Single factor authentication (usually with "something you know", usually a password) is not particularly secure.
In banking, it is common to use two-factor authentication with "something you know" and "something you have", usually a combination of a plastic card and a PIN that you know. Older forms of online banking use TAN lists, where "something you have" is the paper list. Theoretically, you could argue that a TAN is something you can know, but in practice nobody keeps a list of 100 TANs together with their serial numbers in their head.
Recent online banking schemes rely on the fact that most people own a smartphone, and use the smartphone as "something you have". Benny Skogberg described one way to do this. My bank lets me register a mobile phone number with them and then sends an mTAN, valid for a single transaction, to this number via SMS. This can be safer than a single factor, but it is not foolproof.
The problem is as old as security itself: two factors are always more cumbersome than a single factor, and ease of use suffers. A single factor is not particularly secure and is often broken if the thief has the right motivation (e.g. access to a bank account or a celebrity's inbox). There are hundreds of ways to implement proper two-factor security, and most of them have the same ease of use as your online password plus paper TAN list. By definition, no variant for mobile devices can be more user-friendly and still remain secure, since two factors apply:
- You need a physical item that cannot be duplicated. You need to have it with you whenever you want access.
- You need a large amount of high-entropy information, AND it must not be noted down or stored near your physical object.
So you always have to either deal with the cognitive effort of remembering a long password, or carry an encrypted note with you on a notepad that is separate from the item you use as your "something I have" factor. Both variants mean low usability and high security.
Examples of the insecurity of modern, convenient two-factor systems:
It becomes a single factor when the phone's browser stores passwords, which is the default, or when there is a banking app that does not require a PIN when started on a registered phone (which may be the case in Benny Skogberg's example; I didn't get this detail). Imagine a thief stealing my phone, unlocking it by looking at the smudges my finger left on the touchscreen, and launching the browser. If my online banking website is in the history and the password is saved, the mTAN is sent to the phone that the thief is holding.
In Germany there were cases in the past year in which fraudsters requested a second SIM card with the same phone number from the victim's mobile operator and had it delivered to their own address. They could then conduct online banking through the victim's account and use a phone with this second SIM card as the "something I have" factor (the password had been obtained through phishing, trojans and the other usual methods). This worked because the mobile operator would accept a faxed request for a second SIM card without making sure that it came from the rightful owner of the mobile contract. Nothing was reimbursed to the victims because the bank said the mobile operator was responsible and the mobile operator said the bank was responsible.
Incidentally, the old TAN-on-paper system would not be secure for cell phones either, because if you have a list of TANs in your wallet, there is a high probability that anyone who steals your phone will also get your wallet.
Sadly, if you want something reasonably secure, you have to give up a lot of usability. The banks seem willing to compromise on security instead.
Addendum: There are actually three possible factors, not two. The third is "something you are". Although it is considered safer because it cannot be reproduced the way "something you know" can, there are no commercially viable methods for use in automated environments with today's technology. Some solutions have languished as niche technology for years and may still spread once they are mature and gain wide acceptance, as was the case with tablet computers. For example, I have seen fingerprint readers in the wild. Not only are they expensive, they are also not precise enough. Face recognition systems are notorious for false positives (hold a printed photo of your victim in front of the camera) as well as false negatives (imagine you wake up with a face swollen from a root canal infection and are unable to log into the highly secure system, because of your healthcare provider's data protection system). Voice fingerprint technologies are also easy to fool with recordings, and refuse you entry if you have a bad cold. Currently, a living person has to confirm your identity by looking at the picture on your identity card. We are likely to be stuck with the other two factors for online banking for many years to come, which is sad, because a fingerprint reader is much more convenient than having to worry about a plastic card or a keychain for one-time token generation (which is the modern, secure version of the paper TAN list).
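As an added illustration of the "mTAN valid for a single transaction" scheme described in the answer above (my own example, not the bank's or any real system's code; the account and payee strings are constructed), here are the server-side checks that make such a TAN single-use, time-limited and bound to the exact transaction it was issued for. None of this helps when the phone receiving the SMS is already in the thief's hands or a second SIM has been issued to the fraudster, which is precisely the answer's point.

```python
import secrets
import time


class MtanIssuer:
    """Server-side model of per-transaction mTANs (constructed example)."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now      # injectable clock, handy for tests
        self._pending = {}  # (account, tan) -> (amount, recipient, expiry)

    def issue(self, account, amount, recipient):
        """Create a 6-digit TAN bound to one transaction.
        A real bank would send it by SMS to the number registered
        for ``account`` instead of returning it to the caller."""
        tan = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account, tan)] = (amount, recipient, self.now() + self.ttl)
        return tan

    def verify(self, account, tan, amount, recipient):
        """Consume the TAN; True only for the transaction it was issued for."""
        # pop() removes the entry whatever the outcome: one attempt per TAN,
        # so a wrong guess or a tampered transaction burns the TAN
        record = self._pending.pop((account, tan), None)
        if record is None:
            return False  # unknown TAN, wrong account, or already used
        exp_amount, exp_recipient, expiry = record
        if self.now() > expiry:
            return False  # outside the validity window
        # the TAN only authorises the amount/recipient it was generated for
        return (amount, recipient) == (exp_amount, exp_recipient)


def demo():
    """Walk through the cases a per-transaction TAN must handle."""
    clock = [1000.0]  # fake clock so expiry is deterministic
    bank = MtanIssuer(ttl_seconds=300, now=lambda: clock[0])
    acct, payee = "DE-ACCT-1", "DE-PAYEE-9"  # constructed sample values
    tan = bank.issue(acct, 250.00, payee)
    correct = bank.verify(acct, tan, 250.00, payee)
    replay = bank.verify(acct, tan, 250.00, payee)  # same TAN a second time
    tan = bank.issue(acct, 250.00, payee)
    wrong_amount = bank.verify(acct, tan, 9999.00, payee)  # amount tampered
    tan = bank.issue(acct, 10.00, payee)
    clock[0] += 301  # step past the 300 s validity window
    expired = bank.verify(acct, tan, 10.00, payee)
    return {"correct": correct, "replay": replay,
            "wrong_amount": wrong_amount, "expired": expired}
```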