I can just imagine my mother getting flustered after reading the words "certificate signing (sic?) Request" and stopping reading at "client certificate". I can think of very elaborate security measures. The trick is to make them sound easy and relatable to a ranch hand and a 1960s housewife. These people are smart, but they don't have the same life experiences.
It may sound difficult at first, but with plenty of help (step-by-step tutorials, etc.) provided by the bank, it shouldn't be too hard to implement. It could be started as a trial for a certain subset of customers and then rolled out to larger and larger groups as time goes on.
Banks could provide an incentive by stating that using this is much more secure than just using a password, and that it's also largely automatic (unlike 2FA).
In school, did you ever do the "give instructions to make a peanut butter and jelly sandwich" activity? I'm guessing not.
I'm willing to bet you could have a video with transcript and pictures of the user's exact home setup and many people still couldn't figure it out. You are dealing with people who still don't understand why you don't have to double-click links since they have to double-click apps, and who don't know the difference between Google, the Internet, and Internet Explorer.
People are often stuck with modes of thought and operation from when they were younger, and for many, that was pre-computer. At work, we got a handwritten letter asking for support setting up their account because they were having trouble with the email that their daughter set up (despite ample support options on the site).
> I'm willing to bet you could have a video with transcript and pictures of the user's exact home setup and many people still couldn't figure it out.
I think you're giving most people less credit than they deserve in terms of figuring things out. Yes, there are people who are technically illiterate, but they probably still conduct most of their business in a manner similar to the pre-commercial internet days. That is, they either use the bank teller drive-through lanes, ATM, or go inside the bank to do banking business. They may not even try logging into their online account.
But that doesn't mean that the bank shouldn't provide options for the more technically literate users who either already understand the concepts or can pick it up with some step-by-step instructions.
I certainly don't like banks providing half-baked security solutions like easily guessable "security" questions, or passwords that can only be up to some relatively short length with a highly restricted character set, which can be brute-forced or easily obtained from a plain-text dump of their compromised database.
I don't think most users would have a terrible time. I think most users would not bother with setting up anything fancy, but could if they had OK instructions. But I think there are many who would absolutely flounder. As a technical person, I would like more security for sure.
"Security" questions should be gone. Everything important should be 2FA or have a key fob. I think just about everyone who has a phone and does online banking can understand "input the code we just texted you."
The key fob (or equivalent application on one's phone) is a better option compared to email/SMS-based 2FA, since the latter is not secure [1] [2]. The latter is still a lot like the half-baked security measures I mentioned in my earlier post.
I still think having a certificate/private key imported into my browser as a one-time (or periodic) task is more convenient compared to having to use a key fob or soft token from a phone app every time I have to log in.