
Fortifying Multi-Factor Authentication

Prove
March 16, 2021

Multi-Factor Authentication (MFA) is a key requirement in ensuring a safe and secure transaction in the digital world. It’s defined as an electronic authentication method in which an event is verified only after two or more factors of authentication evidence have been successfully presented. These factors are:

  1. Knowledge: Something that a user knows, e.g., PINs or passwords
  2. Possession: Something that a user has, e.g., a device or token (could be hardware or software)
  3. Inherence: Something that the user is, e.g., biometrics or behavioral characteristics

Most industry-wide strong authentication guidelines such as the National Institute of Standards and Technology’s (NIST) guidelines in the US or PSD2 SCA (strong customer authentication) rules in the EU follow the above guidelines or even mandate at least two of the above three factors be satisfied prior to the approval of high-risk events.

SMS OTP, Though Popular, Has Known Vulnerabilities

Currently, the use of MFA in online banking, payments, and other high-risk events relies heavily on SMS or voice one-time passcodes (OTPs). Using SMS as a delivery channel has multiple benefits: it is device- and network-agnostic, it is easy for customers to use and for organizations to administer, and telephone numbers are easily added to a database.

Despite these benefits, OTPs have their own drawbacks. They can be subject to man-in-the-middle attacks and can be compromised by SIM-swap fraud. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure, indicating a high possibility of a recent SIM swap or an account takeover. Another study on the top five US prepaid carriers conducted last year highlights that 80% of SIM swap attacks were successful because of authentication vulnerabilities.

This is not an issue that is confined to the US. It is a global one. For example:

Strengthening Multi-Factor Authentication Using Phone-Centric Identity™

With a rise in SIM swap and man-in-the-middle attacks, strengthening OTP is critical for companies who want to continue using it as a multi-factor authentication method. Factors such as length of the OTP, expiration period, delivery channel, and dynamic linking are important attributes to ensure safe usage of these one-time tokens.

At Prove, we are constantly experimenting with different combinations of these attributes for various use cases such as onboarding, transaction validation, and customer servicing to ensure it becomes harder for bad actors to compromise OTPs. Prove’s phone-centric approach revolves around strengthening MFA using additional signals such as device type, phone line type, device activity, SIM tenure, and other line attributes to allow customers to “Know-Before-You-Send.”
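The OTP attributes named above (length, expiration period, dynamic linking) together with a pre-send SIM-tenure check, as an added example that is not from the original article and is not Prove's code. The class name, the policy values and the `sim_tenure_days` input are assumptions; a real deployment would obtain the tenure signal from its carrier or phone-intelligence provider.

```python
import hashlib, hmac, json, secrets, time

# Assumed policy values for illustration; the article gives no numbers.
OTP_DIGITS = 8
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3
MIN_SIM_TENURE_DAYS = 7

class OtpIssuer:  # hypothetical name
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._pending = {}  # txn_id -> [tag, expires_at, attempts_left]

    def _tag(self, code, txn_id, payee, amount_cents):
        # Dynamic linking: the verifier covers the code AND the transaction
        # details, so a code phished for one payment cannot approve another.
        msg = json.dumps([code, txn_id, payee, amount_cents]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id, payee, amount_cents, sim_tenure_days, now=None):
        now = time.time() if now is None else now
        # Pre-send check: never deliver a code to a line whose SIM changed
        # recently; the caller should fall back to another factor.
        if sim_tenure_days < MIN_SIM_TENURE_DAYS:
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        tag = self._tag(code, txn_id, payee, amount_cents)
        self._pending[txn_id] = [tag, now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # hand to the delivery channel; only the tag is stored

    def verify(self, code, txn_id, payee, amount_cents, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[txn_id]  # expired or locked out
            return False
        entry[2] -= 1
        if hmac.compare_digest(tag, self._tag(code, txn_id, payee, amount_cents)):
            del self._pending[txn_id]  # single use: a replay finds nothing
            return True
        return False

if __name__ == "__main__":
    issuer = OtpIssuer()
    otp = issuer.issue("txn-1", "ACME Ltd", 5000, sim_tenure_days=400)
    print(issuer.verify(otp, "txn-1", "Other Payee", 5000))  # payee altered
    print(issuer.verify(otp, "txn-1", "ACME Ltd", 5000))     # original details
```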

Here are some next-gen methods that can help fortify MFA:

  • Passwordless Authentication: Our Mobile Auth solution connects with mobile networks to verify that activity is coming from an expected device, authenticating customers without the need for easily compromised passwords or PINs. Since it is built on core network infrastructure, it is a secure and frictionless method to strengthen a customer’s authentication flow, either as a replacement for OTPs or fortifying them.
  • Secure Links: Our Instant Link solution replaces the traditional SMS OTP with a secure SMS link message. Using a combination of active (SMS delivery with user action required) and passive (checking against phone intelligence signals) checks, it authenticates identities in real time when users click the link, creating a more secure alternative to the SMS OTP.
  • Biometrics: Traditional biometrics limit fraudulent transactions through a user’s physical attributes (e.g., voice, fingerprint, facial features), while behavioral biometrics limit fraudulent transactions by analyzing the unique customer-device interaction patterns (e.g., location, screen angle, etc.).
  • Trust Indicator: Our Trust Score™ uses behavioral and phone intelligence signals to measure a phone number’s fraud risk and identity confidence in real-time. Scaled from 0 to 1000 (with a score of less than 300 classified as low-trust, high-risk), the Trust Score model can be implemented to secure use cases across account enrollment, login, high-risk events, and customer communications.

Apart from the obvious advantages in significantly reducing identity theft, advanced solutions in identity proofing and authentication deliver several revenue and operational upsides such as better consumer experience, enhanced exception management, and lower cost of fraud management.

The COVID-19 pandemic has accelerated the pace of digital transformation across industries. However, it has also opened the door for bad actors to take advantage of weak security implementations at various interaction points. Companies need to look beyond traditional methods and adopt solutions that fortify existing authentication practices to fend off improvised identity takeover fraud—Prove can help.

Prove’s MFA solutions are available in 195 countries globally. To learn more about how Prove can help with and reinforce your MFA needs, please contact us.
