Problems with SMS-Based Two-Factor Authentication Systems

Many websites and online companies are now relying more on smartphones as a second factor for authentication. Although many online banks have used SMS-based verification for transaction verification, some major websites and businesses in non-regulated industries recognize the need for stronger online security. Google had two-factor authorization made available earlier this year. Facebook has now also added two factor authentication SMS OTP.

It is great news that more websites have strengthened online authentication. If you think about how sensitive and personal information people share online, it is obvious that relying only on one layer for password protection is inadequate. Not only is it not secure, but also sending a single-time password or authentication key via SMS text message can be dangerous, as they are often in clear text. The security of mobile phones is not very good. Anybody could steal or lose the phone and read the text message to verify the authenticity. An SMS message can also be intercepted, forwarded to another telephone number and used to send the authentication code to a cybercriminal.

Cybercriminals will continue to target businesses that rely on mobile phones for out of-band authentication. Therefore, businesses need to use a more secure approach and not just send a simple SMS message. For consumer-facing websites, it is important to balance security and usability. It is unlikely that users will adopt complex security strategies on the Internet.

Displaying a type of image-based challenge on the smartphone to generate a onetime password (OTP) is a more secure and user-friendly approach. It is possible to do this by having the user select certain categories of items that they can remember. If out-ofband authentication is required, the company can trigger an app to display randomly generated grids of photos on the user’s mobile device. The user authenticates their identity by simply tapping the pictures that are within their secret, pre-chosen categories. Although the grid displays different pictures, each user will look for the same categories. This authentication challenge generates an image-based, unique “password” that can be used to authenticate the user. Each time it is used, it will be different – a true OTP. The user must only remember their three categories (in our case, cars and flowers).

It’s more secure to send the user a type of knowledge-based authentication task via their smartphone than an SMS with the code displayed in cleartext. The interaction takes place completely out-of-band through the mobile channel. The mobile application communicates directly and securely with the business server to confirm that the user authenticated correctly. Furthermore, even if another person had access to the user’s phone they would not be in a position to authenticate the user correctly as they do not have access the user’s secret category information. This secure two channel, two-factor authentication process will help protect against sophisticated malicious attacks like manin-thebrowser (MITB), or manin-the_middle (MITM).

Accessibility is as important to security as it is to ease of usage. The majority of Internet users won’t use security systems that are too complex, and online businesses don’t want to make it difficult for their users. The image-based authentication process is much more user-friendly. Users simply need to recall a few categories from their favorites and tap the appropriate images. This is much better than typing long passwords using a tiny phone keyboard, or correct copying an alphanumeric codes from one’s phone’s text inbox to the page on the computer. In fact, a survey conducted by Javelin Strategy and Research group confirmed that 6 out of 10 consumers prefer easy-to-use authentication methods such as image identification/recognition.

Google and Facebook have set an example for other websites and online companies by providing two-factor authentication. However, criminals increasingly target mobile authentication methods to intercept SMS text messaging. It will be crucial for businesses that they use a type or knowledge-based challenge to authenticate users, and not just send a plain SMS code.