In the year 2005, the Federal Financial Institutions Examination Council issued a guideline entitled Authentication in an Internet Banking Environment.

[ffiec.gov...]

The idea behind Two-Factor authentication isn’t too complicated. Simply (1) verify that a user knows something, and (2) verify that he physically has something. This could be done with a (1) name and password, and (2) one of those key fob things or even a print-out of one-time use codes.

Too be honest this is the first time I have heard of ANY bank implementing it. I am really excited to hear this is in play now.

Most banks, aren’t too happy with the requirement of implementing such 'costly' changes and instead chose to invent the "Wish-It-Was Two-Factor" authentication. In this method of authentication, they (1) verify that a user knows something, and (1, again) verify that a user knows something else.

Users are asked to pick from all sorts of different 'secret questions,' ranging from 'In what city is your vacation home?' to 'What is your second-favorite post-modernistic European novel?' if they’re lucky, users can actually remember what answers they gave and figure out exactly how they typed them in.

A recent study reported that 96% of U.S. banks are failing to implement the recommended Two-Factor authentication, opting instead for 'authentication methods that solicit confidential information from consumers.'

Glad to hear you bank with the one of the 4% who chose to do it right.

[edited by: Demaestro at 7:29 pm (utc) on Nov. 13, 2007]

Commerce Bank uses a four digit pin and the client's Social Security number for online banking - that has to be the most pathetic/insecure setup of any major bank.

CitiBank's be using key fobs for over a year I think, and PayPal implemented it several months ago, although neither absolutely require it. Citibank allows you to review your account, but not change information or wire money, without the fob key code, PayPal allows you to fully access your account without it (when you logon you can instead enter other security questions, or change your settings to bypass the fob key code after you logon).

anyone else got one

I have one, got it ages ago. It works ok, stick card in, press button, enter pin, enter code on website.

The only thing I find annoying is that I actually have to go and get my card when I want to log on.

You don't have to use it for setting up new payments yet I don't think.

Pin Sentry is a badly thought out nightmare.

I have to use it on my Barclays UK account, as 21 days after they send you the device (unsolicited) you are locked out of an online account unless you use it.

My wife and I use it on a joint account. Between us we have 6 various Barclays credit cards. Pin Sentry for, reasons unknown, only works on one of these cards.

It has to be a Barclays Debit Card (again for reasons unknown). But it will not work on Spanish Barcalys Debit card (again for reasons unknown). It will not work on the credit card for the account we are trying to access. The only one of the 6 cards we have that gets us into the joint account is a debit card in my wifes name, on a completely different account.

Barclays line management cannot explain the eccentricities of their system, as the department that sent out the PinSentry devices, never bothered to tell line managers what they were doing, and did not sent managers their own PinSentrys to try.

Result was for a couple of days I was locked out of the account, until we found out which card to use. The so called Barclays help line (in India) was rude and unhelpful. Our own UK branch had to call India to try to find out how we could access it.

I should add that we can access a Barclays International account and a Barclays Spain account without PinSentry.

In Germany we get sent a sheet of numbered "TAN" codes, and the system selects one at random to be inputted before any transaction is carried out. Seems to work quite well and doesn't involve any gizmos (which would be a pain take with me on trips, esp. for multiple accounts).