What is Multi-Factor Authentication (MFA), and How Does It Work?

What is multi-factor authentication?

Multi-factor authentication (MFA) is “a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account” (Source: National Institute of Standards and Technology). Some examples of multi-factor authentication that you might be familiar with are: 

• After you enter your username and password into your bank account, you must enter the one-time password (OTP) sent to you via SMS.
• After you enter the password to your brokerage account, you must undergo a face scan. 

While the MFA framework is not new (even older technologies like the ATM require you to swipe your debit card and enter your PIN before letting you take out cash), it is increasingly ubiquitous online. Today, logging into social media, signing into your email from an unfamiliar computer, and ordering food online will most likely require you to pass some kind of MFA process. 

What is the difference between multi-factor authentication and two-factor authentication (2FA)?

Two-factor authentication is a common subset of MFA. If an MFA security framework requires just two types of credentials, as is often the case, it can also be referred to as 2FA (two-factor authentication). 

What is a credential? 

According to NIST, a credential is defined as “evidence or testimonials that support a claim of identity or assertion of an attribute...” So, think of a credential as a piece of evidence that proves you really are who you say you are. While the first type of credential that comes to mind is likely the password, there are many different types of credentials, all of which can be categorized into three sections:

1. Something you know: Think passwords and PINs. 
2. Something you have: Think FIDO keys or phone.
3. Something you are: This is also called inherence. Think biometric data like fingerprints, face scans, and voice recognition. 

What are the benefits of multi-factor authentication?

Multi-factor authentication serves as an extra layer of security, designed specifically to prevent fraud caused by what security experts call the domino effect. 

This is how the domino effect works, according to an article authored by Blake Ives, Kenneth R. Walsh, and Helmut Schneider:

“While password theft is a threat to the system from which the passwords were stolen, the network password vulnerability also threatens other systems. If users have many password-protected accounts and they reuse a password across more than one account, a hacker gaining access to one account may be able to gain access to others. If, for example, a hacker gains access to a weakly defended departmental file server and those passwords are stolen, those passwords could be used to gain access to a more secure corporate system. The hacker will reasonably anticipate that some users keep the same password on both systems. As e-commerce grows, the likelihood increases that a hacker who obtains access to passwords at a popular site might be able to use those user IDs and passwords at another site. For example, there is an obvious and probably sizable overlap between AOL and Citibank or BankOne and Amazon.com customers. A domino effect can result as one site’s password file falls prey to a hacker who then uses it to infiltrate other systems, potentially revealing additional password files that could lead to the failure of other systems.”

81% of hacking-related breaches leveraged either stolen or weak passwords (Source: Verizon Data Breach Investigations Report)

What are the downsides of multi-factor authentication?

There are two primary shortcomings associated with today’s iteration of MFA:

‍

1. Friction: Most MFA scenarios make it more difficult and time-consuming to log into an account. Human attention is a scarce commodity in today’s fast-paced world, and requiring a customer to provide multiple credentials to log in can cause frustration. However, given the sky-high rates of fraud in today’s digital ecosystem, it’s clear that the security benefits of MFA outweigh the added level of friction. 
2. Security: The battle between the cybersecurity sector and fraudsters is always evolving as fraudsters constantly find new and innovative ways to bypass security measures. Unfortunately, many of the MFA flows used by companies around the world have security vulnerabilities that have been discovered by fraudsters and are exploited every single day. One-time passwords (OTPs), for example, are frequently stolen by fraudsters. 
   

‍

Fortunately, the next generation of MFA solutions enables the best of both worlds and provides consumers with a more secure and frictionless experience.

What is a One-Time Password? 

Today, the one-time password (OTP) is a commonly used credential that verifies a user’s identity using something you have (a phone). At Prove, we call this ‘running a possession check.’

When a customer first creates an account, they enter their phone number. Later, when they log in or complete a high-risk transaction, a series of random digits is texted to their phone. To continue, they must enter the digits that were texted to them. 

Recently, time-based one-time passwords (TOTPs), a subset of OTPs, have grown increasingly popular. TOTPs are simply OTPs with the added security benefit of a time limit. If you don’t enter the OTP within the given time, the OTP is no longer valid. 

Despite their popularity, OTPs (including TOTPs) have security vulnerabilities that are worth noting as fraudsters have developed a tried-and-tested playbook to steal a victim’s OTP via a SIM swap fraud.

What is SIM swap fraud or a SIM swap attack?

‍

A SIM swap attack (a.k.a “port-out scam, SIM splitting, smishing or simjacking”) can be defined as a “type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.”  

Due to a systemic vulnerability in our telephonic infrastructure exacerbated by social engineering, fraudsters can surreptitiously take over a victim’s phone, intercept the OTP, and successfully enter into a victim’s account in just minutes. There are multiple reports outlining the devastating effects of SIM swap fraud on a victim’s life. 

SIM swap attacks are a common way for fraudsters to bypass many MFA flows by intercepting OTPs. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure, indicating a high possibility of a recent SIM swap or an account takeover. Another recent study on the top five US prepaid carriers highlighted that 80% of SIM swap attacks were successful because of authentication vulnerabilities. 

This is a global issue:

• According to Kaspersky’s Fraud Prevention Report, account takeover incidents in the finance industry increased by 20% in 2020 compared to the previous year.
• In the UK, £10 million has been lost due to SIM swap fraud since 2015. 

What are the best ways to secure your multi-factor authentication?

While SIM swap fraud and other forms of identity fraud are hurting both individual consumers and businesses, the good news is that we have the technology today to prevent these crimes from continuing. By leaving behind legacy technologies and investing in phone-centric identity, companies can reduce both fraud and friction. Here are four solutions that every company should have in their security flow: 

1. Prove's Mobile Auth™ solution connects with mobile networks to verify that activity is coming from an expected device, authenticating customers without the need for easily compromised passwords or PINs. This is a totally frictionless solution that runs in the background. 
2. PushAuth™ is a powerful tool to up-level your MFA flow. Instead of sending a passcode via SMS, PushAuth integrates with your existing Android and iOS apps and lets users approve or reject activity happening on other platforms or devices (eg, your website) with the click of a button. It also can silently authenticate and verify users in-app to provide an even more seamless experience. 
3. Prove’s Instant Link™, often referred to as a fortified OTP, authenticates identities by sending users a link via SMS rather than a series of numbers. It’s also more secure because it authenticates in real time. 
4. Behavioral biometrics are powerful tools that verify a user's identity by the unique ways they behave. Today’s technology is so powerful that it is possible to verify a user's identity based on how they walk, type, or even hold their phone. 
5. Prove’s Trust Score™ uses behavioral and phone intelligence signals to measure a phone number’s fraud risk and identity confidence in real-time. Scaled from 0 to 1000 (with a score of less than 300 classified as low-trust, high-risk), the Trust Score model can be implemented to secure use cases across account enrollment, login, high-risk events, and customer communications. It’s a powerful tool that allows companies to avoid sending OTPs to phones that have undergone recent SIM swaps.

Multi-factor authentication is fast becoming a norm in the digital world because it provides a critical extra layer of security. However, not all MFA flows are created equal. As fraud rates continue to rise, it’s crucial to invest in the next generation of tools to protect your customers and your business.

‍

Contact us to learn more about how Prove can help you up-level your MFA.‍