It wasn’t long ago that two-factor authentication met the security needs of most organizations. In the good old days of laptops and desktops, the use of two separate factors was enough to ensure a satisfactory level of security. In the current era of mobile devices, advanced hacking and the advent of digital identity, two-factor authentication can no longer suffice. Multifactor authentication models were designed to mitigate the shortcomings of 2FA, but do they really deliver increased security?
The New World of Digital Identities
With the transition from desktop to mobile devices and other digital gadgets, it is simply not enough to confirm only initial identification, particularly when conducting sensitive banking transactions. To quote Gary McAlum, chief security officer at USAA: “Today, the primary challenge is that your identity information is either already compromised, accessible in the underground economy, or bits and pieces can too easily be knitted together" - meaning that committing fraud is becoming ever easier for cyber attackers at any stage of the user process.
Usernames and passwords are too flimsy to provide real protection. Using bots and other malware, hackers can stealthily take over mobile apps, ultimately gaining control of the entire device, including vital personal data from the full range of installed apps. In addition, hackers are currently creating synthetic IDs from a combination of real and fake data. Thus, a real identity serves as the basis (for example a name and Social Security number that match), but the fraudster changes some data, such as switching the email address so that out-of-band validations are diverted to them rather than to the true identity owner.
The Move to Multifactor Authentication
Logically, the move to multi-factor authentication has got to be more secure than 2FA, right? Well, not necessarily. Let’s take a look at some of the multi-factor authentication methods in use on mobile devices:
- The coded key fob - The key fob displays a randomly generated access code, which changes every 30 to 60 seconds. A user first authenticates with a PIN, then enters the current code displayed on the fob. This hardware-based method is hardly viable in the digital age. Not only can the device itself be stolen or lost, the key fob shares the same vulnerabilities that plague most IoT devices: the default settings are rarely updated once the device leaves the factory floor, and security patches for new exploits are rarely available.
- SMS - Sending security codes via mobile is only as safe as the two foundations on which OTP over SMS is built - cellular networks and mobile handsets. If the phone has been compromised or stolen, this authentication method offers no protection whatsoever. This security measure can be circumvented by dedicated hackers at a cellular network level as well, as in the recent example where mobile network hackers exploited SS7 flaws to drain bank accounts using stolen SMS codes.
- Email authentication - Sending an email for authentication purposes suffers from a similar vulnerability to the SMS method. If the user’s email account has been compromised, the authentication email gives hackers unhindered access to all of the user’s emails. Last year a massive Gooligan attack campaign successfully breached over a million Gmail accounts, giving hackers access to user data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more. Once the email address has been compromised, hackers can easily authenticate fraudulent transactions.
- Static biometrics - Rather than relying on something you have, static biometrics is more sophisticated because it relies on something you are. It is often used in banking applications, where users can sign in with a fingerprint. This method may rely on various identifiers, such as a fingerprint, retinal scan or facial recognition. Nevertheless, it is not foolproof, because sophisticated malware can simply wait to act until the one-time multi-factor authentication has completed. This way the malware can take over the session after the user has been successfully authenticated. So this type of authentication can still be stolen or faked, despite relying on an inherent individual trait.
The problem with the four methods mentioned above is that one-time authentication is inherently flawed. Once the user has been authenticated, there is no means of preventing an attacker from taking over the legitimate user session to steal sensitive information, authorize fraudulent transactions or alter data associated with the user, such as a phone number or an email address.
Upping the Multifactor Authentication Ante
Because accurate initial identification cannot ensure true ongoing authentication, new methods are being created to ensure that the user is actually who he says he is throughout the transactional process. As part of the upcoming PSD2 directive, the European Union recently recognized behavioral biometrics as a strong method of authentication. This method constantly monitors and identifies a user’s many individual behavioral patterns, such as how he interacts with his mobile device.
These highly personal patterns cannot be replicated by hackers, so even if they were able to hack a user’s credentials to gain initial entry, they would be unable to continuously authenticate themselves throughout the session.
Want to find out more about how continuous authentication actually works? Watch this space for more!