2017 Phone as an Authenticator; Methods, Benefits and Risks
What is the state of mobile authentication today? More and more organizations, especially financial institutions, are relying on mobile device authentication methods – where the mobile device itself functions as a way of “proving” that the right person is trying to access sensitive information. This becomes essential in an era when remote is a requirement – with organizations not only allowing, but demanding that employees work during “off hours.” A financial institution where employees are working on sensitive data at home, for example, can’t afford any security compromises.
Traditionally, OTP tokens (hardware based) have been used to ensure the identity of the party seeking to connect to that sensitive information. But the explosion of mobile devices makes hardware-based tokens impractical. In addition, many users balk at the idea of carrying around a bulky piece of hardware in order to access secure resources. In addition, a 2012 study indicated that companies could save as much as 95% of authentication costs by replacing tokens with smart device-based software solutions. In a study, Gartner said that “phone as a token are the methods of choice in a majority of new and refreshed token deployments, and have a larger installed base than OTP hardware tokens.”
As a result, organizations have pursued software-based token authentication, and with the popularity of smartphones, mobile authentication – especially in an environment where connecting to business from outside the office is as important as coming into the office – makes sense.
The question, of course, is how best to provide mobile authentication – keeping in mind security, total TCO for service providers, and UX issues for those who need to be authenticated. One approach would be hardware token. For some organizations, tried and true is the best solution – but requiring users to carry around a hardware token sort of defeats the purpose of using mobile devices.
Another method – more popular today in an age of robust cell and data networks – is OOB (out of band) authentication, where the user and the authentication server exchange authentication information via the device. OOB authentication can entail automated voice calls or SMS text messaging. However, according to Gartner, it’s mobile push that is the OOB authentication method of choice; a Gartner study says that 50% of enterprises using mobile authentication will by 2020 adopt OOB mobile push as a mainstay of authentication, compared to just the 10% who are using it today.
Push – backed by encryption and when used over a secure wifi network – allows for a much higher level of security than other OOB methods, we believe. It’s certainly much more secure than OOB SMS Authentication, which, in its latest guidelines on security, NIST, the US National Institute of Standards and Technology, says is now “deprecated.”
Indeed, NIST says, OOB SMS and voice modes can be vulnerable to hacking, especially in man in the middle attacks. “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators,” says NIST. As far as voice is concerned, out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.”
Advantages and risks of each phone-as-a-token method:
Mobile Voice call
in which the user and the authentication server exchange authentication information via a voice call. The user gets an automated call when they try to log in, and the authentication takes place when the call is answered:
– Eliminates need/cost for dedicated devices, Low cost, easily extendable to include as many users as necessary, runs on multiple devices/OS’s, a single device can be used to authenticate multiple resources, users take care of the device which belongs to them, can be used with landlines as well
Messaging costs (to organizations and users), requires that the device always be at hand, requires cell network coverage, vulnerability to social engineering (where hackers claim there is a problem with the phone and that calls need to be forwarded to the attacker’s phone)
in which the authentication server issues a text message (verification code or the like) which the user has to enter into the device. The authentication takes place when the correct response is given:
Eliminates need/cost for dedicated devices, low cost, easily extendable to include as many users as necessary, runs on multiple devices/OS’s, a single device can be used to authenticate multiple resource, users take care of the device which belongs to them,
Messaging costs (to organizations and users), requires that the device always be at hand, requires cell network coverage, latency issues (user often doesn’t know if a message was delivered), vulnerability to spoofing/malware, SIM splitting, etc., users could ignore messages (believing them to be spam/malware).
One Time Password (OTP) Apps
in which one-time password software tokens generate OTPs using the same keys (“seed values”) and algorithms as traditional OTP hardware tokens. The authentication takes place when the user enters the OTP on the login screen:
One Time Password – Advantages
Eliminates need/cost for dedicated devices, no messaging costs, users take care of the device which belongs to them, runs on multiple devices/OS’s, offers more security than OOB voice or SMS modes, allows for analytics as data is accessible to organization, users take care of the device which belongs to them.
One Time Password – Disadvantages
Require a suitable device (smartphone, tablet), vulnerable to malware, apps must be downloaded.
in which a user initiates a connection via an app, with the server responding either with a challenge or message that authentication has taken place. Authentication is done transparently, with the device and server exchanging encryption information.
Push Apps – Advantages
Eliminates need/cost for dedicated devices, low cost, easily extendable to include as many users as necessary, runs on multiple devices/OS’s, a single device can be used to authenticate multiple resources, users take care of the device which belongs to them, can use advanced cryptography security measures, offers very high level of trust
Push Apps – Disadvantages
Requires a suitable device (smartphone, tablet), vulnerable to malware, apps must be downloaded.
The Case for the Secret Sharing Scheme