Fortifying Multi-Factor Authentication

March 16, 2021

Multi-Factor Authentication (MFA) is a key requirement in ensuring a safe and secure transaction in the digital world. It’s defined as an electronic authentication method in which an event is verified only after successfully presenting two or more factors of authentication mechanism evidence. These factors are:

  1. Knowledge: Something that a user knows, e.g., PINs or passwords
  2. Possession: Something that a user has, e.g., a device or token (could be hardware or software)
  3. Inherence: Something that the user is, e.g., biometrics or behavioral characteristics

Most industry-wide strong authentication guidelines such as the National Institute of Standards and Technology’s (NIST) guidelines in the US or PSD2 SCA (strong customer authentication) rules in the EU follow the above guidelines or even mandate at least two of the above three factors be satisfied prior to the approval of high-risk events.

SMS OTP, Though Popular, Has Known Vulnerabilities

Currently, the use of MFA in online banking, payments, and other high-risk events relies heavily on SMS or voice one-time passcodes (OTPs). The usage of SMS as a delivery channel has multiple benefits: device- and network-agnostic, customer usage ease, organization administration ease, and database addition of telephone numbers.

Despite these benefits, OTPs have their own drawbacks. They can be subject to man-in-the-middle attacks and can be compromised by SIM-swap fraud. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure, indicating a high possibility of a recent SIM swap or an account takeover. Another study on the top five US prepaid carriers conducted last year highlights that 80% of SIM swap attacks were successful because of authentication vulnerabilities.

This is not an issue that is confined to the US. It is a global one. For example:

Strengthening Multi-Factor Authentication Using Phone-Centric Identity™

With a rise in SIM swap and man-in-the-middle attacks, strengthening OTP is critical for companies who want to continue using it as a multi-factor authentication method. Factors such as length of the OTP, expiration period, delivery channel, and dynamic linking are important attributes to ensure safe usage of these one-time tokens.

At Prove, we are constantly experimenting with different combinations of these attributes for various use cases such as onboarding, transaction validation, and customer servicing to ensure it becomes harder for bad actors to compromise OTPs. Prove’s phone-centric approach revolves around strengthening MFA using additional signals such as device type, phone line type, device activity, SIM tenure, and other line attributes to allow customers to “Know-Before-You-Send.”

Here are some next-gen methods that can help fortify MFA:

  • Passwordless Authentication: Our Mobile Auth solution connects with mobile networks to verify that activity is coming from an expected device, authenticating customers without the need for easily compromised passwords or PINs. Since it is built on core network infrastructure, it is a secure and frictionless method to strengthen a customer’s authentication flow, either as a replacement for OTPs or fortifying them.
  • Secure Links: Our Instant Link solution replaces the traditional SMS OTP with a secure SMS link message. Utilizing a combination of active (SMS delivery with user action required) and passive (checking against phone intelligence signals) it authenticates identities in real time when users click the link, creating a more secure alternative to the SMS OTP.
  • Biometrics: Traditional biometrics limit fraudulent transactions through a user’s physical attributes. E.g., voice, fingerprint, facial features—while behavioral biometrics limit fraudulent transactions by analyzing the unique customer-device interaction patterns. E.g., location, screen angle, etc. 
  • Trust Indicator: Our Trust Score™ uses behavioral and phone intelligence signals to measure a phone number’s fraud risk and identity confidence in real-time. Scaled from 0 to 1000 (with a score of less than 300 classified as low-trust, high-risk), the Trust Score model can be implemented to secure use cases across account enrollment, login, high-risk events, and customer communications.

Apart from the obvious advantages in significantly reducing identity theft, advanced solutions in identity proofing and authentication deliver several revenue and operational upsides such as better consumer experience, enhanced exception management, and lower cost of fraud management.

The COVID-19 pandemic has accelerated the pace of digital transformation across industries. However, it has also opened the door for bad actors to take advantage of weak security implementations at various interaction points. Companies need to look beyond traditional methods and adopt solutions that fortify existing authentication practices to fend off improvised identity takeover fraud—Prove can help.

Prove’s MFA solutions are available in 195 countries globally. To learn more about how Prove can help with and reinforce your MFA needs, please contact us.

Get in Touch

Keep reading

See all blogs
Fraud in the Age of AI: Meet the Shapeshifter

The COVID-19 pandemic not only changed the way we work and live, it also unleashed a wave of fraud unlike anything we've seen before.

Mary Ann Miller
July 18, 2024
Company News
Introducing Prove Link™ – Unlocking the Power of Identity for Any Business

To continue achieving our mission of accelerating trusted interactions on the internet, we’re proud to announce the introduction of the Prove developer self-service platform and the Prove LinkTM SDK. With these tools, it’s now faster and easier for any company to integrate our industry-leading identity technology into its brand operations.

July 16, 2024
Company News
Combating Deepfakes: Leveraging Phone-Centric Identity℠ Verification to Overcome Media-Based Vulnerabilities

Identity verification systems that depend on image or audio samples for digital customer onboarding are increasingly vulnerable to deepfake attacks.

Tim Brown
July 5, 2024