Security experts recommend advisors use not only passwords, but a more stringent form of verification, known as “two-factor authentication,” for logging into every device and into every data collection system they control.
Many advisors who have heard those proposals, however, respond that “two-factor authentication” can be cumbersome to implement and often prompts clients to complain about the delays and hassles those safeguards create.
“The simple fact that a laptop has a password doesn’t mean anything,” Stephen Ryder recently told an audience of financial advisors. Most likely, however, many advisors listening to him had in their possession laptops protected solely by one password.
Ryder, the CEO of Keene, N.H.-based True North Networks, a company that provides IT solutions, recommends that advisors use “two-factor authentication” wherever and whenever possible, even to log into their personal computer. To gain access with “two-factor authentication,” users need to produce not only a password but also a second piece of information that is available only to them, such as a number sent via text to their cell phone.
CLIENTS 'NOT HAPPY'
Despite the recommendations of security experts like Ryder, many financial advisors believe the advantages of ubiquitous “two-factor authentication” should be weighed against the hassle of implementing such a practice.
They also report clients have pushed back against it.
“Many clients are not happy about this,” says Cheryl Holland, the owner of Columbia, S.C.-based Abacus Planning Group. Holland is talking about the firm’s practice of requiring clients to use “two-factor authentication” when they open emails the firm has sent them that include personal financial information. “We are trying to educate them about the risk and why we do this. We often have to explain that we don’t send everything that way,” Holland says.
In response to clients’ complaints, her firm has begun allowing them to request, on an email-by-email basis, a second email containing the same information, which the firm sends without putting it behind a wall that requires two-factor authentication. Clients seeking such a waiver must call each and every time for the second email, Holland says.
Holland admits that her own personal computer at home doesn’t require two-factor authentication to log in, as Ryder proposed. “I think they are going to have to come up with something more user friendly before I do that,” she says. “I am willing to take the risk for me personally that I won’t take for my clients.”
Miriam Rozen, a Financial Planning contributing writer, is a staff reporter at Texas Lawyer in Dallas.