I’m a Wells Fargo customer, and they did a pretty bad job of explaining that they were rolling this out to their customers, if you ask me, because I found out from my RSS feeds, not an email, mailer, or notification through their phone app.
But I love it.
ATM cards have been a very early and good example of two-factor authentication (2FA). You know, that thing that websites ask you to do? Like get a text message when you sign in so there is an extra step to protect your account.
2FA is typically two parts:
- Something you know (a password)
- Something you have (a pre-authenticated phone, a thumb print, a physical token)
The password for an ATM is your PIN and the token you have is the ATM card. However, the card isn’t that great of a token. Not only can it be lost or stolen easily, it can be stolen while you still have it. Check out Krebs on Security’s post “Why I Always Tug on the ATM.”
This week I went through the process of getting money out of a Wells Fargo ATM without using a card. The first time I used the Wells Fargo app for the process, it sent my phone an authentication text message, which I think is a casual way of re-verifying that the device is, in fact, the one that I’ve already authenticated with my username, password, and Touch ID. After that, it generated a 10-digit number that is valid for the strangely long time of 30 minutes (I’d have thought that 30 seconds would have been the right choice). That 10-digit number serves as a one-time password (or an OTP, as we call it in the biz), which must be paired with the defined and existing PIN on your checking account to function. Once it’s used, that number will not function again.
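The one-time code flow described above, sketched as an added example; it is not Wells Fargo's implementation and not code from the original post. The class name, the account identifier and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30 * 60   # validity window described in the post
CODE_DIGITS = 10             # code length described in the post

class CardlessAccessCodes:
    """Hypothetical issuer/verifier; dicts stand in for the bank's backend."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be exercised
        self._pin_hashes = {}      # account -> (salt, PIN hash)
        self._pending = {}         # account -> (code, expires_at)

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, account, pin):
        salt = secrets.token_bytes(16)
        self._pin_hashes[account] = (salt, self._hash_pin(pin, salt))

    def issue(self, account):
        # Assumed to run only after the app session and device are verified.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = (code, self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, account, code, pin):
        """True only for an unexpired, unused code together with the right PIN."""
        entry = self._pending.get(account)
        if entry is None or account not in self._pin_hashes:
            return False
        stored_code, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[account]       # expired: discard the code
            return False
        salt, pin_hash = self._pin_hashes[account]
        # Constant-time comparisons; both factors are always evaluated.
        code_ok = hmac.compare_digest(stored_code.encode(), code.encode())
        pin_ok = hmac.compare_digest(pin_hash, self._hash_pin(pin, salt))
        if code_ok and pin_ok:
            del self._pending[account]       # single use: burn on success
            return True
        return False
```

A production verifier would also cap failed attempts per code and per account; that is left out here to keep the two-factor and single-use logic visible.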
I hope more banks do this, even though I rarely ever use cash. That’s going the way of the dinosaur eventually.