To date, authentication measures based on the second authentication factor—i.e., what a user has—appear to be relatively uncommon in the fund industry (although some brokerage firms do offer two-factor authentication). Such measures include the use of hardware tokens (such as the widely-used RSA SecurID token) or software tokens (in the form of text messages or mobile apps, such as the Google Authenticator app), which take advantage of the widespread adoption of smartphones. In considering the use of hardware or software tokens, fund groups may wish to consider, among other things, implementation costs and/or the anticipated degree of shareholder acceptance. For hardware tokens, for example, the cost of purchasing the tokens and providing them to shareholders may be significant.
Software tokens may address the cost issue associated with hardware tokens, but may be less secure because they potentially represent a single point of failure.[1] For example, a fraudster who uses a stolen mobile device to effect a transaction would not be thwarted if the same mobile device receives a text message with the additional authenticating information.[2] By comparison, where hardware tokens are used instead of software tokens, the fraudster would need both the stolen phone and the hardware token to effect a fraudulent transaction.