Data security co Vasco says 2-factor authentication 'obsolete'

Nasdaq-listed Vasco Data Security has said the SMS-based two-factor authentication followed in the country is "obsolete" and banks need to move on to other technologies.
Banks are looking at the SMS-based two-factor authentication mandated by the RBI as nothing more than "a security tick box" and the system has become "obsolete", Vasco regional director for India and Asia Pacific Dan Dica told PTI here today.
The remarks come amid a debate domestically, wherein some quarters are blaming RBI for being too conservative for mandating the two-factor authentication to all online transactions. Citing global practices, they say RBI should make small-ticket transactions go on single-factor authentication.

Dica pointed to the practices of the Monetary Authority of Singapore which mandates two-factor authentication, both at the time of login as well as for doing transactions.
He also said there are various security hazards like SIM card-cloning which can lead to troubles for banks.
The alternatives, he said, are in hardware tokens which generate numbers without being connected to any network or use QR codes.

To maintain costs at low levels, and with the lower penetration of smart phones, Dica said there are solutions for low-cost feature phones as well and added that his company does not sell SMS-based applications.

It sells only the applications which are safer and has engagements with a majority of foreign lenders like Standard Chartered, HSBC and Citi, but the domestic banks which control over 95 per cent of the business, are yet to adopt it.
One of the reasons for this may be RBI's ambivalence on the issue, he said, but stressed that in Indonesia banks have proactively adopted safer solutions without it being mandated by the regulation.
The company has been operational here for the past eight years and has seen a 30 per cent annual growth, Dica said, declining to give his projections.