- Maybe you'd also like the key to the apartment where the money is?
Ilya Ilf, Evgeny Petrov. The Twelve Chairs (1927)

I really do not want my money to fall into the wrong hands without my knowledge.
You could, of course, build a whole fairy-tale contraption of chests, hares, ducks, eggs and needles, but time should be spent sensibly.
Of course, first I identify myself: after entering a login and password or presenting a client certificate, the system knows that I am me. But I insist that right before the money is actually transferred I be asked for something else, something more or less secret.
This something can be called anything (PIN, secret code, payment password), but the essence is the same: to put up an additional barrier.
On the one hand, everything should be simple; on the other, it should be secure enough.
Fixed code

A fixed sequence of characters known to both the client and the system.
Pros: It's simple. You invent it, remember it, and type it in when asked.
Cons: It is just another password. Whoever knows how to obtain the first password can obtain the second one the same way. It protects only against accidental leakage of the first password.
Audience: The lazy, because such a code can be stored in the browser's form autofill along with the login and password, so no time is wasted on any of this security.
Code table with sequence numbers

A variety of one-time passwords (OTP). Codes can be used in sequence or individually, by the number the system asks for.
Pros: Without access to the full list it is hard to guess a code. Some password managers can work with such lists.
It can be used in session mode to perform several transfers in a row: a code, once entered, stays valid for as long as the system identifies the client within the same session.
Cons: The list has to be looked after carefully, especially if it was issued on a piece of plastic or on a receipt printed on fading thermal paper.
Audience: Customers on whom banks have imposed this service, because no other options are offered.
SMS code

A one-time code is sent by SMS to a phone number registered in advance.
Pros: A very familiar and common option. Nobody needs anything explained.
It can be used in session mode to perform several transfers in a row: a code, once entered, stays valid for as long as the system identifies the client within the same session.
Cons: The phone has to be with you, working and able to receive SMS, which is a particular concern when roaming. It is also important to remember that a phone number is not issued once for a lifetime: it may have belonged to someone else before and may be given to someone else in the future.
Sometimes messages simply do not arrive, for no apparent reason, and that turns into a very hard problem to solve, which greatly annoys customers.
Audience: Most customers of most banks and systems, because it is mainstream.
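The table and SMS schemes above rest on the same server-side mechanics: a code is accepted exactly once, a sent code expires, wrong guesses are limited, and in session mode one successful check covers the later transfers of the same session. The Python below is an added example written for this page, not the author's or any bank's code; the PaymentSession state, the 300-second SMS lifetime and the three-attempt limit are constructed assumptions. It does nothing about the delivery and number-reuse problems the text lists, which no server-side code can fix.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

CODE_DIGITS = 6
MAX_ATTEMPTS = 3        # wrong guesses tolerated before the pending SMS code is cancelled (assumption)
SMS_CODE_TTL = 300.0    # seconds a sent SMS code stays valid (assumption)


def new_code(digits: int = CODE_DIGITS) -> str:
    """A zero-padded numeric code from the OS CSPRNG (never the random module)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def issue_code_table(size: int = 20) -> Dict[int, str]:
    """Pre-issue a numbered table of one-time codes, as printed on plastic or a receipt."""
    return {n: new_code() for n in range(1, size + 1)}


def _same(expected: str, given: str) -> bool:
    """Constant-time comparison; compare_digest needs ASCII, so reject anything else first."""
    return given.isascii() and hmac.compare_digest(expected, given)


@dataclass
class PaymentSession:
    """Server-side state for one logged-in session (constructed for this example)."""
    table: Dict[int, str] = field(default_factory=dict)  # still-unused table codes, by number
    sms_code: Optional[str] = None    # pending SMS code, if one has been sent
    sms_expires: float = 0.0          # absolute time after which sms_code is dead
    attempts: int = 0                 # wrong guesses against the pending SMS code
    confirmed: bool = False           # session mode: one good code unlocks later transfers


def check_table_code(s: PaymentSession, number: int, code: str) -> bool:
    """Table OTP: the code with the requested sequence number is accepted exactly once."""
    expected = s.table.get(number)
    if expected is None:              # number never issued, or code already consumed
        return False
    if not _same(expected, code):
        return False
    del s.table[number]               # burn it: a replayed code must fail
    s.confirmed = True
    return True


def send_sms_code(s: PaymentSession, now: float) -> str:
    """Generate a fresh SMS code and arm its expiry. A real system would hand the
    returned string to the SMS gateway rather than to the caller."""
    s.sms_code = new_code()
    s.sms_expires = now + SMS_CODE_TTL
    s.attempts = 0
    return s.sms_code


def check_sms_code(s: PaymentSession, code: str, now: float) -> bool:
    """SMS OTP: valid only while unexpired, under the attempt limit, and only once."""
    if s.sms_code is None or now > s.sms_expires:
        s.sms_code = None             # an expired code is discarded, not revived later
        return False
    if s.attempts >= MAX_ATTEMPTS:
        s.sms_code = None             # guessed too often: force a resend
        return False
    if _same(s.sms_code, code):
        s.sms_code = None             # single use
        s.confirmed = True
        return True
    s.attempts += 1
    return False


def transfer_allowed(s: PaymentSession) -> bool:
    """Session mode: after one confirmed code, further transfers in the same session are
    not challenged again; the session's own lifetime is what bounds this."""
    return s.confirmed
```

The codes are never stored anywhere but in the session here; in a real deployment the table would be kept hashed per customer, and the session timeout is the only thing that ends the "confirmed" state, so it should be short.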
TOTP (RFC 6238)

An open algorithm for generating one-time passwords from a shared secret and the current time. Many know it as Google Authenticator.
Pros: Popularized as the second step of two-factor authentication. Easy to use: scan the QR code, see the digits, type them in when asked. The device that generates the code needs neither Internet access nor a mobile operator. Knowing the secret, you can generate the same code on several devices. The algorithm is open and documented, so implementations exist for almost everything (Nokia S40, Android, iOS, PC, Mac, KeePass, JavaScript, etc.).
Cons: The clock on the device must be accurate. Special attention must be paid to storing the secret securely, since it will be needed to re-initialize the generator.
Audience: Those who were “forced” into it, and geeks, of course; the lazy are too lazy, and most people will not want to figure it out.
Hardware OTP

Dedicated devices that generate a one-time code. They can be built into a plastic card with an LCD display and buttons, made as a key fob in the bank's corporate design, and so on.
Pros: Fairly easy to use. The device needs no Internet access to generate a code.
Cons: Usually there is only one copy, that is, each device is unique, because a secret is written into it at the factory. Although the batteries in such devices last a very long time, the charge must not run out at the most inopportune moment. Some banks like to sell such devices, albeit for little money.
Audience: Customers of some banks, because they need extra security or received the device as an add-on or bonus.
Push notification

The one-time code is sent by the service to a smartphone or tablet as a push notification.
Pros: It can look very much like the SMS code. For the sender, a push notification is cheaper than an SMS.
Cons: It needs Internet access and an app that, at a minimum, registers the client for receiving push notifications.
Audience: Some customers of some banks, because they have installed a good mobile app.
USB token

A device that provides secure use of a private key and secure encryption of data.
Pros: Everything should be very secure. Encryption is transparent to the user and does not require the client to shift attention away from the main task.
Cons: There is a single copy. As a rule, it requires special software on the client device, and the service needs substantial rework to use such keys.
Audience: I do not know whether anyone uses USB tokens as an additional factor to confirm payments. Perhaps something will change as the UEC spreads.
Conclusions

Technically, we are able to work with a fixed code, table one-time and session codes, SMS one-time and session codes, and TOTP. At various times, as new implementations of payment passwords appeared, we enabled and disabled the option of choosing them. Now you can switch between fixed, table, SMS and TOTP codes in your account settings. But our statistics show that the overwhelming majority of users have chosen what we offer them by default, and only a few, apparently just geeks, choose what they really need and find convenient for security.
As a result, during registration we left only two options: fixed code and TOTP.
I think TOTP provides a sufficient level of security while being neither very hard for clients to use nor hard to implement in automated systems (it can even be implemented entirely at the database level).
Is there any public demand for the other options: hardware OTP, push notifications and USB tokens?
(images from www.uecard.ru and www.vasco.com are used)