by DBNO 3338 days ago
Edit: I had an idea for an improved SMS 2FA, but comments gave persuasive reasons why Google Authenticator was better. Thanks for the comments!

The idea is basically a 3FA system where the bank sends you a one-time 6-digit number. You then have to translate that number using a user-seeded cryptographic hash function. This secret function is your third factor, which translates the received SMS code into the value you'll input at login.

Analysis: Security would increase, but ease-of-use would decrease, especially with regard to how a user would reset their password if they lose both their password and the program that calculates the cryptographic hash.

3 comments

2FA is already a hassle for users. Now you want to make them do math too? This is not a solution. Just don't use SMS at all. Google Authenticator is a better solution than yours.
You make a good point about ease-of-use. I agree a phone app is much easier to use with a smartphone. However, people with flip phones couldn't install such an app. You might then argue the demographic with flip phones would either use an RSA device or not have 2FA enabled at all - which seems like a valid point.

Security-wise, having a secret user math function seems more secure than the Google app. I can give reasons why if needed.

Seems vulnerable to phishing. The attacker already uses phishing to get account number, password and phone number; now they just have to send a fake 2FA message and observe how the number is translated.

Even if the function is lossy, it has very little entropy. Maybe even vulnerable to brute forcing...

I agree with the other poster, Google Authenticator looks like a better solution.

Good points. After further consideration and from the other comment, I was basically thinking of a 3FA system.
Two things.

One, you'd need to use an app and something actually secure to combine the password (that's what you're proposing, a second password that mutates the token) and the 2FA token -- if the password was a simple algorithm like you're suggesting, attackers could guess it a good proportion of the time. This is a good example of why you (or I) shouldn't try and invent security measures; leave it to professionals.

Second, the regular passwords had already been compromised on these accounts. Presumably, at the time they phished the regular password, they could have phished the special 2FA password as well. It also means that 2FA could no longer be used as a password reset mechanism -- because you need to have another password to use it. You've essentially made it 3FA.

Good points - I retract my previous idea. Thanks for the comments.
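The two objections raised above (one phished exchange reveals the secret transform; a hand-computable transform has too little entropy) can be made concrete. The following is an added example written for this thread, not code from any poster. It assumes, as a model of a "user-seeded hash" a human can compute at a teller or on a flip phone, a per-position digit offset followed by one of a few fixed reorderings; the secret key, SMS codes and permutation names are constructed. Beside it is RFC 6238 TOTP (what Google Authenticator implements), where observing codes gives the phisher nothing about the 160-bit seed.

```python
"""Model of the 'translate the SMS code with a secret function' proposal
next to RFC 6238 TOTP. Added example for this thread; the transform family
is an assumption about what a person could compute by hand."""
import hashlib
import hmac
import math
import struct

# Assumed human-computable "hash": add a 6-digit key digit-wise mod 10,
# then apply one of a handful of memorable reorderings.
PERMUTATIONS = {
    "identity": (0, 1, 2, 3, 4, 5),
    "reverse": (5, 4, 3, 2, 1, 0),
    "swap_halves": (3, 4, 5, 0, 1, 2),
    "odd_even": (1, 0, 3, 2, 5, 4),
}


def translate(code: str, key: str, perm: str) -> str:
    """The user's secret function: shift each digit by the key, then reorder."""
    shifted = [(int(c) + int(k)) % 10 for c, k in zip(code, key)]
    return "".join(str(shifted[i]) for i in PERMUTATIONS[perm])


def keyspace_bits() -> float:
    """Entropy of the whole family: 10**6 keys times a few reorderings."""
    return math.log2(10 ** 6 * len(PERMUTATIONS))


def recover_secret(observations):
    """Phisher's attack. Each observation is (sms_code, user_response) captured
    by a fake login page. The digit shift is invertible, so one observation
    pins the key for every candidate reordering; extra observations weed out
    the wrong reorderings. No brute force over 10**6 keys is even needed."""
    candidates = []
    code0, resp0 = observations[0]
    for perm, order in PERMUTATIONS.items():
        shifted = [0] * 6
        for j, i in enumerate(order):      # undo resp[j] = shifted[order[j]]
            shifted[i] = int(resp0[j])
        key = "".join(str((shifted[i] - int(code0[i])) % 10) for i in range(6))
        if all(translate(c, key, perm) == r for c, r in observations):
            candidates.append((key, perm))
    return candidates


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (Google Authenticator's default).
    The code is a truncation of an HMAC over the time counter, so a phished
    code reveals nothing usable about the secret and expires in one step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def phishing_demo():
    """Constructed victim secret and two fake 'bank' SMS codes sent by the
    phisher. Returns the candidate sets after one and after two exchanges."""
    key, perm = "481736", "reverse"
    fake_sms = ["203719", "558041"]
    observed = [(c, translate(c, key, perm)) for c in fake_sms]
    return recover_secret(observed[:1]), recover_secret(observed[:2])


if __name__ == "__main__":
    print(f"transform family entropy: {keyspace_bits():.1f} bits")
    after_one, after_two = phishing_demo()
    print("candidates after one phished exchange:", after_one)
    print("candidates after two phished exchanges:", after_two)
    # RFC 6238 test vector: seed '12345678901234567890', T=59 -> 287082
    print("TOTP at T=59:", totp(b"12345678901234567890", 59))
```

Running it shows the asymmetry: the entire hand-computable family is about 22 bits, a single phished exchange collapses it to one candidate per reordering (four here), and a second exchange identifies the user's secret exactly. The TOTP seed is 160 bits and the algorithm is one-way, so a phisher who captures a code has a value that is useless after 30 seconds and learns nothing about the seed; what TOTP still does not stop is real-time relay of that code, which is why the thread's point about phishing the first factor applies to it as well.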