In online commerce, similarly, multi-factor authentication (MFA) is being used to achieve the same level of assurance as in the card-present case. The authentication factors used include:
- What you have (the payment card): weak as a factor on its own, since card data can be copied, unless a card reader is also involved to prove the chip is present
- What you have (the cellphone / hardware token registered with your card)
- What you know (the PIN)
- Who you are (biometrics): used by some, with the potential for wider usage
- One-time password (OTP) / signature code: the user types it in like a password, but what it actually proves is possession of the device that generated or received it, so it is a possession factor rather than a separate knowledge factor
Unconnected Chip-n-PIN readers are being endorsed by the payments associations and deployed by European banks to generate OTPs (one-time passwords) for secure access to online banking sites. The simplicity of an unconnected reader is its main security property: it has no link to the PC, so malware on the PC can neither read the card nor tamper with the code. However, an additional device to carry around when you travel (or otherwise) is not terribly convenient. And a plain OTP still leaves the Adversary/Man-in-the-Middle (MITM) problem: a phishing site or malware sitting between user and bank can relay a freshly generated code to the real site and submit a different transaction with it. The code only defeats relaying if it is computed over the transaction details (beneficiary, amount), so that the bank can check what the user actually approved.
Using SMS as an alternate delivery channel is another option (it saves the cost of deploying readers and the hassle of carrying them around). The bank sends the OTP or Transaction Number (TAN) to the registered cell phone, and the user enters it at the online site. For those who don't care for cell phones and/or SMS/text messages, an IVR (interactive voice response) variant, in which an automated call reads out the code, is also used.
Hardware tokens, either the unconnected kind or the USB kind, are also used, but they are not in the same class of security solution, because no knowledge factor (PIN) is involved: whoever holds the token can generate the code.
The emerging consensus, having looked at the alternatives above, is that a hardware-based solution over an alternate channel should be used to generate or deliver the additional authentication factor (what you have). See related posts here and here.
There are varied opinions about the usability and security profile of these offerings, including:
- Does a Chip-n-PIN reader put a user at physical risk?
- Is SMS safe enough? (SMS is a non-confidential, plain-text channel, so the code is only as safe as the path to, and the handset of, the registered phone.)
- Are smart phones safe enough?
- Should one of the authentication factors be sent over an alternate channel, e.g. the user returns the OTP or TAN via SMS rather than through the browser, to thwart MITM attacks? (This only helps if the code carries the transaction details; otherwise an attacker controlling the browser session simply waits for the bank to accept the out-of-band code and substitutes his own transaction.)
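To make the relaying caveat from the reader and alternate-channel discussions concrete, the following Python is an added example that is not part of the original post or any bank's code. It simulates an unconnected reader in two modes, a plain OTP ("identify") and a transaction-bound code ("sign"), a bank that verifies them with a counter window, and a MITM that forwards the user's code with altered transaction details. The secret key, account identifiers and amounts are constructed sample values, and the transaction-binding construction is an HOTP-style (RFC 4226) illustration, not any real card scheme.

```python
"""Added example (not from the original post): an unconnected card reader
that produces one-time codes for online banking, the bank that checks them,
and a man-in-the-middle that relays the user's session. The secret key,
account identifiers and amounts are constructed sample values; the code
derivation is an HOTP-style (RFC 4226) illustration, not a real card scheme."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_code(secret: bytes, counter: int, beneficiary: str, amount_cents: int) -> str:
    """'Sign' mode (assumed construction): beneficiary and amount are mixed
    into the key, so the resulting code is valid only for that transaction."""
    challenge = f"{beneficiary}:{amount_cents}".encode()
    bound_key = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hotp(bound_key, counter)


class Reader:
    """Unconnected reader: holds the card secret and a counter; never talks to the PC."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def _next(self) -> int:
        c = self.counter
        self.counter += 1
        return c

    def identify(self) -> str:
        # Plain OTP: proves card + PIN are present, says nothing about the transaction.
        return hotp(self.secret, self._next())

    def sign(self, beneficiary: str, amount_cents: int) -> str:
        # The user keys beneficiary and amount into the reader before generating.
        return transaction_code(self.secret, self._next(), beneficiary, amount_cents)


class Bank:
    """Server side: same secret, plus the last accepted counter to stop replays."""
    LOOKAHEAD = 10  # tolerate codes the reader generated but the user never submitted

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def _verify(self, presented: str, expected) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.LOOKAHEAD):
            if hmac.compare_digest(expected(c), presented):
                self.last_counter = c  # consume the counter: the same code cannot be replayed
                return True
        return False

    def accept_plain_otp(self, beneficiary: str, amount_cents: int, otp: str) -> bool:
        # Transaction details play no part in the check: any transaction can ride on a valid OTP.
        return self._verify(otp, lambda c: hotp(self.secret, c))

    def accept_signed(self, beneficiary: str, amount_cents: int, code: str) -> bool:
        return self._verify(code, lambda c: transaction_code(self.secret, c, beneficiary, amount_cents))


def mitm_demo():
    """Returns (plain_otp_relayed, plain_otp_replayed, signed_relayed, signed_honest)."""
    secret = bytes.fromhex("0123456789abcdef" * 4)  # constructed card secret
    reader, bank = Reader(secret), Bank(secret)
    intended = ("ACC-FRIEND", 5000)   # the user wants to pay 50.00 to a friend
    diverted = ("ACC-MULE", 500000)   # the MITM substitutes 5000.00 to a mule account

    # Identify mode: the attacker forwards the user's OTP unchanged with altered details.
    otp = reader.identify()
    plain_relayed = bank.accept_plain_otp(*diverted, otp)    # fraud goes through
    plain_replayed = bank.accept_plain_otp(*diverted, otp)   # but the OTP cannot be reused

    # Sign mode: the code is bound to what the user typed into the reader.
    code = reader.sign(*intended)
    signed_relayed = bank.accept_signed(*diverted, code)     # recomputed for altered details: mismatch
    signed_honest = bank.accept_signed(*intended, code)      # the user's own transaction verifies
    return plain_relayed, plain_replayed, signed_relayed, signed_honest


if __name__ == "__main__":
    print(mitm_demo())
```

Running it yields `(True, False, False, True)`: the relayed plain OTP is accepted for the attacker's transaction (and only its replay is refused), whereas the transaction-bound code fails for the altered details and passes for the one the user approved. The counter look-ahead is the usual way to tolerate a reader that is a few codes ahead of the server; it is deliberately small so a lost reader does not hand an attacker an unbounded window.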
[10Aug09]: Interesting related post from Finextra (link)