
Most UK banks failing to protect online customers with two-factor authentication

UK consumers' association Which? has hit out at much of the banking industry for failing to protect online customers with two-factor authentication (2FA).


Which? says that seven out of Britain's top 12 online banking providers do not offer 2FA, despite having the technology to do so.

The guilty parties are named as the Co-operative Bank, Clydesdale and Yorkshire Bank, Lloyds Bank (and sisters Bank of Scotland and Halifax), Metro Bank, NatWest and RBS, Santander and TSB.

Which? argues that this is dangerous in an era where crooks can glean valuable information about people from social media, rendering passwords less safe.

Things could be about to change, with more payment providers likely to adopt 2FA ahead of new ‘strong customer authentication’ regulations, due to be introduced from September.

Stuart Rye, director of business development, financial services, Fujitsu UK, says banks are under increasing scrutiny from both customers and the government.

"While we don’t expect biometric adoption to happen overnight, many organisations looking to digitally transform will find themselves reevaluating their current systems and investing in more efficient and effective measures," says Rye.

Overall, Which? ranks first direct as the top bank website, based on an evaluation of five factors: login, encryption, account management, navigation, and logout.

First direct scores 76%, ahead of its owner HSBC on 73% and Barclays on 68%. At the bottom of the table are Metro on 52%, NatWest on 53% and Santander on 54%.


Comments: (8)

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

What will happen to third-party PFM apps like Money Dashboard if the culprit banks implement 2FA via, say, Mobile OTP? Will the PFM app still work? If it stops working, will consumer advocates praise the said banks for improving security for implementing 2FA? Or will they diss them for being anti-competitive by blocking access to the PFM, the way AmEx is getting panned for blocking access to Curve?

Hitesh Thakkar Technology Evangelist (Financial Technology) at SME - Fintech startups (APAC and Africa)

2FA using Mobile OTP is a common implementation, whereas the emphasis in this post seems to be inclined towards biometric authentication (Fujitsu UK, which is a leader in palm vein biometric authentication :))

Of course, face- and voice-based authentication can be explored as a second factor rather than good old OTP.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Even if Face or Voice is used as the second factor for 2FA, PFM access would get disabled. My comment remains.

A Finextra member 

Biometrics is certainly an option, but there are also cryptographic solutions with higher levels of assurance available. One thing always worth noting on this topic is that OTPs are not 2FA (they're 2SV) and should be avoided, as they're effectively the next worst thing after just a password. 

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Mobile OTP is listed as a 2FA technique by Google Snippet, Wiki and at least one more top search result. Besides, it's used widely by many leading websites as a way of providing 2FA.

So, while I'm no fan of Mobile OTP and I might even consider it to be worse than password, I respectfully disagree with the notion that Mobile OTP is not 2FA. Of course, it is.

In any case, this has nothing to do with Mobile OTP but any type of 2FA technique.

My basic question bears repeating: If a PFM stops working because a few banks have implemented 2FA, will consumer advocates praise the said banks for improving security by implementing 2FA OR will they diss the said banks for being anti-competitive by blocking access to the PFM?

A Finextra member 

2FA refers to two identity factors being used, while OTPs use only one factor, twice. Happy to debate it, but of course, what it's called isn't the point, though it is in the interest of service providers to refer to OTPs as 2FA, because it sounds better.

With regards to PFM: what is more important? Protecting your money, or managing it? If the concern is that necessary security will drive customers away, then it's worth considering that customers having their data and money stolen are likely to leave much faster.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Uh oh, I think I understand the source of confusion. I mentioned in an earlier comment about Face or Voice being used as the second factor for 2FA. I meant Mobile OTP in the same vein. Implicit is that Password is used as the first factor. Without that, even Biometrics will only be one factor and won't qualify to be 2FA.

A Finextra member 

Yes, you're right, Ketharaman, my misunderstanding.