Easy migration to a 3 Factor Auth System

Migrating an electronic banking system from two-factor to three-factor authentication.

Nowadays, almost all of the e-banking systems in Spain have already switched to a two-factor authentication system based on:

  1. a PIN
  2. a Token Card (Tarjeta de coordenadas, a card with a matrix of numbers printed on it; the system asks the user to enter the numbers found at random positions)

For almost every human it is quite hard to remember an unrelated sequence of random numbers, which is why most users still write their PIN down and keep it together with the card, or choose easy numbers such as birthdays. If the card is stolen, the thief can easily bypass the second factor, since the system only asks for the numbers at random positions and the card itself supplies all of them; once it is in the thief's hands it is useless from a security point of view.

I propose an easy way to extend this system to a third authentication factor, simply by asking for one extra number from the token card when logging in.

The client should be given a method that is easy enough to remember without writing it down but hard to guess. This method should be chosen at random from a list, trying to distribute the methods evenly among all clients.

This method could be sent to the client over the same channel used to send the PIN.

The methods I propose should let the client select a cell from the card, increasing the security of the system; such methods could be similar to those detailed below:

  • Enter the first asked cell
  • Enter the cell corresponding to the current month
  • The same, but with the current day
  • Select the cell using the 3rd digit of your credit card number
  • etc.

These are just some examples that are easy to remember and hard to guess for anyone, since there is a large number of methods by which the extra number can be supplied to the system.
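To make the proposal concrete, here is an added example (not code from the original post) of the server-side check: the usual random-position challenge, plus the extra cell selected by the client's secret method. It assumes a hypothetical 40-cell card numbered 1..40 row-major, two of the page's methods (current month, current day) and a third, `after_first`, which is my own reading of "the first asked cell"; `candidate_extra_cells` shows the caveat that on dates where several methods point at the same cell, the extra factor gives a card thief nothing to guess.

```python
import datetime
import secrets

# Hypothetical card layout (assumption): ROWS x COLS cells numbered 1..40
# row-major, each holding a two-digit value. Real cards use their own labels.
ROWS, COLS = 5, 8
NCELLS = ROWS * COLS

def make_card(rng=secrets.randbelow):
    """Constructed sample card: one two-digit value per cell number."""
    return {n: f"{rng(100):02d}" for n in range(1, NCELLS + 1)}

# The client's secret "method" (the page's extra factor), stored server-side
# next to the PIN. Each maps (asked cells, today) -> the extra cell number.
METHODS = {
    "month": lambda asked, today: today.month,
    "day": lambda asked, today: today.day,
    "after_first": lambda asked, today: asked[0] % NCELLS + 1,  # assumption
}

def new_challenge(k=3, rng=secrets.randbelow):
    """Pick k distinct cells at random, as the existing coordinate-card step does."""
    asked = []
    while len(asked) < k:
        c = rng(NCELLS) + 1
        if c not in asked:
            asked.append(c)
    return asked

def expected_response(card, method, asked, today):
    """Values of the asked cells, followed by the cell the method selects."""
    extra = METHODS[method](asked, today)
    return [card[c] for c in asked] + [card[extra]]

def verify(card, method, asked, today, answer):
    """Server-side check; compare the whole transcript in constant time."""
    want = "".join(expected_response(card, method, asked, today))
    return secrets.compare_digest(want, "".join(answer))

def candidate_extra_cells(asked, today):
    """Cells a thief holding the card (but not the method) would have to try.
    If every method collides on one date, the extra factor adds nothing."""
    return {m(asked, today) for m in METHODS.values()}
```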

If you notice any weakness in this method, please email me.