
I am amused that the two personal accounts I use that have an option of two factor authentication are Paypal and World of Warcraft. Both of those use my phone (Paypal through a one-time code by SMS, Battle.net with an application).

Halifax recently upgraded their system. Previously I had to remember a username, a password and two of five facts about myself. Now I have to remember a username, a password I type normally, and a second password from which they ask for random digits, as if that were significantly different from another password. In fact, the new password can only contain letters and digits and isn’t case sensitive, so it’s a secondary *less secure* password. And with new Halifax banking accounts being assigned a username consisting of the customer’s surname and some random numbers, it’s now effectively three passwords you need to remember, plus where you went to school.

I wonder if they’ve invested in 3M’s thriving Post-It note business recently.

Recently I was setting up a business bank account with HSBC. That _does_ do two factor authentication by default, with a device they send you in the post. However, the password was restricted to a subset of punctuation on top of normal auth. Worryingly, they specifically banned percentage, at, quote and semicolon symbols.

Two factor auth is technically and socially difficult, and doesn’t solve all the problems either, but three passwords to remember is even worse than one.
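A minimal model of the “random characters from a secondary password” scheme described above, as an added example (it is not the post’s code nor any bank’s implementation). The 36-symbol alphabet, three positions per challenge and the entropy comparison are assumptions used to make the “less secure” point measurable.

```python
import hmac
import math
import secrets

# Assumed rules for the secondary secret, as the post describes them:
# letters and digits only, not case sensitive.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def normalise(secret: str) -> str:
    """Apply the bank-style rules before storing: lower-case, alphanumeric only."""
    s = secret.lower()
    if not s or any(ch not in ALPHABET for ch in s):
        raise ValueError("secondary password must be letters and digits only")
    return s


def issue_challenge(secret_len: int, k: int = 3) -> list[int]:
    """Pick k distinct 1-based positions the user must supply for this login."""
    return sorted(secrets.SystemRandom().sample(range(1, secret_len + 1), k))


def verify_partial(stored: str, positions: list[int], supplied: str) -> bool:
    """Check only the challenged positions, case-insensitively, in constant time.

    Caveat for implementers: a partial-password check cannot be done against a
    single salted hash of the whole secret, so the server must keep the secret
    recoverable (plaintext or reversibly encrypted). That is a real cost of
    this scheme compared with an ordinary hashed password.
    """
    if len(supplied) != len(positions):
        return False
    expected = "".join(stored[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), supplied.lower().encode())


def response_bits(positions: list[int]) -> float:
    """Guessing work for one challenge: k symbols from a 36-symbol alphabet."""
    return len(positions) * math.log2(len(ALPHABET))


def full_password_bits(length: int, alphabet_size: int = 95) -> float:
    """For comparison: a case-sensitive password drawn from printable ASCII."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    stored = normalise("Secret42")          # constructed sample secret
    challenge = issue_challenge(len(stored))
    print("enter characters", challenge, "of your secondary password")
    print("one challenge is worth about %.1f bits; an 8-char full password %.1f"
          % (response_bits(challenge), full_password_bits(8)))
```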

  1. Could be worse. Direct Line use a username and a password that you have to enter a few random characters from, and nothing else (without a normal password).

  2. The reason for the secondary password isn’t for extra security. Assuming that Halifax are like most other banks (you have to choose the letters from a dropdown), it’s to stop you having your browser remember the password, which loads of people do.

  3. Which is true, but the system it replaced asked you two of six personal questions, which couldn’t be remembered by the browser anyway.

  4. I’ve always assumed that the “enter three letters” secondary password was to prevent keyloggers from harvesting it.

  5. You can select letters from a drop down by pressing keys in most browsers. So the keylogger thing is just fail-in-a-can.

  6. Lloyds use the system the Halifax has changed to. I guess they get to impose their model now they’ve bought HBOS.
