Authentication has become a standard part of our lives - every secure app or website such as an eCommerce website or a banking application requires users to verify their login attempt beyond simply entering their password.
Asking users to verify their login attempt is called 2FA, short for two factor authentication. This is because users are asked for two ‘factors’ to prove their identity. One of these two factors is usually a password, and the other is a more secure factor such as a six digit code from an authenticator app, or entering an SMS OTP.
Authenticator apps and SMS OTPs are two of the most common two factor authentication methods in place, mostly because they are extremely easy to use. However, as user friendly as they are, they are far from strong. Two factor authentication codes are only as secure as the technology being used to deliver them. Cybercrime is always evolving, becoming more secure every day; ergo, it’s important to consider how secure two factor authentication methods are when choosing an authentication platform.
The problem with SMS OTP codes
SMS OTP messages are one of the most common ways to receive and utilize two factor authentication codes. Most websites that offer two factor authentication will offer SMS OTP message as one of their two factor authentication options.
But there are two inherent problems with sending and receiving SMS OTP codes: Problem one is that the technology is vulnerable to cyber fraud such as SIM swap attacks. SIM swap attacks do not take much effort for a cybercriminal to perform. All they need is access to one additional form of identifying information, such as a social security number. Then it’s simply a matter of the cybercriminal calling your carrier and migrating your number to a brand new SIM card.
Problem two is that SMS messages can be intercepted by hackers through a combination of technology and some nefarious moves. What makes this problem worse is that the end user will not know that their messages are being intercepted and rerouted to other devices.
SMS message interception can have far-reaching implications such as financial fraud and even identity fraud. Hackers can gain illicit access to your verification codes and, if linked to your banking application, can utilize these codes to gain access to your accounts.
SMS OTP code messages, while much better than leaving two factor authentication disabled, still is a flawed two factor authentication method. It is, inherently, insecure, which is why some people turn to a third-party authenticator app.
The problem with a third-party authenticator app
Another common two factor authentication method is to install a dedicated smartphone app such as Authy, Duo, or Google Authenticator. These third-party authenticator apps also have a couple of weaknesses.
When you sign up on a website and enable the third-party authenticator app time-based one-time password (TOTP), the authenticator app creates a unique code based on a combination of your secret key and the current time. At the same time, the website’s server generates a code using the same information. In order to grant you access to the website or app, the two codes need to match.
Unfortunately, cybercriminals, through sophisticated techniques and technology, can gain illicit access to a company’s password and secrets database, rendering the authentication method useless.
Another flaw with third-party authenticator apps is that the secret key is either displayed in plain text or as a QR code; it cannot be hashed or used with a salt, indicating a fundamental flaw with the technology.
FIDO as a passwordless authentication method
So how do businesses protect themselves? Companies across the globe should consider FIDO2, a passwordless authentication solution that addresses TOTP and SMS OTP concerns. Founded by the FIDO Alliance in 2012 to reduce the world’s reliance on insecure authentication methods such as passwords, FIDO2 security standards ensure:
- Security by eliminating the risks of phishing, password theft and replay attacks by utilizing unique cryptographic login credentials
- Privacy by ensuring user behavior cannot be tracked across websites and apps
- Choice and convenience by allowing users to select whichever device they prefer
- Scalability by utilizing simple JavaScript API calls that allows developers to easily deploy FIDO authentication across platforms
- Compliance with international standards such as the PSD2 directive and GDPR
How FIDO2 biometric authentication works
Forgetting authentication for a minute, think about how users unlock their devices, be it their mobile phones or their laptops. They more often than not scan their fingerprints, or perform a facial recognition scan to unlock the device and gain access. This is how FIDO2 passwordless authentication works: it uses a mobile device or laptop’s biometric scanners and cryptography to verify and authenticate users.
On a more technical note, FIDO2 creates a public/private key pair. The private key remains on the user’s device and the public key is used to register with one particular online service. When a user registers with an online service, this public/private key pair is created and is used to perform passwordless authentication.
FIDO2 vs SMS and TOTP
Here’s why FIDO2 is better than SMS OTP and TOTP:
- No user identifying information is stored on a server
- Biometrics are unique to every individual are are nearly impossible to steal
- There is no reliance on third-party authenticator apps or technology that can be intercepted, like SMS
FIDO2’s the underlying technology is much more secure than SMS OTP and TOTP, making it a future-proof experience.
Strong customer authentication solutions like LoginID empower organizations of all sizes with simple-to-integrate APIs and SDKs that make switching from SMS OTP and TOTP to FIDO2 biometric authentication, digital onboarding, digital identity verification and biometric mobile identity verification simple.
Get in touch with our team today to schedule a personalized demo.
