The Coronavirus pandemic has led to a rise in hacking and phishing activity. SIM swapping,
fraudulent emails and clickbait links are all increasing rapidly, and traditional authentication
measures such as one-time codes delivered by SMS are no longer sufficient to protect your personal
and online accounts. SMS codes have been in use for a long time and, unfortunately, they are no
longer secure. Let us look at the shortcomings of SMS-based authentication and then explore the
possible alternatives.
Why isn't SMS sufficient?
Over the years, attackers have repeatedly tricked (or bribed) mobile carriers into moving a
customer's phone number onto a SIM the attacker controls. This is known as SIM swapping, and once
it succeeds every call and text meant for you, including SMS login codes, reaches the attacker
instead. The personal details a carrier uses to verify such a request (date of birth, address, the
last digits of a Social Security number or account number) are routinely exposed in data breaches,
so they are not hard to obtain. Combine a ported number with leaked identity data and an attacker
can reset passwords and take over your accounts.
The telephone network itself has a further weakness, known as an SS7 attack. SS7 is the signalling
protocol carriers use to route calls and texts between networks, and it has little authentication
between operators. An attacker with access to an SS7 interconnect can redirect or intercept your
calls and text messages, including SMS codes, and query your handset's location.
The drawbacks listed above make SMS a poor way to deliver login codes. A better option is an
authenticator app. Let us explore them below.
Authentication apps
App-based authentication works in one of two ways. The first is a push prompt: if you attempt to
log in to Gmail from an unrecognised device or location, Google sends a prompt to your enrolled
phone asking you to confirm the sign-in, sometimes by tapping the number that matches the one
shown on the sign-in screen. The second is a code generator: apps such as Google Authenticator,
Microsoft Authenticator and Authy hold a secret shared with the service at enrolment and derive a
short one-time code from that secret and the current time, which you enter alongside your
password.
Both are more secure than SMS. The secret never leaves the phone, so there is nothing for a SIM
swap or SS7 intercept to capture, and a generated code is only accepted for a short window
(typically 30 seconds, plus a little tolerance for clock drift), so a code read out of an old
message is useless. With push prompts you approve with a tap instead of retyping a code. That is
convenient, but not inherently safer: an attacker who already has your password can trigger
prompts until you approve one by mistake, which is why prompts that require matching a displayed
number are preferred over a plain "Approve" button. Codes from an authenticator app can also still
be phished in real time by a fake site that relays them to the real service, so the app raises the
bar considerably without making the login unphishable.
Many services support these apps; you enable the option in the account's security settings, and
where push is offered you then receive notifications that require a tap to approve.
Having said that, authenticator apps, like SMS, are a form of two-factor authentication (2FA), and
2FA as commonly deployed has shortcomings of its own. Let us explore them below.
Drawbacks of Two Factor Authentication (2FA)
Two-step verification (whether an SMS code or an authenticator app) is more secure than
single-factor authentication, which means a password alone. Nevertheless, 2FA has plenty of
shortcomings. The weaknesses of SMS delivery were described earlier in this post. There are other
scenarios too that make 2FA an inconvenience rather than a protection. For example, when
Hurricanes Harvey and Irma struck the southern United States in 2017, the power infrastructure of
the affected areas was badly damaged. People had no electricity to charge their mobile phones and
so could not log into their financial and social media accounts.
Recovery options also work against the whole idea of 2FA. If you can regain access to your
factors through a simple recovery flow (an emailed link, a security question), an attacker can use
the same flow; without any recovery path, losing your phone means losing the account. One-time
recovery codes generated at enrolment and stored offline are the usual compromise.
Worse, an attacker who has already taken over an account can turn 2FA against you: by enrolling
their own second factor and changing the recovery details they lock the legitimate owner out,
and you can permanently lose access to your sensitive data.
Multi Factor Authentication
Over recent years, multi-factor authentication has emerged as the natural successor to two-factor
authentication. Multi-factor authentication (MFA) generalises 2FA: instead of exactly two factors
it combines two or more, drawn from different categories. For example, in addition to a password
and an SMS or app code, you might be asked for a fingerprint or a face scan. Each independent
factor an attacker must defeat reduces the chance that a single stolen password or intercepted code
is enough to breach the account.
Typically, the factors fall into three categories:
a. Something you know, e.g. a password or PIN.
b. Something you have in your possession, e.g. a smartphone, hardware token or badge.
c. Something you are, e.g. a fingerprint, your face or your voice.
In practice, MFA deployments draw on a combination of elements such as the following:
a. Smartphone-generated codes or push prompts
b. Badges, USB security keys and other hardware devices
c. Certificates or software tokens
d. Facial recognition
e. Behavioural analysis
f. Security question answers
g. Codes delivered to an email address
h. Fingerprints
Security questions and emailed codes are the weakest of these: both are effectively "something you
know" that an attacker may be able to look up or intercept, so they should not be counted as an
independent factor.
Beyond the factors themselves, many MFA systems also weigh the user's behaviour and the context of
the login while authenticating. The signals mainly include:
a. Where are you? Are you on your home network, or outside on an untrusted Wi-Fi network (a cafe,
for example)?
b. What time is it? Is the attempt at an unusual hour for you?
c. Which device is being used? Is it your usual smartphone or laptop, or one never seen before?
d. What kind of network are you on? Is it public or private?
Adaptive Authentication
Adaptive (risk-based) authentication is a form of multi-factor authentication that scores each
login against the signals above, often using machine learning models trained on the user's past
activity, and adjusts what it demands accordingly. The idea is to detect unusual logins, flag them
and require a stronger factor for them, while letting routine logins through with less friction.
For example, the first time you sign in from a cafe, adaptive authentication will ask for an
additional or stronger factor. If it becomes a regular occurrence, i.e. you sign in from that cafe
at the same time every day, the system learns the pattern and asks for less. In short, adaptive
authentication monitors user activity, flags risky sign-ins and chooses the level of proof
appropriate to each one.
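The following is an added example (not code from the original post or from any vendor's product)
of the step-up logic the two preceding sections describe: a login attempt is scored against what
has been seen for the user before, and the score decides whether a password is enough, an app
code is needed, or an extra factor such as a biometric is demanded. The signal weights,
thresholds and the "five sightings makes a network routine" rule are illustrative assumptions; a
production risk engine learns such parameters from data rather than hard-coding them.

```python
"""Risk-based (adaptive) step-up decision.

Added example, not from the original post. Hypothetical weights and
thresholds; the point is how unfamiliar context raises the required
proof and how repeated, successful behaviour lowers it again.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical step-up levels, weakest to strongest.
ALLOW = "password_only"
OTP = "password_plus_app_code"
STRONG = "password_plus_app_code_plus_biometric"

ROUTINE_AFTER = 5          # assumed: a network seen this often is "routine"


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    network: str           # e.g. "home-lan", "cafe-wifi" (constructed labels)
    country: str
    hour: int              # local hour, 0-23
    public_network: bool


@dataclass
class UserProfile:
    """What the engine has learned from previous successful logins."""
    devices: Set[str] = field(default_factory=set)
    networks: Dict[str, int] = field(default_factory=dict)   # network -> count
    countries: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> int:
    """Sum illustrative weights for each unfamiliar or risky signal."""
    score = 0
    if attempt.device_id not in profile.devices:
        score += 40                        # never-seen device: strongest single signal
    seen = profile.networks.get(attempt.network, 0)
    if seen == 0:
        score += 25                        # never-seen network
    elif seen < ROUTINE_AFTER:
        score += 10                        # seen before, not yet routine
    if attempt.public_network:
        score += 15 if seen >= ROUTINE_AFTER else 30   # public Wi-Fi always costs something
    if attempt.country not in profile.countries:
        score += 30
    if attempt.hour not in profile.usual_hours:
        score += 10
    return score


def required_step_up(score: int) -> str:
    """Map a score onto the factor set the user must clear (assumed thresholds)."""
    if score >= 50:
        return STRONG
    if score >= 15:
        return OTP
    return ALLOW


def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    return required_step_up(risk_score(attempt, profile))


def record_success(attempt: LoginAttempt, profile: UserProfile) -> None:
    """Only successful, fully authenticated logins teach the profile."""
    profile.devices.add(attempt.device_id)
    profile.networks[attempt.network] = profile.networks.get(attempt.network, 0) + 1
    profile.countries.add(attempt.country)
    profile.usual_hours.add(attempt.hour)


def step_up_sequence(attempt: LoginAttempt, profile: UserProfile, days: int) -> List[str]:
    """Decisions for the same login repeated once a day, learning after each success."""
    decisions = []
    for _ in range(days):
        decisions.append(decide(attempt, profile))
        record_success(attempt, profile)
    return decisions


if __name__ == "__main__":
    alice = UserProfile()
    for hour in range(9, 18):              # constructed history: office hours at home
        record_success(LoginAttempt("alice", "laptop-1", "home-lan", "US", hour, False), alice)
    cafe = LoginAttempt("alice", "laptop-1", "cafe-wifi", "US", 12, True)
    print(step_up_sequence(cafe, alice, 7))
```

Note that only successful logins update the profile: if attempts were recorded before the step-up
was cleared, an attacker could "train" the engine into trusting their device simply by retrying.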
Conclusion
In the modern business landscape more people than ever are working from home, and this has pushed
secure access into the limelight. Businesses need identity and access controls that are secure and
that cope with a variety of devices, networks and locations. Two-factor authentication built on
SMS has serious security shortcomings, and even app-based 2FA can be phished or worn down with
repeated prompts. Over recent years multi-factor authentication has been gaining ground because
it layers stronger, independent factors and so provides a safer identity setup. With the advent of
adaptive authentication it becomes harder still for an attacker to cause a breach: the system
examines the user's activity and context, notices the unfamiliar device, network or time, and
demands proof the attacker cannot provide.
From a consumer's perspective this is a welcome change too: access is more secure, and the chance
that a stolen password or intercepted code alone is enough to compromise an account is much
lower. Multi-factor authentication, and adaptive authentication in particular, is the present and
future of the identity and access management landscape.