Rick Strahl had a post with this title. I thought I'd share my story too. Somehow, we as consumers need to speak out to the banking industry and get them to change how this Multi Factor Authentication is being implemented.
On Christmas Eve, Fifth-Third bank turned on their new security feature that prompted me with "twenty questions." Here's what I sent to them after muddling through the questions and deciding what to put in.
The new security feature is terrible. The arbitrary questions provided are extremely irritating. No one will ever be able to answer the questions with the answers I provided, this is true. However, I will also be in that group. Things like "favorite cookie" change from time to time, and questions about my first boss--you expect me to consistently remember something like that? I was forced to write down my questions and answers even though you expressly said not to.
I recently read an article that told a similar story: http://www.ericsink.com/entries/Absurd_Customer_Service.html
It sure seems to me that you'd be better off asking the customer to provide their own questions rather than selecting from the absurd list that you are providing. Anything but what you've done though--this just ticked me off.
Here was Fifth-Third's response to me:
Dear Jeff Handley,
Thank you for choosing Fifth Third Bank. We apologize for this situation and are committed to meeting your expectations. The new Multi Factor Authentication is an added security feature that allows you to create a strong password. In addition, the questions you answer are an added security feature that will be used if you log on from a different computer or you forget your password. In the event you are unable to answer the questions, our Internet Banking group will contact you to verify your information and reset your profile.
Thank you again for informing us of your concerns and the opportunity to respond to this issue.
On the flip side, I recently had to create a new password at a different bank. I was blown away that their passwords MUST be 6-8 characters, with 7 letters and 1 number, and no punctuation or special characters were allowed. I could probably crack about a million passwords by hand with that limitation.
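To put a number on how much a rule like that shrinks the search space, here is a small calculator, added to this post as an illustration (it is not code from the author or from either bank). It reads the policy as "exactly 8 characters, 7 letters and 1 digit" and compares its keyspace with two looser 8-character policies; the alphabet sizes, the mixed-case variant, and the guess rate used in the printout are assumptions chosen for illustration.

```python
"""Count the search space a password policy leaves an attacker.

Added example for this post, not code from the author or the bank.
The policy modelled here is the one the post describes, read as
"exactly 8 characters: 7 letters and 1 digit, no other symbols".
Everything else (alphabet sizes, the guess rate) is an assumption
chosen for illustration.
"""
from math import comb, log2

LOWER = 26          # a-z
MIXED = 52          # a-z plus A-Z
DIGITS = 10         # 0-9
ALNUM = 62          # letters (both cases) plus digits
PRINTABLE = 94      # printable ASCII excluding space


def fixed_composition_keyspace(length: int, n_digits: int, letter_alphabet: int = LOWER) -> int:
    """Number of passwords of `length` chars with exactly `n_digits` digits
    and letters everywhere else.

    The digit positions can be chosen comb(length, n_digits) ways; each
    digit position has 10 options and each letter position has
    `letter_alphabet` options.
    """
    if not 0 <= n_digits <= length:
        raise ValueError("n_digits must lie between 0 and length")
    n_letters = length - n_digits
    return comb(length, n_digits) * letter_alphabet ** n_letters * DIGITS ** n_digits


def free_keyspace(length: int, alphabet: int) -> int:
    """Number of passwords of `length` chars drawn freely from `alphabet` symbols."""
    return alphabet ** length


def bits(keyspace: int) -> float:
    """Entropy in bits of a password chosen uniformly from `keyspace`."""
    return log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second


def compare_policies() -> dict:
    """Keyspace of the post's policy next to looser 8-character policies."""
    return {
        "7 lowercase letters + 1 digit": fixed_composition_keyspace(8, 1, LOWER),
        "7 mixed-case letters + 1 digit": fixed_composition_keyspace(8, 1, MIXED),
        "8 chars, letters+digits": free_keyspace(8, ALNUM),
        "8 chars, any printable": free_keyspace(8, PRINTABLE),
    }


if __name__ == "__main__":
    # Assumed rate for an offline attack on an unsalted fast hash; online,
    # rate-limited guessing would be many orders of magnitude slower.
    RATE = 1e9
    for name, space in compare_policies().items():
        print(f"{name:32s} {space:>22,d} {bits(space):6.1f} bits  "
              f"{seconds_to_exhaust(space, RATE) / 3600:10.1f} h at 1e9/s")
```

The point the numbers make is that telling the attacker exactly one position is a digit, and that nothing else is allowed, buys them a roughly 300-fold smaller space than an unconstrained 8-character alphanumeric password, and a far smaller one than 8 printable characters; composition rules that forbid characters help the attacker, not the user.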
I've never had to implement security to this level, but it seems like there should be a user-friendly yet secure approach.