  • An SMS containing your OTP will be sent to the mobile phone registered with your bank whenever you log in with your user ID and PIN.

Advantages
  • Your mobile phone can be used to receive the OTP. There is no need to carry a separate device.

Disadvantages
  • You have to register your mobile phone number with your bank.
  • You need to inform the bank if there is a change in your mobile number.
  • Transmission of the OTP is dependent on the mobile network service. The transmission may be slightly delayed if there is high mobile network traffic.
  • You may incur additional charges if you wish to log in overseas. The charges depend on your mobile operator/plan.

Mobile software token

How does it work?
  • Software for generating the OTP is installed in your mobile phone.

Advantages
  • Your mobile phone can be used to generate the OTP. There is no need to carry a separate device.
  • The mobile token can be used both locally and overseas.

Disadvantages
  • As the software is installed in your mobile phone, you will need to reinstall the software every time you change your mobile phone.

Note that a bank may not offer all three types of 2FA tokens. You may wish to check with your bank what types of tokens they offer.

Can I change my 2FA token type after I have made a selection?

Banks which offer more than one 2FA token type would usually allow customers to switch from one type of token to another, subject to the banks’ terms and conditions. To change a token, customers may be required to submit a form to the bank. However, do note that some banks only offer one type of token to their customers and switching is thus not applicable.

Can I have more than one 2FA token for each internet banking account?

As each 2FA token is uniquely assigned to your internet banking account, you cannot have more than one of the same type of token for each account.

What if my 2FA token is stolen / misplaced / damaged?

Notify your bank immediately if you lose your token. Note that the bank may impose charges for replacing the token. You may wish to refer to your bank’s website for information about the charges involved in replacing your token.

Tips on safeguarding your 2FA token:

i) Keep your 2FA token in a safe place.

ii) Do not allow anyone to use or keep your 2FA token.

iii) Do not disclose the one-time passwords displayed by your 2FA token to anyone.

iv) Do not reveal the serial number of your 2FA token to anyone.

v) Do not allow anyone to access or tamper with your 2FA token. 

 

 


Last modified on 15/5/2008  
© 2008, Monetary Authority of Singapore