For years, security experts have encouraged developers to protect their applications by implementing multi-factor authentication (MFA) as a layer of security beyond passwords. Unfortunately, this has proven to be inadequate. According to a survey conducted by Sift, account hijacking scams increased by 250% in 2020, despite the addition of MFA.
About the author
André Ferraz is the founder and CEO of Incognia.
Scammers quickly learned how to bypass the most common MFA methods such as one-time passwords (OTPs) and facial recognition. This article discusses issues related to OTP and facial recognition as some of the most common and effective forms of MFA.
The main security issue is that phishing and social engineering attacks, which are the main causes of identity fraud, can trick users into handing their one-time passwords to fraudsters. Fraudsters win the trust of a company's customers and persuade them to provide their credentials via email, phone, or social media.
Another security issue is that OTPs can be easily intercepted. Scammers quickly learned how to bypass the most common OTP delivery channels. For example, SMS can be intercepted at scale, and phone numbers can also be taken over through SIM swap attacks. Email is not a secure channel either, since consumer email accounts are frequently compromised: in 2018, it was revealed that only 10% of users had adopted the two-factor authentication (2FA) option in Gmail.
Another major problem with OTPs is that they add excessive friction for the user and degrade the user experience. Undoubtedly, an OTP involves more friction than a regular password. This added friction ultimately leads to customer drop-off and low retention. A recent study clearly shows that less than 2.5% of Twitter users have activated OTPs; users chose convenience over security.
Face recognition problem
With the introduction of Face ID in 2017, Apple brought facial recognition technology to the forefront for many people. Facial recognition is now commonly used to unlock phones and to authenticate users to online services. But it is also a target for scammers. A human face is static data that cannot be changed. If a malicious person obtains this data, its owner will never again be able to safely use it as proof of identity.
Scammers use data from many sources, including social media, to trick facial recognition systems. More advanced attacks are also being developed. A recent paper published by Israeli researchers describes neural networks that generate “master” faces: a single face image that matches multiple identities. Using only nine faces synthesized by the StyleGAN Generative Adversarial Network (GAN) and testing against three major facial recognition systems, the work suggests that such a “master key” can be generated for more than 40% of the population.
How can I make the authentication flow more secure?
Balancing security and user experience is not an easy task, but the good news is that there are many innovations in the security industry. In recent years, new technologies have been developed to address the UX and security dilemma. This is done by providing passive authentication technology that works silently in the background.
An example is device fingerprinting technology, which can silently recognize devices based on their unique attributes and determine whether they can be trusted. Most apps and websites already use this technology. In addition, another type of passive authentication method called behavioral biometrics has been introduced. Behavioral biometrics identify authorized users based on mouse or touch screen gestures, typing patterns, and how they hold the phone. Unfortunately, most behavioral biometric solutions require time to train before they perform well, and the integration process can be complicated.
Given the growing relevance of mobile as the main online channel, we leverage location behavior data from device sensors to identify when users are logging in or transacting from trusted locations. A recent study conducted by Incognia found that 90% of legitimate logins and 95% of legitimate high-risk transactions originate from trusted locations that are part of a user’s normal routine, such as home, the office, or a favorite restaurant. The biggest advantage of leveraging location behavior is a failure rate of once in 100 million transactions: it is very effective in assessing risk, requires no user action, and provides the best possible user experience.
There is no silver bullet in the security space, so developers should choose a layered approach. Ideally, your app will leverage passive authentication for most low-risk scenarios and will only bring MFA friction if high-risk is identified. That way, the app can provide legitimate customers with a frictionless authentication experience, but keep scammers away.
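The layered flow described above, as an added example (not Incognia's or the author's code): passive signals (a device fingerprint id and a set of routine "trusted locations") decide most logins silently, and an OTP challenge is requested only when risk is elevated. The radius, weights, thresholds and coordinates are assumptions for illustration.

```python
# Added example: risk-based step-up policy combining passive signals.
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt


@dataclass
class UserProfile:
    trusted_devices: set                                     # fingerprint ids verified before
    trusted_locations: list = field(default_factory=list)    # (lat, lon) of routine places


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def in_trusted_location(profile, location, radius_km=0.5):
    """True if the login location is within radius_km of one of the user's routine places."""
    return any(haversine_km(location, t) <= radius_km for t in profile.trusted_locations)


def assess_login(profile, device_id, location, high_value=False):
    """Return (decision, reasons): 'allow' passively, 'step_up' (challenge with OTP) or 'deny'."""
    score, reasons = 0, []
    if device_id not in profile.trusted_devices:
        score += 2
        reasons.append("unrecognised device")
    if not in_trusted_location(profile, location):
        score += 2
        reasons.append("location outside user's routine")
    if high_value:
        score += 1
        reasons.append("high-value action")
    if score == 0:
        return "allow", reasons      # passive signals suffice: no friction for the user
    if score < 5:
        return "step_up", reasons    # elevated risk: bring in MFA only now
    return "deny", reasons           # unknown device, unfamiliar place and high value: block and alert


# Constructed sample profile; coordinates are made-up "home" and "office" points.
HOME, OFFICE = (40.7128, -74.0060), (40.7580, -73.9855)
ALICE = UserProfile(trusted_devices={"fp-1a2b"}, trusted_locations=[HOME, OFFICE])

if __name__ == "__main__":
    print(assess_login(ALICE, "fp-1a2b", (40.7130, -74.0058)))                      # allow
    print(assess_login(ALICE, "fp-1a2b", (34.0522, -118.2437)))                     # step_up
    print(assess_login(ALICE, "fp-zzzz", (34.0522, -118.2437), high_value=True))    # deny
```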
Why MFA isn’t enough to protect you