How We Classify Banks

[jamcat22]

Currently, we classify a number of banks as having 2FA, when they only require it for certain transactions, not for logging in to their website. My question is whether or not we should change any of the banks listed below to tfa: No, add an exception to each of them, or find a way to include a transactional flag on the website.

Below is a list of banks that do not currently fall under our definition of 2FA, despite having the tfa flag set to Yes. I'm curious as to how everyone feels we should handle these types of situations with these banks and any additional ones going forward.

• Barclays UK's PINSentry doesn't qualify for our definition of 2FA, as their website shows that it is only required for certain transactions.
• Citibank Australia's OTP doesn't qualify for our definition of 2FA, as it seems that they only require it for certain transactions. Their website says:
  
• Commonwealth Bank of Australia's NetCode doesn't qualify for our definition of 2FA, as their website states that it's only required for certain transactions.
• first direct's Secure Key doesn't qualify for our definition of 2FA, as it can be bypassed using a password to login. Their website says:
  
• HSBC's Secure Key doesn't qualify for our definition of 2FA, as their website shows how you can choose the "Without Secure Key" tab when logging in to bypass 2FA.
• Nationwide Building Society's card reader doesn't qualify for our definition of 2FA, as the it can be bypassed using a password to login. Their website says:

You can still log in with your memorable data and passnumber, but by using your card reader you may reduce the number of times it's needed to confirm your online transactions.

• Natwest's card reader doesn't qualify for our definition of 2FA, as they only require the card reader be used for certain transactions. In fact, their website specifically says:
  

• Santander's SMS-based OTP doesn't qualify for our definition of 2FA, as they only require an OTP for certain transactions. Their website says:
  

• State Bank of India's OTP application doesn't qualify for our definition of 2FA, as they only require an OTP for certain transactions.

[mxxcon]

Yup, I say all of these updated as tfa: no.
And perhaps add faq section that elaborates on differences between authentication and authorization?

[zD12]

You're right. These don't qualify as two-factor.

[jimsug]

I've had a look at the list of banks... seems very hit and miss, and the vast majority (but certainly not all) utilise some kind of step-up authentication and that we'll have a long, long list of banks that have this. I suspect that without further explanation, attempts to petition these banks to change it will fall on deaf ears. Their staff aren't trained on the difference, or why it matters (and they'll probably just say "we do use two-factor authentication".

Any thoughts on adding adding a stepup property? This would indicate that the service requires a second factor only for certain actions, and perhaps with a link to further information on the difference (this Quora answer actually does a decent job, IMO), and why two-factor authentication is preferable to this.

[indolering]

I disagree that not requiring 2FA in some scenarios "doesn't qualify as two factor":

• Allowing low risk actives without 2FA reduces user inconvenience and boosts adoption of 2FA. Not everyone has a hardware token on each machine and multiple backups. And even with those enabled, my GF complains about all the 2FA I have forced on her accounts.
• Requiring 2FA for high risk transactions could be used to create a finer grained security model, as malware (etc) can't perform arbitrary transactions after logging in.

2FA shouldn't just be an improved sudo command with arbitrary access to an entire system, it's better if we scope capabilities to specific tasks.

Mandating which tasks is tricky and probably best figured out by a standards body, not an ad-hoc site run by volunteers. That sort of granular detail is probably best expressed as a grading system, not a binary yes/no.

[mxxcon]

Perfect example of confusing authentication and authorization.