India Reserve Bank drops two-factor authentication

The Reserve Bank of India has removed two-factor authentication — involving the use of one-time passwords sent to mobile phones — for online card transactions up to Rs 2,000 (US$29), Live Mint reports. “Discarding two-factor authentication is an opt-in service, which means that customers will have to specifically opt for it.” The move follows the withdrawal of Rs 500 (US$7) and Rs 1,000 ($14) notes.

  • William Hugh Murray, CISSP

    “Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment.” –Robert H. Courtney, Jr. His First Law.

    While I am an advocate of strong authentication, requiring it to buy a hamburger is overkill. When I use my contactless card at McDonalds, McDonalds does not require a PIN.

    On the other hand, when I use a mobile banking app on my iPhone, the app inherits the strong authentication (possession of the phone and the phone PIN) from the phone. Therefore, the bank allows me to opt out of using a one-time password when banking from that device (which the bank knows).

    Note that, like most things about consumer strong authentication, whether