One-time passcodes or passwords (OTPs), like a code sent via SMS to a user’s mobile phone, are commonly used for two-factor authentication (2FA). While any form of multi-factor authentication (MFA) offers better security than just a password and username, there are security and usability considerations to take into account when implementing an authentication protocol.
Whether your organization has already deployed mobile authentication or is actively considering authentication solutions to beef up security, it’s important to understand that MFA is a spectrum and that not all MFA is created equally. With cyber-attacks continuing to rise, the time is now for organizations to rethink their two-factor practices.
Research tells us that OTPs sent by SMS and mobile authentication apps are the most popular forms of 2FA being introduced in this ‘work from anywhere era.’ Yet, they can fall prey to phishing, man-in-the-middle (MiTM) attacks, SIM swapping and account takeovers.
Security
The vulnerability of mobile-based MFA stems from several weaknesses. The first is that an OTP can be intercepted or indeed phished. In the same way that a user can be tricked into revealing security credentials such as a password or PIN, they can fall victim to OTP phishing. The second is that mobile devices are in themselves a potential attack surface. They house an operating system and apps that can become compromised, rendering the data, including OTPs, vulnerable.
During a MiTM attack, the cyber-criminal places themselves between the user and service provider, creating an environment where both believe they are communicating with the other. An attack can start with a phishing message or take advantage of unprotected Wi-Fi networks; manipulated URLs that look like legitimate sites are another way in.
Clearly, SIM swapping, which occurs when the cyber attacker poses as the account holder to switch the user’s mobile phone number to their own SIM, also enables OTPs to fall into the wrong hands. SIM-swap fraud is a growing problem, so much so that Action Fraud recently revealed a staggering 400% rise in reports.
Ease of Use
Often, mobile-based authentication is implemented because it is easy for users. After all, with over 8 billion connected SIMs in the world, it’s a sure thing that users will have access to a device. However, it is a misconception that mobile authentication equals simplicity.
While keying in an OTP may seem relatively hassle-free, multiply that by the number of log-ins and apps used each day, and the number of days worked, and friction soon stacks up. It’s a relatively cumbersome additional step that users will quickly tire of. Mis keying means typing in again, or generating another code and timed log-outs add to the barriers to user productivity.
Then, of course, there is the issue with having a mobile that is charged, within signal range and available to be used. Often, mobiles can be low on battery, and they may not have a signal. Also, there are environments where mobile phones are not permitted, such as call centers, clean rooms and manufacturing floors, rendering any authentication method that relies on them inoperable.
There can be issues too around employees using personal devices for work, in which case companies may face the high cost of providing corporate devices or finding an alternative authentication method for some or all users.
Strong Authentication for a Passwordless Future
Authentication needs to be tough because the rigors it must withstand are tough. What’s more, future compliance standards for MFA are only likely to get tougher.
Hardware-based security keys provide strong authentication while at the same time reducing friction at login, compared with other multi-stage authentication protocols. To login, users simply plug the key into a USB port and touch the button or tap it against their phone for NFC authentication. There’s no reliance on a charged phone within cellular range, and no one can sign in to protected accounts without the key, thereby increasing security against phishing and account takeovers.
What’s more, security keys that meet FIDO2 and WebAuthn standards help pave the way for interoperability. FIDO2 is a specification for authentication standards from the FIDO Alliance, while WebAuthn is a web-based API that allows websites to add FIDO-based authentication. The FIDO2 cryptographic login credentials security model eliminates phishing risks and password theft. This evolving ecosystem is helping deliver security and usability while also meeting the need for portability, compatibility, interoperability and scale. In this way, strong authentication helps smooth the migration towards passwordless, a migration that makes secure, user-friendly tools the future for authentication.