For the past several months, we have been warning our customers in offline conversations that the “multi-factor” authentication methods employed by most banks these days is not true two-factor authentication. Its really nothing more than a glorified single factor. Its been our experience that examiners are not currently drilling into this, but with news like this its only a matter of time. My advice to any CIO, especially as the end of their first year’s contract with multi-factor vendors draws near, is to begin looking for alternate methods. Not only will examiners eventually require, its the right thing to do.

Even so, as we seem to preach all too often. True two-factor authentication is still no substitute for a well-developed (and ongoing) customer education program regarding the threats to online security.