Multi-factor authentication: what is it and why your business needs it to win the race against cyber crime?
Using software to test millions of password combinations and tradable lists of email addresses, and taking advantage of the fact that 90 % of employee passwords are hackable in just 6 hours, cyber criminals are increasingly targeting businesses. If fraud prevention in your business is inadequate, you stand to lose as much as 3% of your annual revenue. The stakes are high, but the hurdles facing the hackers in the race against cyber crime need to be even higher.
Is Single Factor Authentication still adequate to fight cyber crime?
Authenticating identity in online purchases, or even in accessing data at work, often only requires an individual to know a user ID and a password. At first glance this might appear to be two-factor (or multi-factor, as it is increasingly known) authentication, since more than one identifier is used. However, only one factor is involved: ‘something you already know’. This single-factor process isn’t that secure: email addresses or passwords can often be changed without websites asking any further questions. Once multi-factor authentication is applied (adding ‘something you already own’), any attempt at ID theft is virtually eliminated.
Single-factor authentication relies solely on ‘something you already know’, so when people choose weak passwords, frequently re-use passwords or fail to change passwords regularly, it’s not surprising that the hackers attack. Clearly, and especially with the incoming SCA rules for online card sales which we’ll look at later, what’s needed is an additional, external factor for authentication: ‘something you already own’ and, ideally, something we always have to hand - our mobile phones.
The mechanics: multi factor authentication in practice
A mobile phone can simply be registered with a website as part of the initial account set-up and then used for secondary security checks. When a user logs into a website, a phone call is initiated to the registered mobile; an IVR script (automated voice) asks for a secondary credential, something pre-registered such as a date of birth or a special day, or a random code shown by the website. In the latter case, the individual is prompted to “Enter the 6 digit code number displayed on your screen”. Only when the correct code is keyed in does the website unlock.
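As an added illustration, not code from the original article, here is how a server might handle the “enter the 6 digit code displayed on your screen” step in Python: the code is generated only after the password (first factor) has passed, bound to the phone number registered at sign-up, and checked against the digits keyed into the IVR call with a short expiry, a small attempt budget and a constant-time comparison. The policy values and phone numbers are constructed.

```python
import hmac
import secrets
import time

# Constructed policy values for this example, not figures from the article.
CODE_TTL_SECONDS = 120   # the code on screen is only valid for a short window
MAX_ATTEMPTS = 3         # wrong keypad entries allowed before the challenge is voided


def start_challenge(user_id, registered_phone, now=None):
    """Create the second-factor challenge once the password (first factor) passed.
    Returns the server-side record and the 6-digit code the website displays."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"   # uniform over 000000-999999
    return {
        "user_id": user_id,
        "phone": registered_phone,   # number the server dials; fixed at sign-up, not at login
        "code": code,
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
        "done": False,
    }, code


def verify_keypad_entry(record, dialled_phone, digits, now=None):
    """Check the digits keyed into the IVR call against the challenge.
    Returns (accepted, reason); the challenge is single-use and every miss costs an attempt."""
    now = time.time() if now is None else now
    if record["done"]:
        return False, "challenge already used"
    if dialled_phone != record["phone"]:
        return False, "call not placed to registered phone"
    if now > record["expires_at"]:
        record["done"] = True
        return False, "code expired"
    if record["attempts_left"] <= 0:
        record["done"] = True
        return False, "too many attempts"
    record["attempts_left"] -= 1
    # Constant-time comparison so response timing does not leak matching digits.
    if not hmac.compare_digest(digits.encode(), record["code"].encode()):
        return False, "wrong code"
    record["done"] = True   # success also closes the challenge: one code, one login
    return True, "ok"
```

The attempt budget and expiry are what keep a six-digit code adequate: without them the call could simply be repeated until the code is guessed.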
Mobile phone multi-factor authentication is cost effective and user-friendly
There are now more active mobile connections than people on the planet, so it’s easy to see why using mobile phones in multi-factor authentication readily overcomes the barriers of accessibility and familiarity. There’s no need for the mobile user to carry (and lose!) any separate hardware token such as a credit, store or identity card. Furthermore, by making access easier, the need for human interaction from call centre staff is drastically reduced. Instead, staff can be deployed more efficiently on more productive tasks, keeping everyone happy!
The multi-factor procedure directly links the user to the registered phone, thereby constituting an effective second factor to verify the person logged in is the person he or she claims to be.
To successfully “hack” this process, a list of user names and passwords (the first factor) needs to be broken AND then the call or internal number database (the second factor) intercepted. This pair of hacks, although possible, is very unlikely. The hurdles just got too high.
SMS can be used, but is it as secure as voice?
It is, of course, possible to implement multi-factor authentication via SMS. However, it’s generally acknowledged that SMS is not as secure as voice, particularly in view of the recently well-publicised Google SMS SS7 hack. Short for Signalling System 7, SS7 is a communications protocol used by mobile carriers. Hacking into SS7 allows attackers to intercept and read SMS messages in transit, and therefore to get around the protection a text-message code is supposed to provide.
Multi-factor authentication and Strong Customer Authentication (SCA) 2019
As far as banks and PSPs are concerned, real multi-factor authentication must be up and running to meet the new SCA rules implemented by credit card providers, due in 2019. Presently only 1-2 % of online payments made through a PC or mobile phone need cardholder authentication. This is expected to rise to at least 25%, that’s 1 in 4 of online sales.
If you’re a company taking card payments, you’ll already be integrating with your PSP and will be looking to follow their rules as the SCA requirements roll out. It’s expected that the good practice established by adherence to these rules will naturally spread to all companies, in whatever capacity they implement identity authentication. It therefore makes perfect sense to implement a second layer of security now wherever ID authentication is required. Take, for example, the swing towards BYOD (bring your own device) in the workplace: multi-factor authentication is ideally suited to employees accessing their employers’ work-based systems.
We don’t need to tell you why you should stay ahead and win that hurdles race …
To discuss multi-factor authentication, call us now on 0333 202 1555 or email us at firstname.lastname@example.org. Our team will answer your questions and help secure the future of your business.