Multi-Factor Authentication (MFA) is a key requirement for safe and secure transactions in the digital world. It is defined as an electronic authentication method in which a user is granted access, or an event is approved, only after the user successfully presents two or more pieces of evidence drawn from distinct authentication factors. The factors are as follows:
- Knowledge: Something that a user knows, e.g., PINs or passwords
- Possession: Something that a user has, e.g., a device or token (could be hardware or software)
- Inherence: Something that a user is, e.g., biometrics or behavioral characteristics
Most industry-wide strong authentication guidelines, such as the National Institute of Standards and Technology’s (NIST) guidelines in the US or the PSD2 SCA (strong customer authentication) rules in the EU, are built on these three factors, and several of them mandate that at least two of the three be satisfied before a high-risk event is approved.
SMS OTP and Its Shortcomings
Currently, the use of MFA in online banking, payments, and other high-risk events relies heavily on SMS or voice one-time passcodes (OTPs). SMS as a delivery channel has multiple benefits: it is device- and network-agnostic, easy for customers to use, easy for organizations to administer, and telephone numbers are simple to add to an existing customer database.
Despite these benefits, OTPs have their drawbacks. They are vulnerable to man-in-the-middle attacks and can be compromised by SIM-swap fraud. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure (the SIM card had only recently been associated with the phone number), indicating a high possibility of a recent SIM swap or an account takeover.
This issue is not just confined to the US; it is a global one.
With the rise in SIM-swap and man-in-the-middle attacks, strengthening OTP is critical for companies that want to continue using it as a multi-factor authentication method. Attributes such as OTP length, expiration period, delivery channel, and dynamic linking (binding the code to the specific transaction it authorizes, so that it cannot be reused for a different amount or payee) determine how safely these one-time codes can be used.
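As an added illustration of the attributes listed above (not code from the original article or from Prove), the following Python sketch issues an OTP of a chosen length, stores only an HMAC commitment of it server-side, expires it after a short window, rejects it after a small number of wrong guesses, and dynamically links it to the amount and payee it was issued for. The `OtpService` class, its parameter values, the constructed server key and the session identifiers are all assumptions made for this example; delivery over SMS or another channel is left to the caller.

```python
"""OTP issuance and verification covering length, expiry, attempt limiting,
single use and dynamic linking. Hypothetical design written for this page;
not a vendor's product code."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 8          # assumption: 8 digits rather than the common 4 to 6
OTP_TTL_SECONDS = 120   # assumption: two-minute validity window
MAX_ATTEMPTS = 3        # assumption: discard the code after three wrong guesses


def _commitment(server_key: bytes, otp: str, amount: str, payee: str) -> bytes:
    # Dynamic linking: the commitment covers the code AND the transaction
    # details, so a code obtained for one payment does not verify for a
    # different amount or payee. Only this digest is kept server-side.
    msg = f"{otp}|{amount}|{payee}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).digest()


class OtpService:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending = {}           # session_id -> pending record

    def issue(self, session_id: str, amount: str, payee: str) -> str:
        # CSPRNG digits; building the string digit by digit keeps leading zeros.
        otp = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
        self._pending[session_id] = {
            "digest": _commitment(self._key, otp, amount, payee),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The caller delivers the code together with the amount and payee text
        # so the user can see what they are authorizing.
        return otp

    def verify(self, session_id: str, otp: str, amount: str, payee: str):
        """Return (ok, reason). A code is consumed on success, on expiry,
        and once the attempt limit is hit."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False, "no pending code"
        if self._clock() > rec["expires"]:
            del self._pending[session_id]
            return False, "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]
            return False, "too many attempts"
        rec["attempts"] += 1
        presented = _commitment(self._key, otp, amount, payee)
        # Constant-time comparison of the two digests.
        if not hmac.compare_digest(rec["digest"], presented):
            return False, "code or transaction mismatch"
        del self._pending[session_id]   # single use
        return True, "ok"


if __name__ == "__main__":
    svc = OtpService(b"constructed-server-key-for-demo")
    code = svc.issue("session-1", "100.00", "ACME Utilities")
    print("issued:", code)
    print(svc.verify("session-1", code, "250.00", "ACME Utilities"))  # linked to 100.00
    print(svc.verify("session-1", code, "100.00", "ACME Utilities"))  # accepted
    print(svc.verify("session-1", code, "100.00", "ACME Utilities"))  # already used
```

The server never stores the plaintext code, the clock is injected so the expiry path can be exercised without sleeping, and the amount and payee are part of the verified commitment rather than trusted from the session alone, which is what makes the link "dynamic" in the PSD2 sense.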
Here are some methods that can help fortify MFA:
- Passwordless Authentication: Connect with mobile networks to verify that an activity is coming from an expected device. This helps to authenticate customers without the need for easily compromised passwords or PINs. Since this method is built on core network infrastructure, it is a secure and frictionless method to strengthen a customer’s authentication flow.
- Secure Links: Replace the traditional SMS OTP with a secure SMS link message. Secure links combine active checks (SMS delivery with user action required) and passive checks (phone intelligence signals) to authenticate identities in real time.
- Biometrics: Traditional biometrics limit fraudulent transactions through a user’s physical attributes such as voice, fingerprint, and facial features. Behavioral biometrics limit fraudulent transactions by analyzing the unique customer-device interaction patterns such as location and screen angle.
- Trust Indicator: A Trust Score™ uses behavioral and phone intelligence signals to measure a phone number’s fraud risk and identity confidence in real time. Scaled from 0 to 1,000 (scores below 300 classified as low-trust, high-risk), the Trust Score™ model can be implemented to secure use cases across account enrollment, login, high-risk events, and customer communications.
Apart from significantly reducing identity theft, advanced solutions in identity proofing and authentication deliver revenue and operational upsides such as better consumer experience, enhanced exception management, and lower cost of fraud management.
The COVID-19 pandemic has accelerated the pace of digital transformation across industries. However, it has also opened the door for bad actors to take advantage of weak security implementations. Companies need to look beyond traditional methods and adopt solutions that fortify existing authentication practices to fend off improvised identity takeover fraud.