RIP OTPs: Modernizing Multi-Factor Authentication (MFA) with Behavioral Biometrics

In their never-ending quest to protect mobile banking and digital payments from cybercriminals, financial institutions are going beyond fingerprint scans and iris recognition and implementing new and more advanced behavioral biometric technologies at an unprecedented pace. This new wave of biometric technologies, made possible by improved hardware and advances in machine learning, is poised to change the cybersecurity landscape forever, leaving some legacy technologies like OTPs in the dust. 

Last week, Prove’s very own Mitul Parmar, Director of Product Management & Corporate Development, sat down with UnifyID’s Founder & CEO John Whaley to discuss the imminent demise of one-time passwords (OTP) and the bright future of behavioral biometrics. Here are six big takeaways from this must-watch webinar: 

1. Despite its vulnerabilities, there are plenty of good reasons why OTPs are still popular.

For years now, the security vulnerabilities of OTPs sent via SMS have been well-documented, and yet the OTP remains the number one form of multi-factor authentication. Why? 

Ultimately, in lieu of better options, companies have decided that the consumer convenience enabled by OTPs outweighs the security risk OTP vulnerabilities pose. In short, the success of the OTP is driven not by its security but by the convenience inherent in its usage as an authentication method.

By shifting the conversation from one about the security weaknesses of OTPs to one about why it remains a popular form of cybersecurity provides a valuable insight into the future of cybersecurity. While OTPs will soon be a thing of the past, other forms of phone-centric authentication are here to stay. 

2. Speaking of OTP limitations, there are many.

Mitul and John venture that OTPs via SMS will be an unacceptable form of authentication within the next few years. The fundamental problem inherent in OTPs stems from the fact that the SMS infrastructure was not designed to send secure or encrypted messaging, which is why it is easy for cybercriminals to steal OTPs via interceptions, SIM swaps, or number porting.

Other less-known limitations that hinder the future growth of OTPs are related to the cost of sending SMS at scale internationally. While sending millions of SMS a day is inexpensive for a major corporation in the United States, it is cost-prohibitive in many other countries. Poor cellular coverage in developing countries also poses a major problem. 

3. We’re living in the “age of the security breach.”

If you’re reading this, there’s a good chance your information has been compromised from a security breach. In fact, according to Statista, there were 1001 reported data breaches in the United States in 2020 alone. Sensitive data stolen via security breaches is bought and sold on the dark web, putting consumers at risk. “If your information is on the dark web, it’s already being sold and resold, most likely multiple times over,” says Brian Stack, Vice President of Dark Web Intelligence at Experian. “Once it’s out there, you’re not going to be able to stop the spread of it.” To add insult to injury, sensitive consumer data is inexpensive; a social security number, for example, can be purchased for as little as $1. The increase in data breaches and the ease with which personal data such as passwords and social security numbers are bought and sold makes them less effective security tools, necessitating cybersecurity professionals to innovate.

In decades past, most authentication methods relied on “what you know.” This meant passwords, social security numbers, and PIN codes were used to authenticate a user. Because of the growing number of security breaches, however, authentication methods need to add elements that focus instead on “who you are” (biometric characteristics like gait, fingerprint, and iris analysis) and “what you have” (soft or hard tokens, including the mobile phone).

4. Remote working is driving the need for remote authentication.

COVID-19 caused an exodus of knowledge workers from offices, beginning a new age of remote work. Whereas in prior years, an actual office building served as a security barrier (only authorized individuals could access secure computers), this is no longer the case. The change from office work to work-from-home setups has made it imperative for organizations to up their game when it comes to developing robust remote authentication protocols for workers. By implementing behavioral biometrics and other advanced tools, IT professionals can make it easy for employees to login from anywhere while protecting the integrity of their workplace’s digital infrastructure.

‍

5. 80% of smartphones are compatible with behavioral biometrics.

Behavioral biometrics rely on advanced hardware to measure the unique characteristics of individuals. Fortunately, every new generation of iPhone and Android comes chock-full of new and improved sensors that enable more advanced forms of behavioral biometrics. The new iPhone, for example, contains a proximity sensor that “determines how close the iPhone is to your face,” an ambient light sensor that determines “how much light is available in the area surrounding the iPhone,” a barometer that “measures air pressure to determine altitude” and many, many others. When this data is analyzed with the help of machine learning, computer programs can create profiles for each user that capture an individual’s unique behavioral biometric characteristics. During logins, the current behavior can be compared with the established profile to authenticate a user. 

UnifyID’s GaitAuth™, for instance, relies on a smartphone’s various sensors to measure how an individual walks while holding their phone. Because an individual’s walking style is unique, it can be used to authenticate a user. Think of it as a fingerprint in motion. With accuracy levels of 1:50,000 false positive rate, GaitAuth is an extremely reliable authentication method to improve pass rates.

6. The future is frictionless.

Conventional wisdom in the cybersecurity community will tell you that with every new security feature added to an application, the number of customers who give up and drop out of the cumbersome process will increase. Fortunately, when it comes to the latest biometric technologies, conventional wisdom is wrong.

Because cutting-edge behavioral biometrics run primarily in the background, it offers a frictionless solution that increases security and improves customer experience.

GaitAuth, for example, tracks the unique characteristics of a user’s walking style when the user is living their everyday life. It doesn’t require the customer to do anything but go about their daily life. After the unique gait style is captured, it can be used to facilitate passwordless logins, improve MFAs, expedite call center authentication, and even curb promotion abuse.

To learn more about the future of digital authentication, check out the video recording of the webinar.

Get in touch

‍