Security is a tricky thing. We often tend to believe that a more personalised and customised security experience is a safer one. This is a big misconception. And potentially a dangerous one when it comes to various security threats. Let’s dig a bit deeper.
A few years ago, the big tech players and numerous other platform businesses started offering a new security feature called two-factor authentication (2FA) and later multi-factor authentication. The premise was, and remains, great. Passwords alone simply aren’t safe enough. This is primarily because we, as users, choose passwords that are easy to remember and, therefore, often easy for malicious third parties to crack. Quick reminder: iloveyou is NOT a secure password! Or we choose secure passwords that are sufficiently complicated, but we use them repeatedly across different devices and platforms because then we only have to remember ONE difficult password. Sure, this may work. That is, until a cybercriminal finds out that password.
This behaviour is absolutely understandable, especially given the number of passwords that we generally have to recall. Estimates place this number at 100. It’s unrealistic to expect users to remember 100 unique and complex passwords. So 2FA and MFA were touted as a way to provide truly thorough verification, using a second means of authentication. Another factor, so to speak.
Just because it’s digital doesn’t necessarily mean it’s better.
Many people got on board the 2FA/MFA bandwagon. And the first companies promoting it sold it as a foolproof way to ensure the right person was being given access to password-protected data. However, these companies neglected to consider the lengths to which hackers would go to outsmart the latest security trend. And it turns out not all 2FA/MFA factors are equal. Some are significantly safer than others. Let’s start with an analogy to highlight the problem.
Let’s say you want to take cash out at an ATM machine. This procedure is pretty secure. Only you have your ATM card, and only you have your PIN. You need these two things – which two-factor authentication protocols would refer to as something you have (card) and something you know (PIN) – in order to take out cash. However, let’s say that this piece of information that you know was instead a single-use PIN provided to you by a third party. Perhaps someone standing next to you, shouting it out to you as bystanders stood around watching and overhearing your verbal transaction.
The majority of us would probably, and very wisely, reject this “security” measure. What good is a password or PIN if everyone around me knows it as well? However, we agree with almost exactly this approach to security when it’s packaged as a digital safety protocol. Specifically when we sign up for 2FA/MFA security and rely on one-time passwords (OTP) sent to us via email or SMS.
Why SMS and email simply aren’t secure links in the security chain
The smarter our security procedures get, the more workarounds hackers find to circumvent them. 2FA/MFA remain one of the best ways to provide strong identity verification and prevent unauthorised access to data and accounts. However, for the “something you know” factor, 2FA/MFA rely on a weak link. Namely, telecommunications.
Many services, including social media platforms and online payment providers, rely on OTP as an additional authentication factor for 2FA. When you attempt to log in to your account from an unknown device, these services will then send an SMS to your mobile device with an OTP to verify that you are who you say you are. However, there are many ways that this OTP can fall into the wrong hands between when it is sent and when it is used. Here are just a few of them:
- Multiple devices, one login: Many of our devices are interconnected. This is incredibly helpful and ensures that we are completely connected. However, it might also mean that an OTP sent to your mobile device also gets sent to your iPad, your laptop or even your office desktop. This is especially problematic if your devices provide notifications even when your screen is locked. Sidenote: it’s a good idea to turn off lock-screen notifications on all your devices for various security reasons
- Compromised SIM cards: If your SIM card is infected with malware, all your messages can easily be intercepted by third parties. Equally dangerous is a SIM card without its own PIN code. If your password-protected phone gets lost or stolen, a PIN-free SIM can easily be placed in any new device, and all your messages would be rerouted to that device. Another side note: make sure your SIM cards are PIN-protected!
- Fake SIM cards: It is unfortunately not impossible, or even terribly difficult, for a malicious player to get a new SIM card with your phone number. In that case, all traffic would be rerouted to the new device. That includes any OTPs.
So are 2FA/MFA still secure options?
As previously mentioned, the premise behind 2FA/MFA is solid. SMS (or email) is only a weak link. There are plenty of other factors and authentication tools that ensure the type of robust security that companies need and users expect from 2FA/MFA. Factors that rely on geolocation or physical authentication keys are much harder to fake or intercept than SMS OTPs. However, they’re not entirely user-friendly. The former can sometimes cause serious access problems for users (read more about geolocation complications in our article “The Risks of Sticking With Password-Protected Authentication”) and the latter requires that users always have their physical access key on their person.
However, there is another option – one that many of us literally have at our fingertips all the time: biometrics. Using facial recognition technology or fingerprint scanning that is installed in most mobile devices and many computers, it is possible to integrate one of the most secure 2FA/MFA factors available: something we are. In this case, a unique fingerprint or our one-of-a-kind face.
The Nevis Authentication Cloud integrates biometric authentication to provide a passwordless login process to users that is FIDO-certified. FIDO is a gold standard for secure, fast and simple online authentication and it makes it possible for companies to install hardware-supported authentication (a fingerprint or facial recognition) in their products. Which in turn makes it possible for users to easily register for online services with just their fingerprint or face. And most importantly, without a password.
How does the Nevis Authentication Cloud experience work? First, customers create an account using the standard registration process. This procedure is familiar to anyone who has previously created an online account. The user selects a username and then clicks on the “sign-in” button on their mobile device. The Nevis Authentication Cloud entity then sends a push message (a deep link for mobile-first) to the user’s mobile phone. After opening the message, the user can authenticate him/herself with the selected biometric method. Once the process is complete, the Nevis Access App confirms the user’s identity and the user is then automatically logged in to the platform or service.
As the whole problem with passwords has highlighted, the perfect security experience is not just about security; it’s also about comfort. The Nevis Authentication Cloud offers both.