Secure Banking with Two Factor Authenticaton – Options in India

2FA (Two factor authentication) has been around from sometime in different forms – input code received by SMS, generated through apps, hardware keys etc. For those who are unaware, 2FA enabled accounts will require a second code generated through an alternative medium in addition to traditional password to login to (email)/transact (banking and finance) from the account.

secure-baking-india

It won’t be an exaggeration if I state that most of us were introduced to 2FA by Google for Gmail. Google extended this facility to normal email users in early 2011 (was introduced to Google Apps customers in late 2010) to enable enhanced security. In the wake of several security breaches happening, we are of the opinion that it is very essential to have 2FA enabled for all your web-based accounts – email, social networking, finance, domain registrars etc. In this post we make efforts to write about different 2FA approaches offered by Indian banks – both private and public sector.

While SMS is by far the easiest available approach which majority of banks provide, frequent users know the trouble of not receiving one time password (OTP) on time to complete a transaction. Sometimes, situations arise where a particular service provider does not have mobile coverage but internet comes from a different service provider! In such situations, mobile applications come to rescue. Most of the times, mobile applications do not require data connection to be active except for first time activation of the service. Now let’s see what major banks in India provide:

State Bank of India

  1. Internet banking customers after enabling ‘High Security Settings’ will receive SMS for performing every transaction (like funds transfer, virtual card creation etc.) from their account
  2. State Bank Secure (software token): A customer will have to apply for this facility through internet banking and collect the kit from the bank. Later with the help of an application to be installed on mobile phone, OTPs can be generated. No SMS OTPs hereafter.
  3. State Bank Freedom Application (only for IMPS transactions): SBI Freedom application can be used to generate OTPs for IMPS (Immediate Payment Service) transactions up to Rs. 50000. The one time code, if generated using IVR can be used for transactions only up to Rs. 5000.

ICICI Bank

  1. ICICI’s i-safe application sends out SMS with OTP if it notices unusual activity in internet banking account. User can proceed further only by providing this OTP.
  2. When completing merchant transactions ICICI asks customers to key in random values present in grid behind the debit cards
  3. i-safe is also available as a mobile app which can be used in lieu of SMS. Note that once a user registers mobile application, ICICI stops sending OTP by SMS

HDFC Bank

HDFC has a facility termed ‘Secure Access’ which comes into the picture when you login to your internet banking. HDFC mandates enabling Secure Access for customers who require third party transfers and online shopping. An image chosen by customer along with a personal message works as a second factor in this process.

Axis Bank

2FA facility by Axis Bank is branded Netsecure.

  1. Netsecure code can come through an SMS
  2. User can register frequently used computer(s) for Webpin which in turn can be used to receive Netsecure code. Registration can be done through net banking
  3. 1-Touch device: A device which costs Rs. 800 plus taxes (in common terms called a hardware token) can be used to generate Netsecure code

Several other banks provide similar options – SMS, software token or a hardware token. Normally hardware tokens are provided to corporate customers or business establishments. Common man should ideally opt for software tokens which can be run on mobile phones for reliable OTP generation. Along with banks Stock Brokers also offer 2FA facilities.

I would like to share my personal experience with Syndicate Bank here. Recently I applied for a software token from them and received a software token (a file) from them. Their instructions required me to use a Windows PC application to import the token and generate codes thereafter. Being a Linux user, this was impossible in my case! Luckily for me, I could identify their desktop application as the one from EMC Corporation called RSA SecurID. The application was also available for mobile phones. However, there was a catch there. I could not directly use the token provided by the bank for the mobile app. Fortunately EMC provided a token convertor with which I could make the token mobile compatible. With this arrangement, I could generate codes on my Android phone. Later I contacted the bank regarding this and after few days they wrote to me stating they have started providing tokens which can be used on mobile phones!

RSA_TokenNote that all the 2FA methods/facilities mentioned above come free of cost from the banks. So opt for them and be assured about the safety of your hard earned money.

How many of you are already using 2FA for banking and since when? Share your experiences with us through comments.

Leave a Comment

Your email address will not be published. Required fields are marked *

Current ye@r *

  • MASH February 22, 2014 9:57 pm

    im using syndicate bank at this moment,and i unable to conduct transaction in google play. Can i know how to overcome this problem? Thanku

  • Ganesh February 5, 2014 5:00 pm

    @Esmail
    I had no problem conducting transactions in Google play with my ICICI Visa Debit card! I’ve been using it for years now! I have enabled VBV on that card. In fact without enabling VBV you can’t perform an online transaction!

    @Saurabh
    ICICI doesn’t provide with debit card/netbaking kit for retail customers! Only for corporate customers like salary deduction etc ICICI will give the entire starter kit (with netbaking / PIN/debit card) as a package while joining. And in those debit cards, they won’t have your name printed on them.

  • Pritam January 16, 2014 3:32 pm

    Union Bank of India also offers 2FA (Two Factor Authentication). But it costs Rs. 150/- per activation

  • Esmail January 14, 2014 10:08 pm

    The thing that concerns me the most is the 3D secure mandate for use of Debit cards for online transactions, for Visa card users this is known as Verified by Visa (VBV) this is only done by Indian banks to prevent unauthorised use of Debit card for online transactions, but now we have International app stores like Apple app store or Google play who do not have a provision for this extra layer of security and when we try and add a debit card as payment method it gets rejected displaying an error message, this issue is thankfully not there for Credit cards, but then again how many people have Credit cards? Either Apple and Google or the Indian Debit card issuing banks should find a solution to this.

