I recently sent the following letter to my bank.
I just took three tries to remember the answer you expect to your "security question". (Do you want the make of the car? The model? Both? "The car mom took back after that accident"?)
Two-factor authentication requires input from at least two of three categories: Something the user knows; Something the user has; and Something the user is.
Category 1 is my password, my mother's maiden name, and the recipient of my first kiss.
Category 2 is my driver's license, a single-use key fob, an ATM card, or my phone.
Category 3 involves my appearance, voiceprint, fingerprint, or the pattern of retinal arteries on my right eye.
Your "security question" asks for a second item from category 1, so is not two-factor authentication. Asking for more than one item from one category is no more secure than just asking for a password, and it's greatly irritating to the legitimate users. Other banks have defended this as an "industry-standard" practice. "Industry-standard" or not, it's wrong. To paraphrase a question Mom used to ask me, if every bank jumped off a bridge, would you jump too?
Please remove the ineffective security question, and implement real two-factor authentication for online banking. (You already have effective two-factor authentication for in-person and ATM transactions.)
Yes, I would like a response, please; not a pro-forma apology and a promise of further consideration. I have real concerns regarding the security of my data.
References:
Federal Financial Institutions Examination Council standard for authentication
http://www.ffiec.gov/pdf/authentication_guidance.pdf
Industry article decrying fake two-factor authentication
http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx
Vendor of single-key generators
http://www.vasco.com/products/digipass/digipass_go_range/digipass_go6.aspx