The Problem With Common Two-Factor Authentication Solutions
More websites and online businesses today are beginning to rely on smartphones as a second factor of authentication.
Some online banks have been using SMS-based authentication for transaction verification but recently, major websites and businesses not in regulated industries are recognizing the need for stronger online authentication.
Earlier this year Google made two-factor authentication available to all users, and in the past few days Facebook also rolled out two-factor authentication.
It's great news that more websites are strengthening online authentication. When one considers how much sensitive, personal information people share on the Web, relying on a single layer of password protection simply is not enough.
However, sending a one-time password or authentication code by SMS text message is also not very secure, because they are often sent in clear text.
Mobile phones are easily lost and stolen and if another person has possession of the user's phone, they could read the text message and fraudulently authenticate. SMS text messages can also be intercepted and forwarded to another phone number, allowing a cybercriminal to receive the authentication code.
With more businesses relying on mobile phones for out-of-band authentication, cybercriminals will increasingly target this channel for attack -- meaning that businesses should use a more secure approach than simple SMS text message.
However, the challenge for consumer-facing websites is to balance strong security with usability. Complicated security schemes will not achieve widespread adoption among Internet users.
A more secure and easy to use approach is to display a type of image-based authentication challenge on the user's smartphone to create a one-time password (OTP). Here's one example of how it can be done: During the user's first-time registration or enrollment with the website they choose a few categories of things they can easily remember - such as cars, food and flowers.
When out-of-band authentication is needed, the business can trigger an application on the user's smartphone to display a randomly-generated grid of pictures. The user authenticates by tapping the pictures that fit their secret, pre-chosen categories. The specific pictures that appear on the grid are different each time but the user will always look for their same categories.
In this way, the authentication challenge forms a unique, image-based "password" that is different every time - a true OTP. Yet, the user only needs to remember their three categories (in this case cars, food and flowers).
Delivering a type of knowledge-based authentication challenge to the user's smartphone rather than an SMS message with the code displayed in clear text is more secure because the interaction takes place entirely out-of-band using the mobile channel.
Because the mobile application communicates directly with the business' server to verify that the user authenticated correctly, it is much more secure than having the user receive a code on their phone but then type it into the web page to authenticate.
Additionally, even if another person has possession of the user's phone, they would not be able to correctly authenticate because they do not know the user's secret categories.
This secure two-factor, two-channel authentication process will help mitigate more sophisticated malicious attacks such as man-in-the-browser (MITB) and man-in-the-middle (MITM).
Perhaps as important as security is ease of use. Most Internet users won't adopt security processes that are too cumbersome, and most online businesses don't want to burden their users.
Image-based authentication is much easier on users because they only need to remember a few categories of their favorite things and tap the appropriate images on the phone's screen, which is much easier than typing long passwords on a tiny phone keyboard or correctly copying an alphanumeric code from one's text message inbox on the phone to the web page on the PC.
In fact, a survey conducted by Javelin Strategy and Research group confirmed that 6 out of 10 consumers prefer easy-to-use authentication methods such as image identification/recognition.
More websites and online businesses should follow the example set by Google and Facebook by deploying two-factor authentication for users.
However, as criminals increasingly target mobile authentication methods and intercept SMS text messages, it will be critical for businesses to use a type of knowledge-based authentication challenge rather than sending an authentication code as a plain SMS text message.