Why Most Major Canadian Banks Don’t Use 2FA

It's now a familiar story: a massive data breach leads to the theft of thousands, or even millions, of passwords. Before long, these stolen credentials are posted for sale on the dark web. Even if they're encrypted, criminals can sometimes still crack the code. Soon, your account is compromised.

In this kind of environment, two-factor authentication (2FA), can help mitigate risk for the user. This security feature is available through many private websites, and it's almost taken for granted for some bank users around the world. With few exceptions, however, most Canadian banks don't use 2FA.

Canadian "big five" banks that have limited or no 2FA in Canada:

  • Scotiabank (available internationally, but not in Canada).
  • Royal Bank of Canada (unusual activity, spending over the limit).
  • Bank of Montreal (investment transactions).
  • CIBC (account management activity).

Canadian "big five" banks that have 2FA as a standard feature:

  • TD.

So far, the Canadian government has chosen not to require banking institutions to offer their customers 2FA for every login. Left to their own devices, Canada's banks seem hesitant to widely roll out 2FA at the moment. For one, implementing and maintaining the feature, among the other security features they already employ, can be costly, and some users might find it to be an inconvenience, particularly those who have limited access to technology and who live in underserved rural areas.

What Exactly Is 2FA?

This increasingly popular, and often standard, security feature requires the user, after entering their login credentials including a password, to verify their identity through a second factor.

Very often, this means the user will receive a short code on their mobile phone via SMS that they then have to enter on the website. Other forms of 2FA can involve emailing a code, using an authenticator app or processing biometric data.

2FA can help mitigate risk for the user, but is it worth the cost and the potential inconvenience?

Is 2FA Vulnerable?

Like other security features, 2FA does have vulnerabilities. Kevin Mitnick of KnowBe4 demonstrated to CNBC how a phishing attack can be used to bypass 2FA. When the user clicks on the malicious link, they're directed to a legitimate website through the attacker's server. The user then logs in, using 2FA, but the hacker has the cookie, and they now have access to the account.

Where Does 2FA Excel?

Despite this vulnerability, the user's account is not weaker because of 2FA. This feature is still an asset. For starters, many email services can intercept phishing attempts before they even reach the user, and 2FA still stops malicious users from accessing others' accounts with just a username and password. Google, in a study with New York University and the University of California, San Diego, found that verifying the user's identity with an SMS code blocked 100% of automated bot attacks, 96% of bulk phishing attacks and 76% of targeted attacks.

On your website, offering 2FA in the form of a mobile code sent to the user via SMS can be a great way to demonstrate the professionalism of your digital experience and to show that you value your users' security.

Swift SMS Gateway has served over 200 million authentication PINs for just one of our clients. We'd love to share our expertise with you today.