Technology is advancing at a rapid pace. This not only favors the development of new products that facilitate users’ lives, but also becomes a new attack vector for attackers, who see fresh opportunities to obtain economic gain.
This is why companies invest part of their profits in the application of security measures to reduce attacks and provide their customers with greater security.
Among the security measures implemented by different companies in recent years, we find two-step user authentication, applied when accessing online services or authorizing other actions within them.
Two-step authentication adds a step in which the user demonstrates that he or she is indeed the customer attempting to perform a certain action, and not an attacker. In addition to providing their password, the user must pass a second authentication step, which is intended to eliminate the possibility of fraud.
In addition, today there are numerous directives worldwide that aim to regulate this type of authentication, especially in the financial and online commerce sectors. These include PSD2, the European directive that regulates the payment services provided by any online service that includes payment activities within Europe. This directive puts special emphasis on security, requiring the strengthening of, and compliance with, certain security features for payment authentication, known as “Strong Customer Authentication”. This, too, is a two-step authentication, which we discussed in one of our past posts.
Until the implementation of PSD2 is completed throughout the financial and electronic commerce sector (its application has been delayed to December 31, 2020), in this post we review the most common two-step authentication methods in use, not only at the European level but globally.
Authentication using SMS codes
This is the most commonly used two-step authentication method. Virtually all services that apply a two-step verification mechanism offer SMS authentication. The system consists of sending a single-use alphanumeric code in a text message, which the user must enter into the system during login.
Although it is the most commonly used mechanism, it is neither the safest nor the simplest. Considering the rise of malware for mobile devices, it is among the worst in terms of security: on an infected device, the malicious application has access to any SMS received and can forward it to the attacker's control server.
In terms of usability, entering the code can be really tedious for users if they have to look at the message at the same time, especially if they do the entire process from their own mobile phone.
This technique also incurs a cost for the entities that decide to use it, since every text message sent to implement the system has a price.
Authentication using OATH TOTP applications
This technology makes use of third-party applications to authenticate the user. It is known as OATH TOTP (time-based one-time password) and functions in a way very similar to sending codes by SMS. However, in this case the user uses an application such as Google Authenticator, LastPass Authenticator, or Latch to generate a temporary authentication code.
OTP authentication systems can generate the final password provided to the user in different ways: event-based (counter-based) authentication, time-based authentication, or a challenge-response authentication method.
The main advantages we can highlight are the low cost that their use entails for companies and the very robust, reliable level of security they offer. Plus, they pose no problems for the user, as there is no need to install new applications.
Authentication based on biometric factors
This is a favorite among users, as it is one of the most comfortable in terms of usability as well as being one of the safest. There are different types of biometric authentication. Facial and fingerprint recognition are the most commonly used, although we can also find solutions that use the iris or physiognomy.
Its popularity has been increasing in recent years, and is expected to increase even more in the coming ones. This is due to the ease with which the user can access this type of technology and how easy it is to use. In the case of fingerprint recognition, all the user has to do is place his or her finger on their mobile's reader.
On the other hand, we can find problems in the implementation of these mechanisms. If the system implementation is not robust enough, an attacker could use simple tricks to pass the authentication. For example, they could present a photo of the victim to a facial recognition system.
In addition to the use of physical biometric factors to authenticate the user during login, there is also the possibility of providing security through behavioral biometrics analysis, which can identify a user silently (without impacting their user experience) by analyzing the way they type, move the mouse or hold their mobile phone, their movements within an application or website, pressure, latency, response speed and many other signals. This analysis makes it possible to detect whether it is really the legitimate user or, on the contrary, an attacker who has managed to fraudulently access the user's account.
Other methods being phased out
In addition to the authentication factors introduced above, we find others that are gradually being replaced by new mechanisms. These include coordinate cards, phone calls, hardware tokens in calculator or USB mode, etc.
Looking forward: continuous biometric analysis
However, these methods begin to coexist with new techniques such as the analysis of biometric behavior, which is even less intrusive in the user experience and also provides an element of continuous authentication. This means the user’s identity is not only verified when they use their fingerprint or face for authentication (static authentication), but throughout the user's session when using any online service, which provides a higher level of protection.
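The two passages on behavioral biometrics (the silent analysis of typing rhythm and similar signals, and its use as continuous authentication throughout a session) can be illustrated with a small scoring model. The following Python code is an added, deliberately simplified illustration and is not buguroo's product logic: it enrolls a typing profile from constructed inter-key latencies, scores each new sample as a mean absolute z-score against that profile, and keeps an exponentially weighted risk for the whole session so that a flag can be raised mid-session rather than only at login. The threshold, the standard-deviation floor and the smoothing factor are assumptions chosen for the example.

```python
import statistics
from typing import Optional, Sequence

# Constructed enrollment data (not real measurements): inter-key latencies in
# milliseconds for the same five key transitions, from four genuine sessions.
ENROLLMENT = [
    [120, 95, 140, 110, 130],
    [125, 100, 135, 105, 128],
    [118, 98, 142, 112, 132],
    [122, 96, 138, 108, 130],
]
MIN_STD_MS = 10.0  # assumed floor: a tightly clustered feature must not dominate the score


class TypingProfile:
    """Per-feature mean and standard deviation learned during enrollment."""

    def __init__(self, sessions: Sequence[Sequence[float]]):
        columns = list(zip(*sessions))
        self.means = [statistics.fmean(col) for col in columns]
        self.stds = [max(statistics.pstdev(col), MIN_STD_MS) for col in columns]

    def score(self, sample: Sequence[float]) -> float:
        """Mean absolute z-score of a new sample; ~0 for the enrolled user, large otherwise."""
        if len(sample) != len(self.means):
            raise ValueError("sample length does not match the profile")
        zs = [abs(x - m) / s for x, m, s in zip(sample, self.means, self.stds)]
        return statistics.fmean(zs)


class SessionMonitor:
    """Continuous authentication: risk is updated with every observed sample during the
    session (exponential moving average) and compared against a threshold each time."""

    def __init__(self, profile: TypingProfile, threshold: float = 1.5, alpha: float = 0.5):
        self.profile, self.threshold, self.alpha = profile, threshold, alpha
        self.risk: Optional[float] = None

    def observe(self, sample: Sequence[float]) -> float:
        current = self.profile.score(sample)
        if self.risk is None:
            self.risk = current
        else:
            self.risk = self.alpha * current + (1 - self.alpha) * self.risk
        return self.risk

    def flagged(self) -> bool:
        return self.risk is not None and self.risk >= self.threshold


if __name__ == "__main__":
    profile = TypingProfile(ENROLLMENT)
    monitor = SessionMonitor(profile)
    # Constructed session: the genuine user types first, then the rhythm changes abruptly.
    for sample in ([121, 99, 137, 109, 131], [60, 40, 70, 55, 65]):
        risk = monitor.observe(sample)
        print(f"sample={sample} risk={risk:.2f} flagged={monitor.flagged()}")
```

A real deployment would use many more features and sessions and would treat a flag as a signal for step-up authentication or investigation rather than an automatic block, but the structure is the same: a profile learned from the legitimate user, and a session-long score that is re-evaluated with every interaction.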
At buguroo we are committed to this type of technology and we develop solutions that make it possible to detect if a user is being impersonated or manipulated during an entire online session.