It’s official, SMS one time passcodes (OTPs) are on their way out. NIST has issued draft national recommendations that deprecate SMS-based two factor authentication (2FA) and encourage the use of alternative authentication factors. This is not a surprise, rather an it’s about time measure that will only serve to allow consumers and businesses alike to transact with confidence as we move ever increasingly into a digital economy. As evidenced by the recent, staggering Yahoo data breach and spoken about in the first presidential debate, cyber security is paramount today.
Malware aimed at mobile banking and payment apps is increasingly prevalent proving authentication by SMS to be too vulnerable. Cell networks themselves are under attack, and mobile phones can be compromised in myriad ways: loss, physical theft, account hijacking, and crimeware (banking Trojans, adware, spyware, ransomware etc.) Brazil’s ongoing nightmare with banking crimeware is one of many cautionary tales compelling us to find better authentication mechanisms. In addition to a rash of banking Trojans, malware targeting their Boleto system (money order) has netted criminals nearly US $4 billion in the last two years.
In the US and worldwide, mobile malware is on the rise as evidenced by Checkpoint and SANS Institute reports, Kaspersky Lab research, a Nokia study of 100 million devices, FBI and FFIEC warnings, IBM experts, and many more such findings. Much of the newest malware is designed to commit banking or transaction fraud by spying on consumers’ credentials or intercepting SMS passcodes.
Even after years of massive PII data breaches, it’s been an uphill battle to convince consumers and companies that password protection is woefully insufficient by itself, and that 2FA should be enabled and required for all sensitive authentication scenarios. The primary problem with SMS methods, besides a fundamental vulnerability to hacking exploits, is that they verify only the device, not the person holding it. Multi-factor authentication (MFA) works by creating layers of defense, so that even if one factor is vulnerable, the protection holds. True MFA processes should use something you have, something you know, and something you are. For example: your phone or hardware token, a password, and a unique biometric characteristic. There are many options for next generation authentication; the challenge will be creating implementations that are seamless for the user and efficient (cost- and process-wise) for the authenticator.
While MFA requiring at least 3 factors is more secure, it is usually more cumbersome. Consumers who are growing accustomed to making purchases with one click or by waving their phone in front of a scanner will not be pleased with a three-step process, and will circumvent it if possible. More work needs to be done figuring out how customers want to use their mobile wallets and banking apps, and exactly what types of security measures they will comply with and tolerate.
The NIST guidelines encourage moving toward biometric authentication methods, provided they are used in combination with other factors (e.g., strong passwords). While biometric applications such as facial recognition technology have been employed by law enforcement and government agencies for quite some time, they have only recently become practical for widespread commercial use. Likewise, smartphone use is now prevalent enough that most consumers can complete biometric authentication processes on the go.
If user experience best practices are carefully applied, biometric authentication can be easy-to-use (nothing to remember or carry), virtually tamper-proof (more difficult and labor-intensive to spoof a retina, voice, or facial symmetry), and more secure (can’t be cyber-hijacked). Moreover, there are a variety of biometric methods, which can be used in combinations or layers to better thwart hacker workarounds. Innovative companies are developing enterprise-ready versions of hardware and software for matching validated records to real-time scans of faces, voices, fingerprints, hands, retinas, and even ear shapes.
The key is to take advantage of behaviors users already find natural and simple, such as taking selfies, scanning fingerprints, repeating voice prompts, and presenting standard government issued identity credentials (e.g., driver’s license, passport). HSBC now permits customers to use selfies to access their accounts; other major banks have implemented voice and fingerprint recognition options. Such methods will become increasingly common, especially in the face of regulatory response in the U.S. and abroad. Africa and Europe have already begun moving away from SMS-based methods.
With the increasingly mainstream adoption of cyber currency and other FinTech innovations, millions of people around the world will use banking and lending services for the first time, and the vast majority of them will do so via their mobile device. Even in developed economies, mobile payment ecosystems are still being established, and many obstacles remain unresolved. Security and privacy are top concerns for traditional financial institutions, FinTech innovators, and consumers. Crimeware developers, hacktivists, and black market crime rings will move rapidly from one opportunity to the next, exploiting every opening that aids them in their quest to defraud, steal, blackmail, and expose.
Singular security solutions will continue to be disrupted by cybercrime. We have to be willing to develop a variety of methods, use them in layers, and move quickly away from approaches that are proven insecure. Organizations such as the FIDO Alliance are working to develop specifications that provide for tools to supplant reliance on passwords. We must add digital layers onto existing, entrenched systems. For example, forensically validating a government issued identity document that it is therefore highly likely to be authentic and by matching a selfie to the photo on that ID document. Additional layers can be added, creating a continuum of authenticity and identity verification.
As virtual trust becomes a key component of everyday commerce, the mechanisms for validating that trust must be designed to withstand the unceasing attempts to subvert digital systems. The time to address faults in mobile identity verification is here, and the good news is that so are possible solutions.