Challenge-response technology is seen as an alternative to having call centre agents ask for personal details such as mother's maiden name to verify the identity of callers.
It helps verify identity, typically, by asking the caller to repeat a randomly generated sequence of numbers from the token in order to complete a transaction or gain access to their account.
Speaking at the Vasco Banking Summit yesterday, BOQ's channel development manager for retail banking, Rick Mason, said the bank initially programmed three applications into the Vasco hardware tokens to make them more future-proof.
It has already launched two of the three applications.
The bank's internet banking tokens are currently capable of generating either a one-time password or performing transaction signing.
Transaction signing uses data supplied by the user to generate a pass code which then allows the transaction to proceed.
"We put challenge-response in there to future-proof our tokens because we may use them in the future to authenticate into our call centres," Mason said.
"The token already uses challenge-response functionality for unblocking PINs but we may extend it in the future for either way authentication."
"It's relatively easy to bypass the security of a call centre," said Mason.
"People put the same type of personal details on their Facebook profiles that we ask for in our call centres to identify them. Maybe in the future we'll use challenge-response [to resolve this]."
Mason said the BOQ originally specified the tokens to handle all three potential authentication applications.
"We only wanted to do this [rollout of tokens] once," Mason said. "The customer education process can be painful."
BOQ said it has issued 31,500 tokens to date "against 161,000 active internet banking users."
The tokens are predominately Vasco DB260 products that have been branded as BOQ.
Mason said BOQ customers are able to select their own daily transaction limits when they sign up for internet banking.
Token use is required only for customers that select a daily limit of $10,000 or more.
"The thing is that nine out of ten people think, ‘I'm so important I want the top limit', but you have to educate customers on what that means," Mason said.
"We initially wasted some tokens because people took them and then didn't use them or decided they didn't need that limit anymore."
He continued: "If you select a daily limit of $10,000 then you're forced to use a token for each and every transaction, even if it's for 50 cents.
"We do get some complaints with transaction signing [in particular] but if you don't like it drop your limit below $10,000.
"Yes it's a bit arrogant but it's a trade-off between having high value limits and high security."