Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)



January 2015

The Proliferation of The App World

The revolution of the smart phone forever affected the direction of the business and technology worlds. It has experienced one of the fastest and broadest adoption rates of any hardware device in history. Analysts are predicting that mobile devices might overtake the computer as the main form of internet interaction by the end of 2014. It is a mobile age and people are constantly moving.

With the growth of the smart phone has come the emergence of the mobile application market and the transition of businesses from in-person, phone, or PC-based engagement with customers to anytime, anywhere mobile interactions. The phone has been transformed from a static communication tool into a media-rich environment with unlimited possibilities. Companies use the mobile platform to promote their business, connect with customers, sell products and services and gather information about their user base. They use 3rd party apps like Twitter and Facebook because these enable direct access to billions of people at the same time, instantly.

The growth of smart and feature phones has also led to the growth of SMS as a messaging platform. SMS is the leading way to send short messages between devices and is the broadest-reach communication method available. More people have access to SMS than have access to clean water.

Consumer app usage has given businesses a medium to revolutionize old industries like taxi services or the hospitality industry. With billions of people using smart phones, a mobile experience is now an expectation rather than a luxury. As a result, businesses are increasingly integrating their customer service experiences into mobile applications to interact with their customers anytime, anywhere.

An Increasingly Threatened World

The rise of the smartphone and the app-centric world has also created a new avenue of security issues for both individuals and companies. Phones, as a result of the diversity of mobile app experiences, now store a wide variety of personal information that must remain secure:

- Credit Card Numbers
- Financial Records
- Social Security Numbers
- Health Records
- Online Accounts and Passwords
- Location History
- Contact Lists

While smart phones provide a platform for endless possibilities, they also create an attack vector for hackers and identity thieves, creating risks for both businesses and consumers. Customer transactions are now taking place anywhere and at any time. People are using and storing their credit card information in phone apps operating on public networks. It is also common practice for people to purchase new devices and log into their accounts on multiple computers, both public and private. This makes it difficult for businesses to verify identities and user accounts, as the devices they are tied to change on a regular basis. Resetting a forgotten password is a common inconvenience for the consumer, yet it creates an avenue for account theft. Businesses stand to lose customers if they cannot protect their customers' accounts or financial information against theft, making account security and user verification a top priority.

A unique risk to business has also arisen from using social media. It is now standard practice to use social media as a means of increasing business and brand recognition, but this practice has created a new avenue for public embarrassment. In 2013, the Associated Press Twitter account sent a report to its 1.9 million followers that there had been an explosion at the White House and that the President was injured. Within 60 seconds of the tweet, the Dow Jones Industrial Average fell 150 points and sent the crude oil industry into a frenzy. The AP was able to respond within 3 minutes of the false tweet, but the damage had already been done.

In September of 2014, Apple's iCloud was compromised in a very public and very embarrassing attack on celebrity photos. The vector: highly targeted attacks on celebrities using increasingly common methods that compromised user names, passwords and security questions. Apple's response was to encourage strong passwords and two factor authentication.

Google's Gmail system was also attacked in September of 2014, when 5 million user ids and passwords appeared on a Russian bitcoin forum. As with the iCloud attack, the vector was not a breach of Google's email system but the compromise of user devices. In response, Google shut down the affected email accounts and is enforcing stronger passwords and two factor authentication.

New Security Measures

Companies are taking aggressive measures to mitigate application-related security risks. Most online accounts now require a complex username and utilize defenses against computer-generated IDs. Strong passwords are the norm, reducing the effectiveness of brute force attacks. However, passwords can still be defeated by malicious keylogging technologies. Also, if the business doesn't store the passwords correctly, hackers can compromise a business's entire customer base. The recent attacks on payment systems within the banking and retail industry are grim reminders of the ongoing threat to privacy and security.

Due to the increasingly sophisticated attacks, something more is needed. Many companies are moving to out-of-band authentication methods, such as RSA tokens. RSA tokens are effective because they deliver authentication codes through hardware or software, counteracting common attack vectors. However, they can be difficult to implement because they require the user to download the software or to physically have the hardware token. Also, RSA is a more enterprise-focused solution with less applicability for business-to-consumer (B2C) or mobile solutions.

Mobile phone Two Factor Authentication, or 2FA, is becoming the new standard for securing account setup and login in B2C applications. In general, 2FA can be achieved in different ways, but it is built on two of three constant variables:

1. Something a user knows: User Name, Password, Security Questions, Social Security Number, Address, PIN, Email
2. Something a user has: Mobile Phone, Security Device, ID Card, Authentication App, Soft Token, Email
3. Something a user is: Fingerprint, Retina Scan, Biometric

Mobile phone 2FA utilizes a phone (something the user has), in conjunction with a password, PIN or security question (something the user knows), to create and verify devices and transactions. 2FA is most often used in scenarios such as:

- Verifying new users and accounts
- Resetting forgotten passwords
- Preventing Account Takeover
- Password Reset
- Transaction Validation

When a company is trying to decide on a 2FA approach, it is important to consider two things:

- User Experience: The experience needs to be familiar; however, the conversion rate is the important thing. If you have late or undelivered messages, your conversion rate will drop.
- Security: Authentication needs to be out of band. Email or social website verification travels on the same network or band as the login itself (the internet), whereas SMS uses a separate network (the telco system). This prevents attacks that work by compromising a single band.

While there are many ways to implement mobile 2FA, such as email accounts, security questions or tokens, the most broadly applicable and easiest method is SMS-delivered 2FA. As mentioned above, SMS is the broadest-reach mobile communication method; it applies to both smart phones and feature phones, and is available anywhere that a user can get a connection.

Telephone Numbers: Part of an Identity

Telephone numbers have served as a personal identifier since the conception of the device. For the past 10 years, phones have served as a method of communication precisely because they provide a unique identifier for each user. A phone can send a personal communication from one person to another, which is exactly what is needed where 2FA is concerned. A phone number is a core element of an identity. Mobile phone numbers are typically not disseminated by users to businesses or individuals that the owner doesn't know or trust. It is, in very many respects, similar to a national identification number provided to citizens by the government to keep track of residents, and this makes it very useful in two-factor authentication. Six billion people use cell phones and already have a unique number assigned, making cell phones a perfect candidate for 2FA.

The Future of 2FA: SMS

SMS is the perfect solution for businesses who want to protect their users and their reputation. It is not just for businesses with customers all over the world; it is for all businesses. It is a fast form of communication. Text messages are integral to mainstream communications and the infrastructure is in place to make fast deliveries anywhere in the world. Six billion people already have SMS-enabled phones in their pockets, making SMS a very convenient way to verify identities on the go. SMS gives companies a secure way of providing customers something they need to know, like a single-use access PIN (variable 1), across a communication device they already have (variable 2). It doesn't require users to remember security questions or an additional password; all they have to do is respond to the prompts on their phone's display. On average, SMS messages are read within 90 seconds of delivery and have a 95% read rate. This makes SMS an ideal tool when matters of security are concerned. Businesses would be able to verify their customers' identities immediately or discover an attempted account theft very quickly.

Using SMS for Two-Factor Authentication is not without risks. Businesses need to mitigate three issues that might arise when using SMS as a method for 2FA:

- Deliverability: Although SMS is available globally, message delivery performance can vary widely depending on local carrier network conditions.
- Latency: Speed is of the essence with SMS-delivered 2FA. Message latency will differ based on message routing algorithms and carrier network status.
- Compliance: SMS messaging policies around the world are often complex, with specific regulations regarding message content, URL links or the use of short codes.

Because of these issues, it is best to implement SMS-delivered 2FA as part of an overall solution that will help ensure high deliverability, low latency and global compliance.
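The server side of the SMS-delivered 2FA flow described above, as an added example that is not code from the whitepaper, Nexmo or The Spur Group: it issues a single-use code out of band and applies several of the best practices the paper lists in its closing section (one account per phone number, at most two messages, a 60s wait between requests, accepting either of two codes, the dash-in-the-middle format, and a TTS/alternate fallback after two attempts). The `send` callable is a hypothetical stand-in for a real SMS or voice gateway, and the 5-minute code lifetime is an assumption.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Limits taken from the whitepaper's best practices; the 5-minute code lifetime is an assumption.
CODE_TTL = 300       # seconds a single-use code stays valid
RESEND_WAIT = 60     # the user waits 60s before a second code can be requested
MAX_SENDS = 2        # no more than two SMS messages per verification
MAX_ATTEMPTS = 2     # after two failed entries, move the user to TTS/alternate auth


@dataclass
class Verification:
    phone: str
    codes: list = field(default_factory=list)  # every code still accepted (both, if two were sent)
    sends: int = 0
    attempts: int = 0
    last_sent: float = 0.0
    expires: float = 0.0
    channel: str = "sms"                       # becomes "tts" once SMS has been exhausted


def format_code(code: str) -> str:
    """Render 333666 as 333-666, the dash-in-the-middle form the paper recommends."""
    return f"{code[:3]}-{code[3:]}"


class OtpService:
    """Server side of SMS-delivered 2FA: issue a code out of band, then check it."""

    def __init__(self, send, now=time.time):
        self.send = send        # hypothetical gateway: send(phone, channel, text); SMS is the out-of-band channel
        self.now = now          # injectable clock so the timing rules can be tested
        self.pending = {}       # phone number -> Verification in progress
        self.claimed = set()    # phone numbers already bound to an account (one account per number)

    def request_code(self, phone: str) -> str:
        if phone in self.claimed:
            return "phone already bound to an account"
        v = self.pending.setdefault(phone, Verification(phone))
        if v.channel == "tts":
            return "use voice call or alternate method"
        if v.sends >= MAX_SENDS:
            v.channel = "tts"
            return "sms limit reached; switching to voice"
        if v.sends and self.now() - v.last_sent < RESEND_WAIT:
            return f"wait {int(RESEND_WAIT - (self.now() - v.last_sent))}s before requesting another code"
        code = f"{secrets.randbelow(10**6):06d}"  # single-use access PIN, the 'something you know'
        v.codes.append(code)                      # the older code stays valid too (accept both)
        v.sends += 1
        v.last_sent = self.now()
        v.expires = self.now() + CODE_TTL
        self.send(phone, "sms", f"Your verification code is {format_code(code)}")
        return "sent"

    def verify(self, phone: str, submitted: str) -> bool:
        v = self.pending.get(phone)
        if v is None or self.now() > v.expires or v.attempts >= MAX_ATTEMPTS:
            return False
        digits = submitted.replace("-", "").strip()
        v.attempts += 1
        ok = any(hmac.compare_digest(digits, c) for c in v.codes)  # constant-time comparison
        if ok:
            self.claimed.add(phone)   # the number is now bound to this account
            del self.pending[phone]
        elif v.attempts >= MAX_ATTEMPTS:
            v.channel = "tts"         # two failures: force TTS or an alternate method
        return ok
```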

Conclusion

In the modern technology age, account security and user identification are essential. Whether a small startup or a large corporate enterprise, companies must be connected to their customers and protect them. As the world becomes even more digital, knowing their customers and being able to verify their identity instantly will become more and more critical. Customers must trust the companies they work with, and each time an account is stolen or compromised, the trust between customer and company is hurt. Businesses want to deliver personal experiences and build trust. Interacting with customers through SMS is a first step.

Image source: waagsociety, Flickr. Online image. May 22, 2013

15 Best Practices

If you are ready to implement 2FA in your business, below are 15 best practices you should consider.

1. Use existing factors to verify all 2FA: Prevent fraudulent account takeover by verifying account changes with existing factors. For example, if the user attempts to change their number, make sure to use any available information, such as alternate email addresses, to reduce the likelihood of fraudulent changes.
2. Only allow one account per phone number: This is an easy way to prevent fraudulent account creation. By requiring a valid phone number and limiting that number to one account, it prevents someone from creating multiple fraudulent accounts.
3. Pick a primary authentication option, e.g. text or call: Reduce user confusion by asserting a primary authentication method and using the other one as a backup.
4. Have a dropdown menu for country code: Avoid having to make the user guess or research what country code they have.
5. Use Google PhoneLib to pre-populate a user's country code based on IP address: Allow the user to select their country, then use Google PhoneLib to ensure the number is formatted properly.
6. Measure fluctuations in conversion ratio: By measuring and testing variables in your conversion process you can improve the number of users you acquire. This means more revenue and less abandonment in the process.
7. Use TTS as a backup for SMS: Sometimes SMS can't be delivered or the person doesn't know to check their messages. By using a text-to-speech call as backup when the user doesn't enter a code, you can improve conversion by as much as 15%.
8. Utilize high quality SMS routes: The world of international SMS is full of shady suppliers who will offer you extremely low prices. With SMS, you get what you pay for. Ask for direct connections where possible to improve delivery rate and decrease message delivery latency.
9. Allow each user to request no more than two SMS messages: Each SMS costs money, and if they don't convert in two messages it's unlikely they will after more.
10. Force the user to wait 60s for their code to arrive before being able to request another one: Sometimes messages get delayed or the user makes a mistake; avoid sending unnecessary repeat messages by adding a delay between requests.
11. Force the user into TTS or alternate authentication after two attempts: If your primary method of authentication doesn't work the first two times, force the user to try a different method.
12. Send SMS in the local language: Send instructions in the local language to avoid confusion.
13. Accept both codes if a user requests 2 messages, or send the same code twice: If a user does request two codes, sometimes they will enter the older one first, so it will help conversion rate if you send the same code twice or accept both.
14. Add a dash in the middle of the numbers: By adding a dash (for example 333-666) it makes it easier for the user to remember when they are entering it in.
15. Tell the customer they are about to receive a text or call: Reduce potential confusion and put them at the ready to receive the passcode.

About The Spur Group

The Spur Group delivers business results that matter. We provide the thought partnership, business insight or extra bandwidth you need to be more successful. Make better decisions, realize your objectives, tell your story, leverage your channel and strengthen your staff with The Spur Group. We can help you make your next project more successful. Our expertise includes developing partner programs for Microsoft and Dell, managing messaging and partner conferences for Cisco and Juniper Networks, and providing recruitment insight and strategies.

About Nexmo

Nexmo provides innovative communication APIs that bridge traditional voice services with cloud communications. Nexmo enables applications and enterprises to make phone calls or send and receive text messages with ease to improve user experiences, no matter where in the world customers are located.