Thus spake "JC Dill" <nanog@vo.cnchost.com>
> Not only do they use password authentication, but they use a supposedly secure password policy that effectively renders the password completely insecure.
>
> What do I mean? I mean that in my case, my bank requires that I change the password to my online account management website every 90 days.

That's not even the dumbest part. You can reset your password at most banks, insurance companies, stores, airlines, etc. by claiming you forgot it; they'll happily reset it to your mother's maiden name, SSN, or some other publicly-available datum. I've even run across one telephone company which will accept my SSN in lieu of my password _without_ resetting the latter, so the hack is completely undetectable by the victim.

> It would be far more secure *in the real world* for the bank to only require that the password be changed once a year ...

It seems a better general solution would be to require the password be changed every N uses.

> Oh, BTW, this secure policy also has a password limitation of 8 characters, and it only requires 1 non-alpha character. So I can use a supposedly "secure" password - like bananas1 (and then change it to bananas2 90 days later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one isn't the most secure in the world, but you get the point), because it's too long, even though it's obviously much harder to crack. But that isn't deemed a "fault" in the bank's secure password policy.

There's a staggering number of web sites that won't allow me to use non-alphanumeric characters in my passwords at all. I've even run into a few which also don't allow and/or preserve upper-case letters. Those who fail to learn the lessons of history...

S

Stephen Sprunk    "God does not play dice."  --Albert Einstein
CCIE #3723        "God is an inveterate gambler, and He throws the
K5SSS             dice at every possible opportunity."  --Stephen Hawking
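As an added illustration (my own code, not from the thread or either poster), a checker that encodes the bank's rules as JC Dill describes them (8-character cap, alphanumerics only, case folded, one non-alpha required) next to a corrected policy, plus a check for the bananas1-to-bananas2 style of rotation. The policy field names and the corrected policy's thresholds are assumptions.

```python
import re

# Policy fields (names are my own): the WEAK policy models the bank's rules
# from the thread; the STRONG policy is an assumed corrected version with no
# short cap, any printable character allowed, and case preserved.
WEAK_POLICY = {"max_len": 8, "min_len": 1, "alnum_only": True,
               "fold_case": True, "min_nonalpha": 1}
STRONG_POLICY = {"max_len": 128, "min_len": 12, "alnum_only": False,
                 "fold_case": False, "min_nonalpha": 0}


def check_policy(pw: str, policy: dict) -> list:
    """Return the list of rule violations for pw; an empty list means accepted."""
    problems = []
    if policy["fold_case"]:
        pw = pw.lower()  # sites that do not preserve case effectively do this
    if len(pw) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    if len(pw) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if policy["alnum_only"] and not pw.isalnum():
        problems.append("contains non-alphanumeric characters")
    if sum(not c.isalpha() for c in pw) < policy["min_nonalpha"]:
        problems.append(f"fewer than {policy['min_nonalpha']} non-alpha characters")
    return problems


def is_trivial_rotation(old: str, new: str) -> bool:
    """Flag the bananas1 -> bananas2 pattern: same stem, only a numeric suffix
    (or letter case) changed. A rotation rule without this check buys little."""
    if old.lower() == new.lower():
        return True
    m_old = re.fullmatch(r"(.*?)(\d+)", old)
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    if not (m_old and m_new):
        return False
    return m_old.group(1).lower() == m_new.group(1).lower()


if __name__ == "__main__":
    for pw in ("bananas1", "4s&7Yaofb4otC"):  # the two passwords from the thread
        print(pw, "weak:", check_policy(pw, WEAK_POLICY) or "accepted",
              "| strong:", check_policy(pw, STRONG_POLICY) or "accepted")
    print("bananas1 -> bananas2 trivial:", is_trivial_rotation("bananas1", "bananas2"))
```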