Secure Online Authentication: Why US Financial Institutions Must Do Better
In today's digital world, secure online authentication builds trust with consumers. When websites and services adopt modern security standards, people feel safe even when headlines report data breaches leaking passwords or personal details. However, many US financial institutions are falling behind, putting their customers at risk.
The Problem with Outdated Security
US financial institutions, once trusted community pillars, are losing credibility. Many are unwilling or unable to upgrade their authentication methods. Instead, they push consumers toward online solutions with weak security. Banks often rely on simple passwords and one-time passcodes sent via SMS, a system vulnerable to phishing scams and SIM swaps (where attackers hijack a mobile phone number). Some even use outdated security questions, like "What's your mother's maiden name?" Those details are often exposed in past breaches, making them useless for protection.
The High Cost of Inaction
This failure has a real price. While banks rarely share exact figures, estimates suggest that outdated authentication costs the US between $2 billion and $10 billion each year. For consumers, the losses are devastating: drained bank accounts, fraudulent loans, and ruined credit. Many never recover from these setbacks. These aren't just statistics; they're stories of real people harmed by preventable failures.
Why the Delay
Banks cite various excuses: old systems, confusing regulations, or the expense of upgrades. Yet we've seen large-scale change before. Credit card companies once pressed retailers to adopt chip technology to reduce fraud. If it worked then, it can work now. What's missing is pressure from us, the consumers.
Solutions We Should Demand
As users of these services, we can push for better security. Financial institutions should adopt these modern methods:
- Passkeys: A modern, passwordless, phishing-resistant option.
- Support long, complex passwords: Tougher for attackers to guess or brute force.
- TOTP 2FA: Time-based one-time codes from authenticator apps like Enteio Auth, not SMS.
- Support alias email addresses: Unique to each service, reducing phishing risks.
- Support VoIP numbers: Separate from known mobile phone numbers, adding extra safety.
These steps would make phishing and SIM swaps far less effective, protecting our financial security.
Take Action Now
We can't wait for banks to act on their own. Contact your financial institution and ask when they'll support passkeys or TOTP 2FA. Advocate for laws that require stronger security. Together, we can demand the protection we deserve.
Learn more about Passkeys at the FIDO Alliance at https://fidoalliance.org/passkeys