Nowadays, when you log in to any online application, especially one from the banking sector, you will find that it is protected by an additional authentication step: you are asked to enter a time-based one-time passcode (OTP), generally delivered as a text message. According to a recent study from Google, enabling such two-factor authentication (2FA) on your accounts, a combination of your password and an OTP, can protect you from most forms of online attacks.
However, as 2FA is adopted by mainstream users, attackers increasingly look for ways to bypass it. And of course, the weakest link in the whole chain is the one that is attacked the most – the SMS communication. Here is an excerpt from Reddit’s announcement of a security incident they identified.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA”.
This incident at Reddit is not a one-off occurrence. There are many instances where this insecure communication link was exploited. No wonder, then, that German banks are planning to move away completely from SMS-based authentication. Apple has also recently identified this as a weak link and plans to address the associated risks by proposing a standard for browsers to adopt around SMS delivery of one-time passcodes.
More than Two is Better than Two
Going beyond just these two factors, something you know (your password) and something you have (the OTP received on your phone through SMS), can help reduce some of these risks. The factor most commonly added is something you are (biometrics, such as a fingerprint). The most common approach these days is to use an app, like Google Authenticator, to generate a one-time verification code. These are software tokens that are entered as an additional code during the authentication process. If the phone is protected by biometrics, only the user who owns it can access these apps. On both the Android and iOS platforms, such tokens can also be delivered directly as alerts to the verified devices registered under the user’s account.
Such authenticator apps are a natural progression of hardware tokens like RSA SecurID, where a physical device generates the token; these have long been used for two-factor authentication. An open industry association, the FIDO (Fast IDentity Online) Alliance, aims to extend platform-level biometric verification to hardware devices. FIDO publishes specifications proposing the protocols that authentication technologies should support. Physical devices that support these protocols, generally termed security keys (for example, YubiKey), can generate credentials that are significantly harder to compromise. The benefits of these security keys are not limited to consumer applications: many large enterprises, including Google and Facebook, are bolstering their employees’ work accounts by mandating the use of such security keys.
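To show why a software token never travels over the SMS channel, here is an added example (not code from the original post, nor from Google Authenticator) of the HOTP/TOTP scheme such apps implement: the code is derived locally from a shared secret and the current 30-second time step, and the server recomputes it. The secret below is the RFC 4226/6238 test-vector secret, used only as sample input; the server-side check also rejects replay of an already accepted step.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned once (e.g. via QR code) into the authenticator app.
# This value is the RFC 4226/6238 test-vector secret, used here only as sample input.
SAMPLE_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # time step used by Google Authenticator and most services


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_accepted_step: int = -1, skew_steps: int = 1):
    """Server-side check.

    Accepts the current step plus/minus `skew_steps` of clock drift, compares in
    constant time, and refuses any step at or before the last accepted one so a
    captured code cannot be replayed inside its validity window.
    Returns (accepted, step_to_record_for_this_user).
    """
    current = unix_time // STEP_SECONDS
    for step in range(current - skew_steps, current + skew_steps + 1):
        if step <= last_accepted_step:
            continue  # already consumed: replay attempt or stale code
        if hmac.compare_digest(hotp(secret, step), candidate):
            return True, step
    return False, last_accepted_step
```

The server must persist the returned step per user, otherwise the replay guard is ineffective.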
Why hasn’t the industry moved on then?
Sophisticated multi-factor authentication mechanisms are certainly a step up in protecting users from the risks of simple password-based or SMS-based 2FA. However, they are comparatively much harder to take mainstream. Authenticator apps that generate software tokens need to be installed by the user on their smartphone, with the app protected by biometrics. Further, every service the user wants to use needs to be registered with the app first. Hardware tokens like USB keys need to be carried along every time a service is to be accessed.
In short, every security step that is introduced affects convenience from the user’s perspective. Most businesses aim to strike the right balance between convenience and security for their users. From that perspective, SMS-based 2FA remains the solution of choice: it is simpler and does not change the regular authentication flow enough to become inconvenient.
The way forward
For organizations providing authentication mechanisms to their end users, the process needs to be frictionless enough that more users enable them. One approach under way is to consider another signal before forcing users to verify themselves: their context. Examples of such context are the location or the system from which the user is trying to log in. If no anomaly is detected in the context, the authentication attempt can be considered valid and the user can be allowed to log in with a single factor. If an anomaly is detected, the user is forced to authenticate with multiple factors. Such flexibility in selecting authentication factors does help reduce friction for the end user.
For users: harden your login with multi-factor authentication right now. Check which modes are supported as factors in addition to the password. There is a growing list of regularly accessed sites that support some form of 2FA; enable it for your account. Avoid SMS- or phone-call-based 2FA and prefer software token apps like Google Authenticator whenever possible. But if a site only supports SMS-based 2FA, enable that too; it is better than password-only authentication. Protect the smartphone on which you access your passcode or token with biometrics. It is OK to bear some friction if it significantly enhances the security of your account.
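The context-based step-up described above, as an added example that is not part of the original post: a hypothetical policy compares the login context (country from the source IP, device identifier, hour of day) against a per-user baseline of past logins and requires only a password when nothing deviates, a password plus a software token otherwise. The user "alice", her baseline and the login contexts are constructed sample data; a user with no baseline is treated as anomalous so the policy fails closed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """Signals observed at login time (constructed sample data, not real telemetry)."""
    username: str
    country: str      # derived from the source IP address
    device_id: str    # cookie or device fingerprint seen on earlier logins
    hour_utc: int     # hour of day of the attempt, 0-23


@dataclass(frozen=True)
class UserBaseline:
    """What a normal login looks like for this user, learned from past successful logins."""
    countries: frozenset
    devices: frozenset
    active_hours: range


# Constructed baseline for a hypothetical user "alice".
BASELINES = {
    "alice": UserBaseline(frozenset({"IN"}), frozenset({"dev-laptop-1"}), range(6, 23)),
}


def anomalies(ctx: LoginContext) -> list:
    """Return the context signals that deviate from the user's baseline."""
    base = BASELINES.get(ctx.username)
    if base is None:
        return ["no_baseline"]  # first-seen user: fail closed and treat as anomalous
    found = []
    if ctx.country not in base.countries:
        found.append("new_country")
    if ctx.device_id not in base.devices:
        found.append("unknown_device")
    if ctx.hour_utc not in base.active_hours:
        found.append("unusual_hour")
    return found


def required_factors(ctx: LoginContext) -> tuple:
    """Adaptive policy: password alone when the context matches, step up to a software token otherwise."""
    if anomalies(ctx):
        return ("password", "totp")
    return ("password",)
```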
Support for Multifactor Authentication at Seqrite
Recognizing the importance of multi-factor authentication, Seqrite supports MFA across its range of products and services. The confidential credentials for most processes are secured with some form of 2FA. Seqrite also treats additional contextual factors, like time and location, as important authentication signals. The Endpoint Security solution offered by Seqrite also evaluates and mitigates the risks associated with fraudulent transactions.
For users, it is critical to safeguard their credentials. For companies, users must be provided with mechanisms that support this. Enable MFA: avoid SMS-based 2FA.