Making 2FA/MFA robust against smishing and related attacks

Traditionally, users of web and mobile applications have been authenticated with a username/password login. Attackers soon found ways around it. Users choose weak passwords, reuse the same password across accounts, share passwords, and so on; and even a strong password offers no protection when social engineering persuades the user to give it away, for example by revealing it to the attacker directly or by typing it into a malicious look-alike site that captures it.

2FA/MFA was introduced to raise the bar by requiring two or more independent proofs of identity, known as authentication factors. These take many forms but boil down to three categories: something you know (e.g., a password), something you have (e.g., a cryptographic key on a device), or something you are (e.g., a biometric unique to you) [1].

However, 2FA/MFA is not a panacea that can be picked off a shelf and dropped in to solve every challenge an attacker presents. Three things in particular determine how much it actually helps:

▪ Choice of factor. Just because something CAN be used as an authentication factor does not make it a good one. Delivering a short-lived One-Time Password (OTP) to the user's phone by SMS (nominally "something you have") is the notorious example. SMS rides on decades-old legacy telephony with known weaknesses: the number can be taken over by SIM swapping, the message can be intercepted in transit, and the code itself is a bearer value that a phishing page ("smishing") can collect from the user and replay to the real service within its validity window.

▪ Implementation. How a factor is implemented makes a large difference to the viability of attacks against it. An authenticator app's OTPs are derived from a seed stored on the device; according to [2], most mobile authenticator apps leave that seed exposed through what V-Key calls a Trust Gap, so an attacker who extracts it can generate the identical OTP sequence in another authenticator. The implementation must therefore be crafted to protect the seed and the code that uses it, not just the OTP algorithm itself.

▪ Resets/re-onboarding. Authentication factors have to be set up, and sometimes reset: a user forgets their password, or a software token bound to one phone has to be moved when the user gets a new one. Every reset path is a way around the factor it resets. If a helpdesk is involved, for example, social engineering can be used to talk an agent into performing the reset in the attacker's favour.
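The two weaknesses above (a phishable bearer code, and a copyable seed) can be seen concretely by implementing the standard OTP algorithm and running the two attack scenarios against it. The following is an added example, not code from the original article and not V-Key's software. It implements RFC 4226 HOTP / RFC 6238 TOTP with the Python standard library; the seed is the ASCII test-vector secret from RFC 6238 so the codes can be checked against the published table, the scenarios are constructed, and the server-side verifier's plus-or-minus-one-step acceptance window is an assumed (common) convention rather than anything the article specifies.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII seed from the RFC 6238 test vectors,
# chosen so the codes below can be checked against the published table.
SEED = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // STEP, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check (assumed convention): accept the current step plus
    `window` steps either side to absorb clock skew. That tolerance is exactly
    what gives a phished code its replay window. Comparison is constant-time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + drift * STEP), code):
            return True
    return False


def cloned_seed_matches(at_time: int) -> bool:
    """Trust Gap scenario: an attacker who extracted the seed runs the same
    algorithm in their own authenticator and obtains the victim's code."""
    victim_app = totp(SEED, at_time)
    attacker_app = totp(SEED, at_time)
    return victim_app == attacker_app


def relayed_code_accepted(at_time: int, relay_delay: int) -> bool:
    """Smishing scenario: the user types a genuine code into a phishing page and
    the attacker submits it to the real server `relay_delay` seconds later.
    The code is a bearer value; nothing ties it to the device or the session."""
    phished = totp(SEED, at_time)
    return verify_totp(SEED, phished, at_time + relay_delay)


if __name__ == "__main__":
    print("TOTP at t=59:", totp(SEED, 59))                              # 287082 (RFC 6238 vector)
    print("cloned seed matches:", cloned_seed_matches(59))              # True
    print("relay after 10 s accepted:", relayed_code_accepted(59, 10))  # True
    print("relay after 100 s accepted:", relayed_code_accepted(59, 100))  # False
```

The point of the two scenario functions is that neither attack touches the cryptography: HMAC-SHA1 is fine, but the seed is a symmetric secret (whoever holds it is the authenticator) and the output is a short number that any party can type in. A relayed code only fails once the clock has moved outside the verifier's window, which is why a live phishing proxy that forwards the code within seconds succeeds. Defending against this means binding the secret to the device so it cannot be copied, and binding the response to the session so it cannot be relayed, which is what the rest of the article argues for.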

Cybercrime groups such as UNC3944 [3] have reportedly been exploiting exactly these weaknesses in the implementation and reset/re-onboarding paths of 2FA/MFA, combining SMS phishing with SIM swapping. Even well-known organisations have been breached this way.

It is no longer enough to deploy just any 2FA/MFA. Beyond choosing reasonably reliable factors, the deployment needs a well-crafted implementation and should minimise, or eliminate, the need for resets and re-onboarding. A passwordless design removes the password that is so easily phished. Appropriate use of biometrics can likewise remove the need for 2FA/MFA bypass or re-onboarding when a user changes device. Finally, a solution that closes the Trust Gap has to be able to defend the software itself against attack and give the app, not only the user, a strong identity.

V-Key ID [4] is offered as a solution meeting these requirements for strong mobile-based 2FA/MFA. It builds on V-Key's V-OS Smart Token, an implementation designed to close the Trust Gap, and adds cross-platform privacy-enabled biometrics to minimise or eliminate resets and re-onboarding. It can provide strong 2FA/MFA both for employees (via the V-Key Smart Authenticator) and for customers (by incorporating V-Key ID into your own app).

References 

[1] NIST Special Publication 800-63-3, "Digital Identity Guidelines," https://pages.nist.gov/800-63-3/sp800-63-3.html

[2] "Most Mobile Authenticator Apps Have a Design Flaw That Can Be Hacked," https://www.businesswire.com/news/home/20211008005015/en/Most-Mobile-Authenticator-Apps-Have-a-Design-Flaw-That-Can-Be-Hacked

[3] "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety," https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware

[4] "Revolutionising Universal Digital Identities with V-Key ID," https://www.v-key.com/resource/revolutionising-universal-digital-identities-with-v-key-id/

ABOUT V-KEY 

V-Key is an internationally acclaimed software-based digital security company, headquartered in Singapore and founded in 2011. V-Key's mobile technology powers high-security solutions for mobile identity, authentication, authorisation, and payments for major banks, payment gateways, and government agencies.

V-Key is the inventor of V-OS, which it describes as the world's first patented virtual secure element, using cryptographic and cybersecurity protections to comply with standards previously reserved for hardware solutions. V-OS's tamper-resistant design allows secure storage of cryptographic keys, data, and application code. Its multi-layered security features let it serve as the core security foundation on which a range of use cases can be built: digital-only banking, national digital identity, digital tokens, Smart Nation services, cardless ATM withdrawals, and mobile document signing.

ABOUT FINTECH PHILIPPINES ASSOCIATION 

Fintech Philippines Association (Fintech PH) is an independent, non-profit industry association representing the interests and growth of the fintech community in the Philippines. It aims to position the Philippines as a hub for technological innovation in financial services.

Fintech PH is the largest financial technology trade association in the country. Established in 2017, it consists of over 145 Advisory, Corporate and Individual members.

Fintech PH is committed to furthering financial inclusion through technology and helping businesses from all industries harness financial technologies.
