Two-factor authentication (2FA) has been around for some time in different forms: codes received by SMS, codes generated through apps, hardware keys, etc. For those who are unaware, a 2FA-enabled account requires a second code, generated through an alternative medium, in addition to the traditional password in order to log in (email) or transact (banking and finance) from the account.
It won't be an exaggeration if I state that most of us were introduced to 2FA by Google for Gmail. Google extended this facility to normal email users in early 2011 (it was introduced to Google Apps customers in late 2010) to enable enhanced security. In the wake of several security breaches, we are of the opinion that it is essential to have 2FA enabled for all your web-based accounts: email, social networking, finance, domain registrars, etc. In this post we make an effort to write about the different 2FA approaches offered by Indian banks, both private and public sector.
While SMS is by far the easiest available approach, and the one the majority of banks provide, frequent users know the trouble of not receiving a one-time password (OTP) in time to complete a transaction. Sometimes a situation arises where a particular service provider has no mobile coverage but internet access comes from a different service provider! In such situations, mobile applications come to the rescue. Most of the time, mobile applications do not require an active data connection except for the first-time activation of the service. Now let's see what major banks in India provide:
State Bank of India
- Internet banking customers, after enabling 'High Security Settings', will receive an SMS for every transaction (like funds transfer, virtual card creation, etc.) performed from their account
- State Bank Secure (software token): A customer has to apply for this facility through internet banking and collect the kit from the bank. Later, OTPs can be generated with the help of an application installed on the mobile phone. No SMS OTPs are sent thereafter.
- State Bank Freedom Application (only for IMPS transactions): The SBI Freedom application can be used to generate OTPs for IMPS (Immediate Payment Service) transactions up to Rs. 50000. The one-time code, if generated using IVR, can be used for transactions only up to Rs. 5000.
ICICI Bank
- ICICI's i-safe application sends out an SMS with an OTP if it notices unusual activity in the internet banking account. The user can proceed further only by providing this OTP.
- When completing merchant transactions, ICICI asks customers to key in random values from the grid on the back of the debit card
- i-safe is also available as a mobile app which can be used in lieu of SMS. Note that once a user registers the mobile application, ICICI stops sending the OTP by SMS
HDFC has a facility termed 'Secure Access' which comes into the picture when you log in to your internet banking. HDFC mandates enabling Secure Access for customers who require third-party transfers and online shopping. An image chosen by the customer, along with a personal message, works as a second factor in this process.
Axis Bank's 2FA facility is branded Netsecure.
- The Netsecure code can come through an SMS
- A user can register frequently used computer(s) for Webpin, which in turn can be used to receive the Netsecure code. Registration can be done through net banking
- 1-Touch device: A device which costs Rs. 800 plus taxes (in common terms called a hardware token) can be used to generate the Netsecure code
Several other banks provide similar options: SMS, a software token or a hardware token. Normally, hardware tokens are provided to corporate customers or business establishments. The common man should ideally opt for a software token, which can be run on a mobile phone for reliable OTP generation. Along with banks, stock brokers also offer 2FA facilities.
I would like to share my personal experience with Syndicate Bank here. Recently I applied for a software token from them and received a software token (a file) from them. Their instructions required me to use a Windows PC application to import the token and generate codes thereafter. Being a Linux user, this was impossible in my case! Luckily for me, I could identify their desktop application as the one from EMC Corporation called RSA SecurID. The application was also available for mobile phones. However, there was a catch. I could not directly use the token provided by the bank with the mobile app. Fortunately, EMC provided a token converter with which I could make the token mobile-compatible. With this arrangement, I could generate codes on my Android phone. Later I contacted the bank regarding this, and after a few days they wrote to me stating they have started providing tokens which can be used on mobile phones!
Note that all the 2FA methods/facilities mentioned above come free of cost from the banks. So opt for them and be assured about the safety of your hard-earned money.
How many of you are already using 2FA for banking and since when? Share your experiences with us through comments.