We all know that two-factor authentication (2FA) brings an extra layer of security that passwords alone can’t provide. Before we rule in favor of or against SMS being a safe and effective tool, we must evaluate the various options and how good or bad they are. So, let’s dive deeper and look into the various options we have apart from SMS:
- Security Token (Static / Clock based token)
- IP based authentication
- Mobile application generating token codes
- Mobile Identity Solutions
Recently in India, we have observed some interesting use cases of 2-Factor Authentication (2FA). A bank in India, in fact the largest public sector bank, has made 2FA mandatory for any high-value transaction at an ATM (we can term such an instance a Physical 2FA because this transaction is not initiated over a user’s handset / device).
Now, if we leave out the top seven to eight developed nations, we see that smartphone penetration in most countries is around or below 40%. For all such transactions, SMS will remain the best option for 2-Factor Authentication. I am not making a coercive point here and am not suggesting that SMS is the best tool for enabling 2FA. However, recently conducted research says SMS was able to block 96% of the phishing attacks so far. Clearly not the best option, but when you are deploying 2FA for scale, you have limited choices, and SMS is one of them.
Taking a quick look at the other 2FA-enabling options, the first is the Security Token. We can use a hardware Security Token that comes pre-fed with 10 to 15 token codes, which doesn’t offer robust security either. The other option is a Clock-based Security Token, which comes with the inherent shortcoming of requiring periodic sync-up with the host servers. More often than not, this sync-up falters and this option goes for a toss.
IP-based Authentication is another option. However, it comes with the rigidity of not allowing an application or email service to be used through multiple devices. Thus, it is a big NO-NO, especially for email users who switch between devices to access their email account.
A Token-generating Mobile Application is a tool, akin to Google Authenticator, that has proven to be very effective in blocking phishing. However, not enough initiatives have been implemented to educate users about the various apps that people can use for 2FA and their advantages over their conventional peers. Here too, there is serious apprehension among people about downloading a new app and the challenges that come with toggling between two screens to complete a transaction. These are a couple of reasons for people not embracing an application for 2FA. Some people who have readily adopted Google Authenticator have complained about its time sync function.
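The sync-up problem mentioned above for clock-based tokens and for Google Authenticator can be seen in a small verifier. This is an added example, not code from this article or from Route Mobile; it assumes the token or app follows RFC 6238 TOTP with 30-second steps and 6 digits, and the secret, timestamps and drift values are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, the RFC 6238 default
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: float) -> str:
    """Code a token or app shows when its own clock reads unix_time."""
    return hotp(secret, int(unix_time) // STEP)

def verify(secret, code, server_time, window=1):
    """Return the step offset (-window..+window) at which code matches, else None.

    window=0 accepts only the server's current step; each extra unit
    tolerates one more 30-second step of drift in either direction.
    """
    current = int(server_time) // STEP
    for offset in sorted(range(-window, window + 1), key=abs):
        candidate = hotp(secret, current + offset)
        if hmac.compare_digest(candidate, code):   # constant-time compare
            return offset
    return None

def drift_report(secret, server_time, drifts, window=1):
    """Map each client clock drift (seconds) to the verifier's result."""
    return {d: verify(secret, totp(secret, server_time + d), server_time, window)
            for d in drifts}

if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    NOW = 1_700_000_010                # constructed server time
    for drift, result in drift_report(SECRET, NOW, [0, 40, -45, 120]).items():
        print(f"client drift {drift:+4d}s -> matched offset: {result}")
```

A device that has drifted beyond the window is rejected even though the user typed the code correctly, which is the failure users experience as a sync problem; widening the window reduces those rejections but keeps each code valid for longer.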
Now, let us shift our focus a little and talk about the multifaceted Mobile Identity Solutions. At Route Mobile we have developed our own programmable mobile identity solution known as MIDaaS. Along with authentication and authorization, this solution can bring in other security benefits for businesses. Mobile Identity can verify up to 11 parameters confirming the identity of a user while he or she is trying to access an application or any other service. It can authenticate a transaction by using some very basic information like Name, Mobile Number, Address and Date of Birth, etc.
We all know that, be it a social app, a banking application or an email account, most of these have the basic user information pre-loaded. With just a click of a button, the telecom operator can verify the identity of the user, thus protecting the account against possible threats. Mobile Identity, as the name suggests, can be used for mobile 2-Factor Authorization only.
Before I conclude, let us understand that apart from SMS & Mobile Identity, most of the other options depend on the know-how of the users and their inclination towards that tool or application. Therefore, from a Telco or a CPaaS player’s perspective, I see Mobile Identity to be a perfect fit for 2FA, and if 2FA is to be deployed for scale, I see Mobile Identity & SMS as a good mix.