Poor security practices [of 3rd parties]

@numpty I’m not sure I completely agree with your perspective and I disagree with your math.

As for the 49 positions, it seems to me that this is to increase the total number of possible cards and reduce the likelihood of duplication. I'm sure it also helps mitigate the risk of a replay attack. However, unless my math is wrong, it does not play a role in calculating the number of permutations.

I’ll be conservative and assume that the requested characters are taken from a pool of 36 (10 digits and 26 lower case letters). The number of permutations would be 36³ = 46656 (15.5 bits of entropy). If the card includes both uppercase and lowercase letters as well as digits, it becomes 62³ = 238328 permutations (17.9 bits of entropy). In NIST Special Publication 800-63 "Electronic Authentication Guideline", they explicitly state that a 3-character password chosen randomly from "the 94 printable ISO characters on a typical keyboard" has an entropy of 19.8 bits. So the security depends mostly on the richness of the character set in use and has almost nothing to do with the dimensions of the matrix.

Let’s compare with a six-digit TOTP: a six-digit number has 10⁶ permutations (20 bits of entropy). So this is very close to the 94-character possible variant of the printed card.

The big advantage of the plastic card is that it is a challenge-response mechanism. Each prompt would request a different sequence of characters. If you guess wrong, the system would prompt for a new sequence. It essentially expires immediately upon use, whereas Time-based OTP is typically valid for a 30-second interval. Presumably, if a client had someone brute forcing their second factor, the system would disable the account and require the client to visit a branch to provide ID and change the password.

The card also has the real-world advantages of being cheap to produce and easy to replace. Plus, it doesn’t require clock synchronization, doesn’t need a battery, and is impossible to hack into. The real-world disadvantage is that for online registration, the user must wait to receive the card via mail (or courier) before being able to start using 2FA, so it would not be very practical for this purpose.

IMHO, it is a reasonably good safeguard... with its own set of trade-offs.

Agreed. I’m seeing slow 2FA adoption in Canada. My bank is rolling out SMS 2FA now. Previously, their so-called 2FA was password and stored cookie. If you tried to login from a new location, you would be required to answer one of your security questions. So in reality, this boils down to something I know and something I know, which is still 1FA. So, SMS 2FA is a big improvement, but we’re still very far from where we want to be. I suppose that the banks’ challenge is how to deal with customers without smart phones.

In contrast, a coworker who emigrated from The Netherlands had a USB token to establish the second factor. I felt very backward when I saw how advanced the systems were in Europe. Frankly, I think the banks make enough money off of us that they can afford one of these per customer without batting an eye.

@brenty,

Huh. I never would have even thought to consider that as two-factor authentication. But maybe some banks do. It's something I think all of mine use. Just never imagined it might be presented that way.

In principle, it sounds good. Having the cookie, in theory, means having possession of my laptop/phone/device. The thing that really makes it flawed is the fallback authentication to security questions (a dictionary word password with a hint). To be fair, I'm not sure that position was ever, strictly speaking, official policy; it was a response from a service representative to a question about 2FA on their Q&A forum. It appears that the original post has since been taken down... and replaced with a lot of hype about "Two-Step Authentication" (which is just SMS 2FA, sigh). I suppose it just means that the onus is on the customer to ensure that they have a good, strong, unique password and to protect it well.

Yes, cookies are weak authentication. Security questions are weak authentication. SMS Two-Step is fair, by comparison, but still weak. But this is my bank. When they are leaving me with what amounts to 1 factor authentication, they are placing the burden on me to ensure it's a darn good one. And that's not right.

Mind you, I'm old enough to remember these things called "cheques" where an ink scribble was sufficient "authentication" to withdraw money from my account. :p

I'm afraid I've committed the cardinal sin of highjacking @numpty's thread. Oops. Sorry.

In principal, it sounds good.

I realized too late that it should have been "In principle", and I have insufficient privileges to go back and edit it.