Mobile Authentication Challenges – Two-Factor not so Two-Factor
Two-factor authentication has had a bit of a coming out this year. With many large internet players offering their own two-factor SMS products, consumers are getting accustomed to a technology formerly reserved for big dollar investors and secure access employees.
Credit for the proliferation of two-factor goes to the ubiquity of the mobile platform and the rise of tokenless two-factor authentication providers. While tokens are expensive to produce, SMS is cheap, on demand, and more secure. Since almost everyone has a phone available to access their account, and SMS-based two-factor is now very simple to deploy on a non-enterprise level, mobile banking is easy to provide.
But where SMS giveth a second factor, smartphones taketh some security away. When users are accessing a secure portal (say, your banking application) from their smartphone, SMS doesn’t matter. If a user has the application remember their credentials and you then send them an SMS, all a phone thief has to do is check the text messages on the phone. A second factor is only secure if it is separate and distinct from the access point.
After SMS, other vectors start to become cumbersome and inconvenient. We can’t assume a customer will carry something besides their phone, so we are reduced to the final method of authentication for additional vectors – “What you are.”
As we discussed in our previous article, inconvenience is the enemy of mobile applications. Interactive voice response (IVR) is a technology consumers try to bypass. Biometrics, thumbprints, and retinal images are all vectors that, while evolving rapidly, haven’t seen widespread adoption and still make consumers a little queasy. Do we really expect them to trust a bank to keep digital thumb, voice, and/or retinal details?
What is the CISO to do? Protect the bank? Let user experience dominate security and hope attacks come at “the other guys”? Stay tuned for a different approach to mobile access.
This post was contributed by: