Multi-factor authentication (MFA) is “a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account” (Source: National Institute of Standards and Technology). Some examples of multi-factor authentication that you might be familiar with are:
While the MFA framework is not new (even older technologies like the ATM require you to swipe your debit card and enter your PIN before letting you take out cash), it is increasingly ubiquitous online. Today, logging into social media, signing into your email from an unfamiliar computer, and ordering food online will most likely require you to pass some kind of MFA process.
Two-factor authentication is a common subset of MFA. If an MFA security framework requires just two types of credentials, as is often the case, it can also be referred to as 2FA (two-factor authentication).
According to NIST, a credential is defined as “evidence or testimonials that support a claim of identity or assertion of an attribute...” So, think of a credential as a piece of evidence that proves you really are who you say you are. While the first type of credential that comes to mind is likely the password, there are many different types of credentials, all of which can be categorized into three sections:
Multi-factor authentication serves as an extra layer of security, designed specifically to prevent fraud caused by what security experts call the domino effect.
This is how the domino effect works, according to an article authored by Blake Ives, Kenneth R. Walsh, and Helmut Schneider:
“While password theft is a threat to the system from which the passwords were stolen, the network password vulnerability also threatens other systems. If users have many password-protected accounts and they reuse a password across more than one account, a hacker gaining access to one account may be able to gain access to others. If, for example, a hacker gains access to a weakly defended departmental file server and those passwords are stolen, those passwords could be used to gain access to a more secure corporate system. The hacker will reasonably anticipate that some users keep the same password on both systems. As e-commerce grows, the likelihood increases that a hacker who obtains access to passwords at a popular site might be able to use those user IDs and passwords at another site. For example, there is an obvious and probably sizable overlap between AOL and Citibank or BankOne and Amazon.com customers. A domino effect can result as one site’s password file falls prey to a hacker who then uses it to infiltrate other systems, potentially revealing additional password files that could lead to the failure of other systems.”
81% of hacking-related breaches leveraged either stolen or weak passwords (Source: Verizon Data Breach Investigations Report)
There are two primary shortcomings associated with today’s iteration of MFA:
Fortunately, the next generation of MFA solutions enables the best of both worlds and provides consumers with a more secure and frictionless experience.
Today, the one-time password (OTP) is a commonly used credential that verifies a user’s identity using something you have (a phone). At Prove, we call this ‘running a possession check.’
When a customer first creates an account, they enter their phone number. Later, when they log in or complete a high-risk transaction, a series of random digits is texted to their phone. To continue, they must enter the digits that were texted to them.
Recently, time-based one-time passwords (TOTPs), a subset of OTPs, have grown increasingly popular. A TOTP is an OTP with the added security benefit of a time limit: if you don't enter the code within the given time window, it is no longer valid.
Despite their popularity, OTPs (including TOTPs) have security vulnerabilities worth noting, since fraudsters have developed a tried-and-tested playbook for stealing a victim's OTP through SIM swap fraud.
A SIM swap attack (a.k.a “port-out scam, SIM splitting, smishing or simjacking”) can be defined as a “type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.”
Due to a systemic vulnerability in our telephonic infrastructure, exacerbated by social engineering, fraudsters can surreptitiously take over a victim's phone number, intercept the OTP, and gain entry to the victim's account in just minutes. There are multiple reports outlining the devastating effects of SIM swap fraud on a victim's life.
SIM swap attacks are a common way for fraudsters to bypass many MFA flows by intercepting OTPs. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure, indicating a high possibility of a recent SIM swap or an account takeover. Another recent study on the top five US prepaid carriers highlighted that 80% of SIM swap attacks were successful because of authentication vulnerabilities.
This is a global issue:
While SIM swap fraud and other forms of identity fraud are hurting both individual consumers and businesses, the good news is that we have the technology today to prevent these crimes from continuing. By leaving behind legacy technologies and investing in phone-centric identity, companies can reduce both fraud and friction. Here are four solutions that every company should have in their security flow:
Multi-factor authentication is fast becoming a norm in the digital world because it provides a critical extra layer of security. However, not all MFA flows are created equal. As fraud rates continue to rise, it’s crucial to invest in the next generation of tools to protect your customers and your business.
Contact us to learn more about how Prove can help you up-level your MFA.