I would be happy with a key ring thingy even though I have several already.
So would I.
I never really liked the idea of having one until I opened a bank account that required me to have one and I found out that it wast such a pain.
I came to like it even more when I was overseas recently and had my phone stolen.
As Citibank hasn't made OTP mandatory I was still able to access my account however that wast the same for some of my accounts with other banks.
Luckily though my main bank account uses a physical token so I still had access to my money.
Citibank could at least look at the OTP implementation by PayPal.
If you have your PayPal account to use your mobile phone as a OTP device and do not have your phone with you then you can still log in by answering some security questions such as information about your credit cards or bank accounts registered with paypal or other typical security questions.
However, according to the Citibank website a physical token will also be available.
I would like to see the ability to use your mobile phone or the physical token however I think you will have the choice of SMS only or physical token only.
-----
On another note, I found this article while looking for something completely unrelated however I think it is slightly relevant to the introduction of OTP
Online fraud rate 'almost zero': Citibank Australia
October 14, 2010
CITIBANK Australia's fraud rates for online banking are "almost zero" thanks to its tight security processes, according to chief executive Roy Gori.
Mr Gori said he could not recall the last fraud-related incident to hit the bank's online system.
"Our (online) fraud rates are almost zero," he told reporters in Sydney today.
"I won't say it's zero because you can't ever say that, but I can't remember over the last 12 months an internet fraud at all.
Citibank has in excess of 200,000 registered online users.
There is also this, which I guess never took off as I had never heard about it until I read the article.
The bank has also jumped into voice biometrics, launching a trial six weeks ago in its collection department.
Mr Gori said voice recognition was one way to reduce the coughbersome process of identification Citibank currently has in place.
Citibank chose to test voice biometrics as it has a high accuracy rate. Mr Gori said he tried to disguise and change his voice to beat the system, but to no avail.
The bank would be in a position to roll out the system "in a big way" in three months, but customers first had to opt-in to the voice system.
-----
So in 2010 Citibank had over 200,000 registered online users and had a fraud rate of zero (or very close to it) using the on-screen keyboard and the three security questions.
Which brings me to the question why change? Especially when the new security measure has several drawbacks.
There are many cases I can think of where people have had their accounts fraudulently used due to the security that SMS tokens do not provide.
This article about someone who had their CBA account fraudulently used is from a few years ago however it goes into the details of how SMS security is vulnerable
Phone porting used to unlock net banking codes - Security - Technology - News - iTnews.com.au
And then we come to an article from the end of last year (Some of the interesting points below)
Telcos declare SMS 'unsafe' for bank transactions - Security - Technology - News - iTnews.com.au
Nov 9, 2012
Telcos declare SMS 'unsafe' for bank transactions
The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.
Security experts have warned about the inherent lack of security posed by SMS technology for several years.
As far back as 2008, Australian security expert Stephen Wilson noted that “SMS was not designed to act as a second authentication factor” and its use as one is “probably going to leave [customers] vulnerable to frauds that exploit their credulity or naivety”.
There are 54 million bank accounts active in Australia, according to the Reserve Bank, and 35 million credit accounts.
The cost of replacing SMS authentication with tokens for debit accounts alone would cost the banking sector close to $5 billion*.
*Yes, this is also the telcos shifting the blame from themselves when they could simply tighten the ability to port a phone number which would also strengthen SMS based security.
-----
Now, in 2010 Citibank essentially had no online fraud while other bank customers were having their accounts hijacked using SMS security. The telcos and other experts have said that SMS security is not a viable solution to prevent fraud yet Citibank is moving form a proven secure authentication method to one with already established flaws.