7 Challenges That Strong Customer Authentication Solves
Not all multi-factor authentication (MFA) or Strong Customer Authentication (SCA) solutions are alike, especially when it comes to mobile security. The user experience is crucial; after all, convenience is the reason smartphones are so popular. They make our lives easier. They can, however, be the weak link if they are not properly secured.
The volume of cyber attacks has increased significantly as the world's reliance on all things digital grows. In 2021, cyber attacks reached a new high, with a new attack roughly every 39 seconds. The costs of cybercrime are also adding up to ever more eye-popping amounts: organizations lost an estimated $1 trillion to cybercrime in 2020, and that figure is expected to top $10 trillion annually by 2025.
Compromised user credentials remain the most common way in. In one prominent attack from 2020, the attackers built a farm of about 16,000 emulated mobile devices, each spoofing the identifiers of a real customer's phone, then intercepted the SMS one-time passwords (OTPs) sent to the victims and used them to drain millions of dollars from mobile banking accounts in a matter of days.
In spring 2021, meanwhile, attackers stole cryptocurrency from about 6,000 Coinbase accounts. They already held the victims' email addresses, passwords and phone numbers, obtained elsewhere, and exploited a flaw in Coinbase's SMS account-recovery flow to obtain the SMS two-factor token needed to take over the accounts.
The damage from these breaches is dismaying, but no less so is the thought that they might have been prevented with stronger authentication.
Consider Secure Channel-Based Push Authentication Instead of SMS OTP
SMS verification, meaning an OTP sent via SMS, has become common in most markets around the world. It was the leading authentication method among the financial institutions HID Global surveyed in 2021, and the Ponemon Institute estimates it is used by about one-third of mobile users, despite well-known weaknesses: the code travels over a network the service provider does not control, it can be captured by SIM-swap fraud, SS7 interception or malware on the handset, and a phishing page can simply ask the victim to type it in and relay it to the real site in real time.
Push notification-based authentication over an out-of-band secure channel, by contrast, gives organizations a more powerful combination of security, flexibility and usability. Secure channel-based authentication uses cryptographic techniques to link a specific device to its owner's identity: at registration the device generates a key pair whose private key stays on the device, and each authentication is a signed answer to a fresh challenge from the server. An attacker who has phished the password, or even a code, still cannot answer the challenge without the device's key. It is more secure than SMS authentication because no reusable secret is ever sent to the customer's device over an untrusted network; the only things that cross the network are a one-time challenge and a signature that is useless for any other request.
Combined with push notifications, the user experience is also simpler than SMS. When a push notification appears on the phone, the user validates the request by making a binary choice, "Approve" or "Decline", rather than reading an OTP out of an SMS and retyping it. The prompt should show exactly what is being approved (the amount and payee of a payment, the location of a login attempt), so that a user who receives a request they did not initiate has the information to decline it, and so that what the user saw is what the device signs.
What Are the Top Challenges Strong Customer Authentication Alleviates in the Background?
Consumers typically see only a small part of the authentication process, because most of it happens in the background. We see the challenges of the mobile authentication lifecycle in seven categories:
Challenge #1: Registering (and recognizing) the user’s device
One of the best ways to authenticate someone's digital identity is to recognize whether a request comes from the device the user registered, rather than from an attacker's copy of it. Anti-cloning technology ensures that anyone trying to gain access through a cloned device is stopped. iOS, Android and laptops each have their own protection for this, hardware-backed key stores (Secure Enclave, StrongBox or the hardware-backed Keystore, and the TPM) that generate keys which cannot be exported, but that alone is not enough: not every handset has such hardware, and a rooted or jailbroken device may have had its protections weakened. The strongest authentication solutions therefore add further layers of cryptographic protection, such as binding the key to device attributes that are checked at each use, and having the server track a per-device signature counter so that a copy running with the same key material is detected as soon as its counter falls behind the original's.
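The signed challenge-response behind push approval (from the section above on secure channel-based push authentication) and the counter-based clone detection just described, together as one added example in Go. This is illustration code, not HID's implementation and not from the original article: a minimal server holding Ed25519 device public keys, a 16-byte single-use challenge per push, and a per-device signature counter that must strictly increase. The type and function names, the "phone-1" device ID and the payment string are assumptions; a production system would also time out pending challenges and keep the private key in the phone's hardware key store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Challenge is pushed to the phone: a fresh nonce bound to the action the user is asked to approve.
type Challenge struct {
	Nonce  []byte
	Action string // e.g. "pay 250.00 EUR to ACME Ltd"; shown verbatim in the prompt
}

// Response is what the device sends back after the user taps Approve or Decline.
type Response struct {
	DeviceID string
	Nonce    []byte
	Decision string // "approve" or "decline"
	Counter  uint32 // device-side monotonic signature counter
	Sig      []byte
}

// Server stores only each device's public key and the highest counter seen.
type Server struct {
	pubs     map[string]ed25519.PublicKey
	counters map[string]uint32
	pending  map[string]Challenge // string(nonce) -> challenge, deleted on first use
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]uint32{}, map[string]Challenge{}}
}

// Register stores the public key the device generated at enrolment; the private key never leaves the phone.
func (s *Server) Register(id string, pub ed25519.PublicKey) { s.pubs[id] = pub }

// Issue creates a single-use challenge for one action.
func (s *Server) Issue(action string) Challenge {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	c := Challenge{Nonce: nonce, Action: action}
	s.pending[string(nonce)] = c
	return c
}

// signedBytes is the message both sides sign and verify; length prefixes keep the fields apart.
func signedBytes(nonce []byte, action, decision string, counter uint32) []byte {
	var b []byte
	for _, f := range [][]byte{nonce, []byte(action), []byte(decision)} {
		b = append(binary.BigEndian.AppendUint16(b, uint16(len(f))), f...)
	}
	return binary.BigEndian.AppendUint32(b, counter)
}

// Respond is the device side: bump the counter, then sign nonce, action, decision and counter together.
func Respond(id string, priv ed25519.PrivateKey, counter *uint32, c Challenge, decision string) Response {
	*counter++
	sig := ed25519.Sign(priv, signedBytes(c.Nonce, c.Action, decision, *counter))
	return Response{DeviceID: id, Nonce: c.Nonce, Decision: decision, Counter: *counter, Sig: sig}
}

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrNoChallenge   = errors.New("no pending challenge (replayed, expired or never issued)")
	ErrBadSignature  = errors.New("signature does not verify under the registered key")
	ErrClone         = errors.New("counter did not increase: possible cloned device")
)

// Verify accepts only a pending nonce, a valid signature over the action the server itself
// issued, and a strictly increasing counter. It reports whether the user approved.
func (s *Server) Verify(r Response) (bool, error) {
	pub, ok := s.pubs[r.DeviceID]
	if !ok {
		return false, ErrUnknownDevice
	}
	c, ok := s.pending[string(r.Nonce)]
	if !ok {
		return false, ErrNoChallenge
	}
	delete(s.pending, string(r.Nonce)) // one use, whatever the outcome
	if !ed25519.Verify(pub, signedBytes(r.Nonce, c.Action, r.Decision, r.Counter), r.Sig) {
		return false, ErrBadSignature
	}
	if r.Counter <= s.counters[r.DeviceID] {
		return false, ErrClone
	}
	s.counters[r.DeviceID] = r.Counter
	return r.Decision == "approve", nil
}

func main() {
	s := NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s.Register("phone-1", pub)
	fmt.Println(s.Verify(Respond("phone-1", priv, new(uint32), s.Issue("pay 250.00 EUR to ACME Ltd"), "approve")))
}
```

Two details carry the security argument. The server verifies the signature against the action it issued, not the action the device claims, so a response cannot be bent to a different transaction; and a clone that copied the key material but not the live counter fails the `ErrClone` check the first time both copies are used, which is the moment to lock the enrolment and re-register.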
Challenge #2: Provisioning secure credentials to the user
Securing the process of supplying user credentials and managing identities is imperative, and it is harder when the initial credential is a one-time password (OTP) sent via SMS, the most commonly used method of authentication among the institutions we surveyed in 2021. The most secure solutions ensure that the initial activation credential is unique to each user and device, can be used only once, and expires immediately after successful registration (or after a short time if it is never used), while remaining flexible enough to fit into the business's existing onboarding processes.
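An added example, in Go, of the single-use, expiring activation credential described above; it is illustration code, not HID's implementation and not from the article. The `Provisioner` type, its 16-character base32 codes, the 10-minute lifetime and the user names are assumptions. The server stores only a hash of each code, burns the code on first use and refuses it after expiry, so a leaked database or a code found later in a mailbox is worthless.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"time"
)

// pendingCode is the server's record of one activation code: who it was issued to,
// when it stops working, and whether it has already been redeemed.
type pendingCode struct {
	userID   string
	expires  time.Time
	consumed bool
}

// Provisioner issues activation codes and binds the device key presented with one.
type Provisioner struct {
	now   func() time.Time          // injectable clock so expiry can be tested
	ttl   time.Duration             // how long an unused code stays valid
	codes map[[32]byte]*pendingCode // sha256(code) -> record; the code itself is never stored
	bound map[string][]byte         // userID -> device public key
}

func NewProvisioner(ttl time.Duration, now func() time.Time) *Provisioner {
	return &Provisioner{now: now, ttl: ttl, codes: map[[32]byte]*pendingCode{}, bound: map[string][]byte{}}
}

// IssueCode mints a 16-character code (80 bits of entropy) for one user. It is shown
// out of band, e.g. as a QR code in the logged-in web session or sent by letter.
func (p *Provisioner) IssueCode(userID string) string {
	raw := make([]byte, 10)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	code := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
	p.codes[sha256.Sum256([]byte(code))] = &pendingCode{userID: userID, expires: p.now().Add(p.ttl)}
	return code
}

var (
	ErrUnknownCode = errors.New("activation code not recognised")
	ErrCodeUsed    = errors.New("activation code already used")
	ErrCodeExpired = errors.New("activation code expired")
)

// Redeem consumes the code and binds the device's public key to the user it was
// issued to, returning that user. A second redemption, or a late one, fails and
// leaves any existing binding untouched.
func (p *Provisioner) Redeem(code string, devicePub []byte) (string, error) {
	pc, ok := p.codes[sha256.Sum256([]byte(code))]
	if !ok {
		return "", ErrUnknownCode
	}
	if pc.consumed {
		return "", ErrCodeUsed
	}
	if p.now().After(pc.expires) {
		return "", ErrCodeExpired
	}
	pc.consumed = true // burn it before doing anything else
	p.bound[pc.userID] = devicePub
	return pc.userID, nil
}

// DeviceKey returns the key enrolled for a user, if any.
func (p *Provisioner) DeviceKey(userID string) ([]byte, bool) {
	k, ok := p.bound[userID]
	return k, ok
}

func main() {
	p := NewProvisioner(10*time.Minute, time.Now)
	code := p.IssueCode("alice")
	fmt.Println(p.Redeem(code, []byte("alice-device-public-key")))
	fmt.Println(p.Redeem(code, []byte("someone-else's-key"))) // refused: already used
}
```

The three distinct errors are for the server's own logs; the enrolment endpoint should still rate-limit and return one generic failure to the caller, for the same reason the brute-force section below gives for PIN checks.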
Challenge #3: Protecting user credentials
Credentials are vulnerable to brute-force attacks, so having proper policies in place is key. There is no one-size-fits-all policy: the authentication solution selected needs to be flexible enough to fit the particular use case and offer maximum convenience with adequate security. A 15-character password requirement is in theory far stronger than a four-digit PIN, until we realize that many users write long passwords down because they are harder to remember. A short PIN can be acceptable when it is only ever checked a handful of times before the credential locks, and when the check is bound to the registered device rather than usable from anywhere.
Challenge #4: Securing communications between the user, the app and backend servers
Unless encrypted, data passed over insecure channels can easily be intercepted, and the path between a user's phone and the authentication service runs over networks the organization does not control, including the mobile operator and the platform's push notification service. To avoid this risk it is necessary to establish trust between the authentication client and the server in both directions: the client connects only to an explicitly trusted server (by pinning the server's key or certificate rather than accepting whatever the device's trust store happens to accept), the server accepts requests only from the registered device key, and the payload itself is encrypted so that it can only be read by the intended recipient, whatever intermediaries carry it.
Challenge #5: Blocking zero-day attacks
New or zero-day attacks are on the rise, so it is imperative for applications to include mechanisms that can detect and halt attacks in real time: for instance, detecting a rooted or jailbroken device, an attached debugger or instrumentation framework, an emulator, or tampering with the app binary. Best-in-class solutions use a multi-layered defense so that bypassing any single control does not, on its own, lead to a disastrous breach.
Challenge #6: Maintaining security throughout the customer lifecycle
The shorter a cryptographic key's lifetime, the less a compromised key is worth and the smaller the window in which it can be abused. This might seem too simple a statement, but to have short key lifetimes organizations need tight key management and renewal plans. The best solutions on the market make it easy to configure the length of a key lifetime and have mechanisms that let the server renew device keys before they expire without requiring user intervention, typically by having the device prove possession of the current key when it presents the new one.
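How that server-driven renewal can work, as an added example in Go; this is illustration code, not HID's implementation and not from the article. The server records an expiry for each device key and a renewal window before it; once inside the window it asks the device to renew on its next authentication, the device generates a new key pair and signs the new public key with the current one, and the server swaps keys only when that proof verifies. The `KeyStore` and `DeviceRenew` names, the 30-day lifetime and the 7-day window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// keyRecord is the server's view of one device key: the key and when it stops being trusted.
type keyRecord struct {
	pub     ed25519.PublicKey
	expires time.Time
}

// KeyStore enforces a key lifetime and a renewal window before it ends.
type KeyStore struct {
	now      func() time.Time // injectable clock
	lifetime time.Duration    // how long a device key is trusted after issue or renewal
	window   time.Duration    // how long before expiry the server starts asking for renewal
	keys     map[string]*keyRecord
}

func NewKeyStore(lifetime, window time.Duration, now func() time.Time) *KeyStore {
	return &KeyStore{now: now, lifetime: lifetime, window: window, keys: map[string]*keyRecord{}}
}

func (k *KeyStore) Register(deviceID string, pub ed25519.PublicKey) {
	k.keys[deviceID] = &keyRecord{pub: pub, expires: k.now().Add(k.lifetime)}
}

// NeedsRenewal is checked on every successful authentication; when true the server
// piggybacks a renewal request on its response, and the user sees nothing.
func (k *KeyStore) NeedsRenewal(deviceID string) bool {
	rec, ok := k.keys[deviceID]
	return ok && !k.now().Before(rec.expires.Add(-k.window))
}

// renewalMessage binds the new public key to the device ID so a signed renewal
// cannot be replayed against another enrolment.
func renewalMessage(deviceID string, newPub ed25519.PublicKey) []byte {
	return append([]byte("key-renewal:"+deviceID+":"), newPub...)
}

// DeviceRenew is the client side: make a new key pair and prove possession of the
// old key by signing the new public key with it. The old private key is then discarded.
func DeviceRenew(deviceID string, oldPriv ed25519.PrivateKey) (ed25519.PublicKey, ed25519.PrivateKey, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv, ed25519.Sign(oldPriv, renewalMessage(deviceID, pub))
}

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrKeyExpired    = errors.New("key already expired: device must re-enrol")
	ErrBadProof      = errors.New("renewal not signed by the current key")
)

// Renew replaces the stored key once the proof verifies; the previous key is no longer accepted.
func (k *KeyStore) Renew(deviceID string, newPub ed25519.PublicKey, proof []byte) error {
	rec, ok := k.keys[deviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if k.now().After(rec.expires) {
		return ErrKeyExpired
	}
	if !ed25519.Verify(rec.pub, renewalMessage(deviceID, newPub), proof) {
		return ErrBadProof
	}
	rec.pub = newPub
	rec.expires = k.now().Add(k.lifetime)
	return nil
}

// Current returns the key the server accepts signatures from right now.
func (k *KeyStore) Current(deviceID string) (ed25519.PublicKey, error) {
	rec, ok := k.keys[deviceID]
	if !ok {
		return nil, ErrUnknownDevice
	}
	if k.now().After(rec.expires) {
		return nil, ErrKeyExpired
	}
	return rec.pub, nil
}

func main() {
	ks := NewKeyStore(30*24*time.Hour, 7*24*time.Hour, time.Now)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ks.Register("phone-1", pub)
	newPub, _, proof := DeviceRenew("phone-1", priv)
	fmt.Println(ks.NeedsRenewal("phone-1"), ks.Renew("phone-1", newPub, proof))
}
```

A key that is allowed to lapse cannot renew itself: `Renew` refuses with `ErrKeyExpired`, and the device has to go back through enrolment. That is the policy teeth behind "short lifetimes", and it is why the renewal window has to be long enough to cover a phone that stays offline for a while.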
Challenge #7: Preventing brute force attacks
It surprises many to hear that brute-force attacks, the use of trial and error to find login information and encryption keys, are still highly effective. The most reliable mobile authentication solutions enable the customization of settings to specific use cases and policies. Some of those settings include imposing a delay or temporary lock after a wrong PIN or password, and invalidating the credential after a certain number of unsuccessful attempts. Another option is a silent lock: the app returns the same generic failure whether the PIN was wrong, the credential is temporarily delayed, or it has been locked outright, so an attacker trying to authenticate or sign a transaction gets no feedback about what to change.
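The policies of Challenge #3 and Challenge #7 together, as one added example in Go; this is illustration code, not HID's implementation and not from the article. A `PINStore` applies a tunable `Policy` (an escalating delay after each failure, a hard lock after N consecutive failures) and returns one generic error for every failure cause, which is the silent lock. The type names, the 4-digit PINs and the salted SHA-256 are assumptions; as the comment in the code says, no hash makes a short PIN survive an offline search, so the attempt policy is the control that matters.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Policy is the part an operator tunes per use case.
type Policy struct {
	MaxFailures int             // lock the credential after this many consecutive failures
	Delays      []time.Duration // temporary lock after the 1st, 2nd, ... failure (last value repeats)
}

type pinState struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
	locked      bool
}

type PINStore struct {
	now    func() time.Time // injectable clock
	policy Policy
	users  map[string]*pinState
}

func NewPINStore(p Policy, now func() time.Time) *PINStore {
	return &PINStore{now: now, policy: p, users: map[string]*pinState{}}
}

// ErrAuthFailed is the only error ever returned to the caller: wrong PIN, temporary delay,
// permanent lock and unknown user all look identical (the "silent lock").
var ErrAuthFailed = errors.New("authentication failed")

// hashPIN salts and hashes the PIN. A 4-6 digit PIN cannot resist an offline search under
// any hash, so the real protection is the attempt policy in Check; in production use a
// memory-hard hash such as argon2id (golang.org/x/crypto/argon2) rather than plain SHA-256.
func hashPIN(salt []byte, pin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return h[:]
}

func (s *PINStore) Set(user, pin string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.users[user] = &pinState{salt: salt, hash: hashPIN(salt, pin)}
}

// Check verifies a PIN under the policy and updates the failure state.
func (s *PINStore) Check(user, pin string) error {
	st, ok := s.users[user]
	if !ok {
		hashPIN(make([]byte, 16), pin) // spend the same time for unknown users
		return ErrAuthFailed
	}
	if st.locked || s.now().Before(st.lockedUntil) {
		return ErrAuthFailed // the PIN is not even examined, and the caller cannot tell
	}
	if subtle.ConstantTimeCompare(st.hash, hashPIN(st.salt, pin)) != 1 {
		st.failures++
		if st.failures >= s.policy.MaxFailures {
			st.locked = true
		} else if n := len(s.policy.Delays); n > 0 {
			i := st.failures - 1
			if i >= n {
				i = n - 1
			}
			st.lockedUntil = s.now().Add(s.policy.Delays[i])
		}
		return ErrAuthFailed
	}
	st.failures = 0
	return nil
}

// Status is for operators and audit logs, never for the login response.
func (s *PINStore) Status(user string) (failures int, locked bool) {
	if st, ok := s.users[user]; ok {
		return st.failures, st.locked
	}
	return 0, false
}

func main() {
	s := NewPINStore(Policy{MaxFailures: 5, Delays: []time.Duration{0, 30 * time.Second, 5 * time.Minute}}, time.Now)
	s.Set("alice", "4821")
	fmt.Println(s.Check("alice", "0000"), s.Check("alice", "4821"))
}
```

Note that during a delay the correct PIN is refused with the same `ErrAuthFailed` as a wrong one, and the attempt is not counted. That is what denies the attacker an oracle: from the outside there is no way to tell a wrong guess from a guess that was never evaluated.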
Third Party Audits and Certifications
Many vendors claim to have top security, but third-party audits and certifications of compliance are the most effective way to confirm that an authentication solution is secure and able to keep up with the fast-changing landscape.
Internal reviews should verify the solution against a set of security controls based on industry standards such as the OWASP Mobile Security Project (its Mobile Application Security Verification Standard, MASVS, and the accompanying testing guide). External penetration tests and certifications, like the Certification de Sécurité de Premier Niveau (CSPN) awarded by the French National Agency for the Security of Information Systems (ANSSI), can attest to the solution's robustness through a conformity analysis and rigorous intrusion tests.
Safeguarding the consumer mobile authentication journey across its full lifecycle, from the registration of user devices to credential management and security audits, is no easy task. With careful consideration, and techniques that take full advantage of device-level security features, you can deploy solutions that protect you against an ever-expanding landscape of threats.
Want to learn more about HID Approve, HID’s solution for secure mobile push authentication and transaction signing? Read the eBook >>
Caleb Wattles is a Senior Product Manager within the Identity and Access Management Solutions business area at HID Global. With 20 years of experience in IT Security and over 10 years in product management, he feels most in his element when solving customer problems, in particular those exploring the edge of better security and better user experience. Prior to HID, Caleb was with ActivIDentity, a company that was acquired by HID Global in 2010.