    • Shuvam January 15, 2014 1:26 am

      I have had exactly the same problem which forced me to apply for a credit card. There must be a fix to this issue!

    • rz January 15, 2014 11:06 am

      I am using icici bank debit card on Google play store. Basic debit card, no gold, no platinum. You should try with it.

      • Esmail January 15, 2014 4:08 pm

        I have heard this thing about ICICI debit card working, which is why I have opened an account with them last week, waiting for the debit card to arrive I guess it should reach me by tomorrow. Also can you please clarify if you have registered your card with verified by visa and does it still work the same after the registration?

        • Saurabh January 15, 2014 8:15 pm

          @Esmail, I also have ICICI bank account and it is the only account I have from 6-7 years and I just love this bank as they have tie-up with most merchants and almost everyone. I don’t know why your debit card will take time to reach as since 2008, ICICI is providing kits that include debit card, PIN and Internet Banking ID and passwords at the time you open an account. These kits are provided instantly to the customers. Well once your debit card reaches you, you can visit ICICI Bank’s VBV page to register for 3D secure. I hope you have provided your mobile number as they send a OTP i.e One Time Password for verification.

          Also you can use your normal debit card on all App Stores like Google Play or Apple without any worry. The thing is they don’t ask for 3D secure code as that layer is absent with foreign merchants. But the bad thing you will face with Apple iTunes when you add your debit card is the authorization charge of $1 which Apple deducts to authorize the card which is later being refunded to customer in 10 days in their accounts. So when you add your debit card they will deduct amount equivalent to $1 which can vary according to forex rates and you will see this deduction in your Internet Banking account. But later it will be refunded. If you remove and re-enter the same card details, you get charge again. I faced this before. I thought they cheated me but they have this process. :)

          • Chethan S January 15, 2014 8:23 pm

            Recently they have changed the procedure. Now like SBI (even they used to issue everything in welcome kit till few years ago), debit card, cheque book etc. reach your home address by speed post or courier.

          • Esmail January 16, 2014 12:41 am

            They offered me an instant kit but I opted for getting one mailed to me later because I prefer my name to be printed on the debit card and cheque book :) The instant kits lack that touch of personalisation.

          • Esmail January 16, 2014 12:47 am

            Google play also deducts Rs.50 while adding the card and refunds it within 7 mins, Apple deducts 1$ which I never noticed being refunded the last time, now that u say it takes 10 days, that might explain why I must have missed it in my account statement, even I thought they had cheated me :P

  • Nirmal January 14, 2014 9:49 pm

    Use Bank Of India Startoken 2FA secure system. It is a VPN based security having servers in mumbai that is owned by BOI headquarters only.tremendous security with hassle free transaction. BOI netbanking also got the best internet banking award from the government. google the news.

  • Jonny January 14, 2014 8:45 pm

    What is hardware keys authentication ??

  • Susanta January 14, 2014 8:11 pm

    Which one is secure in online payment through ONLINE NET BANKING or PAYMENT THROUGH ATM cum DEBIT CARD.

    Actually I am using two SBI A/C for payment One is ATM cum Debit card and another online NET BANKING. Generally when I payment by ATM for online shopping I never received any verification SMS in my mobile… But Payment in Net Banking always receive a SMS for verification for transaction…

    • Chethan S January 14, 2014 8:19 pm

      Both options are secure – net banking and debit card. In case of debit card your transactions are authenticated with a password which you set for your card (Verified by Visa). In the case of some banks (ICICI etc.), card based transactions also require OTP. You can also try out Virtual Debit Card option available in SBI net banking. This is by far the most secure option.

    • Saurabh January 15, 2014 8:05 pm

      From my point of view, Internet Banking is way better than use of debit card though I too use my ICICI debit card for online transaction and it is registered with VBV since it was introduced. But when you enter debit card details, the third party website don’t redirect you to bank website to enter details unlike in Internet Banking. So our details are shared with that website though they can’t access 3D secure info as it needs to be entered on bank’s or Verified by VISA page only. But if you make payment via Internet Banking you are entering details on bank’s website only. ICICI also provide extra layer of security in Internet Bsnking system in name of GRID VALUES which are written behind debit cards from A to P having numerical values assigned with each alphabet. At time of transaction you are asked to enter numbers assigned with the alphabets shown. So from my view, IB is more secure than Debit Card though both are secure if you use them safely. :)

    • Colonel Zaysen January 16, 2014 3:21 pm

      Susanta,

      With respect to Chethan S & Saurabh’s reply I add wherever Net Banking Option is Available in the List of Banks use net banking first. If your bank is not listed, like, mine is not listed in PAY TM or IRCTC then opt for Visa/Master Debit Card. However one word of caution ! Never keep heavy cash in Savings Bank Accounts Idle as it can be siphoned off by anyone in which net banking Debit cards are activated. Just keep enough to pay bills and other utilities. I never keep more than 5k in my savings accounts.

      SMS Alerts come on both form of payments made either via Net Banking or via Debit Card.