For months, E-Trade had been pestering me to take advantage of their new multifactor security system for accessing my accounts on their site. And I’d resisted. Honestly, my financial sites are about the only ones where I make an effort to create passwords that would be difficult to crack. But they still make me nervous.
That’s why I’d avoided using Yodlee-powered account aggregation tools to track my accounts at multiple sites. (I’d get set up and then have night-sweats imagining all my accounts being drained simultaneously by some Yodlee-defeating hacker. The next day, I’d kill the Yodlee account in a panic. Yes, this has happened more than once.)
It’s also why I like that my credit-card issuer now takes the “Is This Your Image?” approach to security. It’s not perfect, but I feel better.
I used to use the Greasemonkey-based Password Composer to create unique passwords for my banking sites, but a few security flaws in the system caused me to drop that fun little tool.
But then came the dongle option. I had to admit, it looked cool. But years ago, my wife had to use one of these same kinds of “time synchronized security key” gadgets (though hers was the size of a pager–mine fits nicely on my keychain). I remember it as being clumsily integrated, unreliable, and simply a pain to deal with on a regular basis. So I wasn’t sure I wanted to tie my banking to such a device.
Hang around Scott Berinato enough, however (he’s a senior editor at our sister site, CSOonline.com), and you’ll begin to get seriously paranoid about online banking. So I took the plunge and ordered the security dongles. They sat on a shelf for a couple weeks before I finally activated them. But after I did, I felt…relieved. The integration with the standard login is easy enough. You just enter your username and then tack the current six-digit number from the dongle onto your existing password. It’s simple, and it hasn’t failed since.
It does mean that I can’t use those account aggregators anymore, but they scared me anyway. And there’s something kind of calming about having the security ID on my keychain. In fact, it makes me wish that I could sync the same token to other accounts. (Having one of these on my keychain is fine–but if I needed a dozen, I’d need bigger pockets.)
I keep waiting for the key to cause me a “bad experience,” but so far, I’ve been pleasantly surprised. What do you know; a technology that actually seems to work as advertised!
(For more on E-Trade, take a look at Susannah Patton’s recent story on what makes the online bank tick.)