Initially, banks said we needed two-factor authentication to secure our online banking transactions.
It began with a one-time password (OTP) sent to our mobile phones, subsequently reinforced with physical tokens as, presumably, mobile phone OTPs could be intercepted or phones hacked.
Fast forward to today, and DBS Bank has joined other big banks in dropping the physical token from online banking.
So to recap:
Before: Online banking on personal computers had to be authenticated by user identification (user ID) and password, and OTP on a phone or physical token.
Now: Online banking on mobile phones is done with password or phone bio verification only. User ID is saved in the banking app for convenience. And the phone is the de facto digital token.
Am I missing something when I conclude that online banking security is now contingent on not having one's phone hacked and not losing the phone?
Teo Hoon Seng