
Has your bank’s authentication changed?

The final deadline for banks to phase in stronger authentication passed earlier this month. Are the new requirements working for you?

If you have tried to log into your online banking recently, you may have noticed that you can no longer log in using only a username and password or memorable data.

This is because the deadline has recently passed for banks to phase out their older forms of authentication in favour of strong customer authentication (SCA).

Something only you know

The new security regime is designed to identify a customer in at least two of three ways:

💳 Something only you know, such as a password or PIN

💳 Something only you possess, such as a card reader or registered mobile device

💳 Something only you are, such as a digital fingerprint or voice pattern

Low-risk payments, such as direct debits, recurring payments or low-value payments, are either exempt or require less authentication.
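As an added illustration (not code from the article or from any bank), here is a small Python model of the two-of-three rule and the low-risk exemptions described above. The mapping of mechanisms to categories, the payment kinds and the low-value threshold are assumptions made for the example.

```python
from enum import Enum

class Factor(Enum):
    """The three SCA factor categories named in the article."""
    KNOWLEDGE = "something only you know"
    POSSESSION = "something only you possess"
    INHERENCE = "something only you are"

# Assumed mapping from the mechanisms the article mentions to a category.
# An SMS OTP counts as possession only while the SIM really is in the customer's hands.
MECHANISM_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "memorable_data": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card_reader_code": Factor.POSSESSION,
    "registered_device": Factor.POSSESSION,
    "sms_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "voice_pattern": Factor.INHERENCE,
}

# Assumed low-value threshold; the article gives no figure.
LOW_VALUE_LIMIT_GBP = 30.0
EXEMPT_KINDS = {"direct_debit", "recurring"}

def factor_categories(mechanisms):
    """Return the distinct categories covered by the presented mechanisms."""
    unknown = [m for m in mechanisms if m not in MECHANISM_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified mechanism(s): {unknown}")
    return {MECHANISM_CATEGORY[m] for m in mechanisms}

def meets_sca(mechanisms):
    """Two factors from *different* categories are needed: a password plus
    memorable data are both knowledge, so together they no longer suffice."""
    return len(factor_categories(mechanisms)) >= 2

def is_low_risk(kind, amount_gbp):
    """Low-risk payments (direct debits, recurring, low value) are exempt."""
    return kind in EXEMPT_KINDS or (kind == "payment" and amount_gbp <= LOW_VALUE_LIMIT_GBP)

def authorise(mechanisms, kind="login", amount_gbp=0.0):
    """Decide: 'exempt', 'allowed' (SCA satisfied) or 'denied'."""
    if is_low_risk(kind, amount_gbp):
        return "exempt"
    return "allowed" if meets_sca(mechanisms) else "denied"
```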

How is it for you?

Many banks are starting to get the right systems in place.

Given that the regulator has stated it will not enforce the new rules until March 2021, many banks will only start implementing them between now and that deadline.

What is my bank doing to implement SCA?
  • Barclays will soon ask for OTPs and memorable words, or PINsentry (card reader or app) codes every time you log in (phased).
  • Clydesdale and Yorkshire Bank will ask for OTPs via SMS, landline and mobile app or Pin Device authentication.
  • Coventry Building Society will introduce SCA via automated phone call this year (phased).
  • First Direct will enforce SCA checks for every online banking login at a later date (phased).
  • HSBC has asked you to use your digital/physical Secure Key plus password every time you log in since 23 August 2019.
  • Lloyds Banking Group (Halifax and Bank of Scotland) will ask you to verify yourself via the app or by entering an OTP supplied via SMS or landline (phased).
  • M&S Bank has already implemented SCA for current account logins, with credit cards to follow soon. Later this year, you will be able to order a physical M&S Pass if you don’t use the mobile banking app.
  • Monzo will ask you to re-verify yourself by entering your Pin or biometric ID (fingerprint) every three months. You’ll also be asked for your Pin when you use a new device.
  • NS&I will verify your identity via automated phone call in certain scenarios (phased).
  • Nationwide will stop letting you log in using memorable data in favour of card reader logins or OTPs sent via SMS (phased).
  • RBS/NatWest customers must use their card readers or enter OTPs sent via SMS for all online banking logins.
  • Santander will introduce SCA checks for login in the first quarter of this year, although it will be introducing full entry of a security number soon (phased).
  • The Co-operative Bank introduced OTPs sent via SMS/email earlier last year.
  • TSB told Which? changes to online banking login are likely to be introduced from 14 March 2020 (phased).
  • Yorkshire Building Society has introduced OTPs sent via SMS or automated phone call.


We’re keen to hear if implementing the new security arrangements is causing you any issues with your online banking.

Some customers have already reported that they are unable to make payments because they do not have a mobile phone, or because their mobile signal is not strong enough to connect to their banking.

There is also the risk of scammers using the implementation to attempt phishing attacks on online banking customers.

How has logging into your online banking been since your bank has implemented strong customer authentication (SCA)?

Have you found it difficult to log in with the new security requirements? Do you feel your bank is moving fast enough to implement new security?


I’ve gone back to Branch banking and monthly paper statements.
So much for this digital revolution.
It has become too complex and time consuming.
Customer Service (if you can find it) has become Customer Dis-service.
They wish to avoid Personal Service at all cost.
They forget that ‘my time’ is valuable too.

No issues (problems) have been caused when I have logged in to internet banking nor when I have made a credit card payment on-line. I use a card reader for the banking access and for the credit card payments the card issuer sends a One Time Password [OTP] to my mobile (portable) phone. I have to remember to have my phone to hand when I am placing an order on a website because the OTP times out quite quickly. The implementation of this long-overdue protection seems to have gone quite smoothly. My credit card issuer requires SCA for every on-line transaction. My bank requires no such control for debit card transactions made on-line [so far as I am aware – it could be that my payments have been below a threshold for strong authentication].

I use three banks for day to day money management. No problems at all with First Direct and Lloyd’s whose 2FA processes are fine but then…there’s Cynergy Bank. They have managed to introduce a process and an app that appears to be a (failed) primary school project. It is, possibly, the most inept app I’ve seen – you should read the comments on the Apple App Store as most others think so as well. Time to go elsewhere where the bank has actually done some customer trialling beforehand to check it actually works.

I have become accustomed to Natwest sending a one-time passcode to my mobile when logging in to online banking. That’s not a problem because I have the mobile with me if I am away from home, unlike my card reader.

I’m shocked that many banks and credit card issuers have recently introduced SMS as a form of two-factor authentication. SMS is one of the most dangerous forms of two-factor authentication, because it is susceptible to SIM swap fraud, which was covered in depth by BBC Watchdog.

Furthermore when travelling in some countries, I can’t receive SMS on my UK SIM card, so there needs to be an alternative. Some banks and card issuers can send an e-mail instead, but this breaks the principle of this additional factor being something you have and instead being something you know (i.e. the password to your e-mail account). There should be an outright ban on using SMS as a form of two-factor authentication; it represents extreme laziness by the financial services industry.

Many of the UK banks have introduced mobile phone only authentication to authorize payments made to companies one has not shopped with before. It is acknowledged that many people across the UK do not own mobile phones / do not have coverage / cannot use them due to disability. I’m all for tighter security for online transactions, but if there is no option for alternative security measures (land line / email) I predict a number of discrimination cases in the near future.

Logging in M&S Bank now requires you to have an app or a physical pass gadget that they will supply. As I only have a credit card account, all I need to do is view my statement once a month, so not worth downloading the app or applying for the pass gadget. Why can’t M&S send a one-time passcode to the customer’s mobile phone, a method which many other banks have adopted? The alternative is to go back to having statements sent by post.

Since February 2020, I’ve been in conversation with the Financial Ombudsman regarding Santander’s reduced (IMHO) security feature they apparently introduced as part of the Payment Services Directive (PSD2) regulation. Prior to the change it was necessary when logging on to enter one of 3 randomly selected characters from a password, combined with 3 randomly selected numbers from a passcode.

The new logon procedure requires me to enter all 5 of my passcode numbers only. In addition, if I Chat online or talk to a Santander agent (yes it does still happen occasionally), I have to supply 3 of the 5 passcode numbers. When I do logon, there’s not even the option of an OTP (which, as said earlier, has been discredited by the Watchdog TV programme).

My complaint has not been upheld, as the Ombudsman advises Santander haven’t fallen foul of any of the directives contained in PSD2. I don’t think PSD2 was ever meant to strengthen security for logging on.

So, now I’m turning to the Financial Conduct Authority as I think Santander have made these changes to “simplify” logon across all platforms and allow me to look at my account wherever I am and whatever I’m doing – on the bus, in the gym, at the theatre, the possibilities are endless. I feel the combination of using the 5 numeric passcode for both logging on and communicating with Santander via chat or phone is a weak implementation of the changes. I ask why it’s supposedly necessary to be able to view my account at a moment’s notice with the minimum of fuss (i.e. security), but I think that’s a generational thing and I’m at the wrong end of the age gap to see the benefit.