In this blog post, Jaap Francke – Product Manager at iWelcome – shares his vision on how consumers can be enabled to log in highly securely without losing user-friendliness, with millennials driving the need for speed and convenience.
When leaving the house, many people still apply the “rule of three” in an attempt not to forget their keys, money and mobile phone. Common understanding is that mobile technology will soon make the first two obsolete, making us even more dependent on our mobile phones. As a result, mobile authentication and authorisation will become even more important in the process.
Multi-factor authentication (MFA) is the best practice to make authentication more secure than only the traditional username and password log-in. In essence, MFA is a method of confirming a user’s claimed identity only after successfully presenting two or more pieces of evidence (or: factors) for authentication.
These pieces of evidence can be:
- What a user knows (i.e. knowledge factors such as a password or PIN);
- What a user possesses (e.g. a mobile phone);
- What the user is (i.e. inherent biometric factors such as a fingerprint or facial recognition).
A user’s location can be seen as a fourth category for authentication.
Today’s practice of Multi-Factor Authentication for Consumer IAM
Let’s explore the practice of Multi-Factor Authentication (MFA) that is used for Consumer Identity and Access Management (or: CIAM).
Although we’ve all heard about stolen or hacked passwords, there is no denying that passwords are still the dominant factor used for authentication. Sometimes password-less authentication is achieved by sending a link to someone’s e-mail box. Access to the e-mail box still requires a password, so this technique only reduces the number of passwords a user needs to remember. In a way it’s similar to a social log-in, where a dedicated password is effectively replaced by a password at the social provider. This form of Single Sign-On (SSO) reduces the number of passwords a user needs to somehow remember, but it doesn’t take away the need for a password.
Sending a One-Time Password (OTP) to the user’s mobile phone is another way to eliminate the need for a password. From an MFA perspective, the knowledge factor is replaced by a possession factor: the user’s mobile phone (or, more precisely, the SIM card). The most commonly used approach for MFA is the combination of password and OTP-over-SMS. Critics have argued that text messaging shouldn't be considered a secure channel, and even NIST has considered dropping the use of SMS as a channel for out-of-band verification.
Another common possession factor (particularly in the payment industry) is the bank card. In combination with a PIN code as knowledge factor it is probably the most widely used MFA method worldwide. Unfortunately, magstripe cards can be skimmed, but the introduction of EMV chip cards has reduced this risk significantly. Fallback to non-chip transactions on legacy equipment has proven to remain a weak spot.
Inherence factors (i.e. what the user is) have long seen low adoption rates in the consumer space, predominantly because they conflicted with perceived user-friendliness and consumers’ sense of privacy. The introduction of the iPhone 5S – roughly 5 years ago – boosted the adoption of fingerprint scanners on smartphones, and today face recognition is becoming common. This type of biometric data is not stored centrally but privately and securely on the user’s device, and I believe this is a key success factor for this biometric technology.
Today’s MFA practices bring hassle to consumers, who are always looking for convenience. Secure log-in may require a bank card or other token which they may not have readily available in their pockets. When SMS is used as a second factor, the consumer may have to step out of the log-in process, look up the code that was sent by SMS and type it into the log-in screen.
The future of Multi-Factor Authentication (MFA)
The aforementioned “rule of three” is already losing ground. We no longer carry wallets, since tucking some money or a bank card in with our mobile phone lets us pay for our stuff. NFC technology in our smartphones is replacing the need for a bank card or public transport card and lets us initiate payments using payment apps. The general expectation is that Apple will follow Android in opening access to the NFC chips in its iPhones when iOS12 is released this month.
Further adoption of NFC technology will lead to mobile apps that allow us to open doors and serve as a car key. The percentage of millennials that own a smartphone is already close to 100%, and they all seem pretty much hooked on them. And let’s admit it, they’re not the only ones. From a convenience perspective, the mobile phone could well become the sole possession factor out there.
With all these online services the need for secure authentication will rise as well. And the one thing we are so addicted to allows us to do exactly that. With today’s technology we can already implement three-factor authentication by solely using our smartphone:
- You reach out to your mobile phone (possession factor);
- You unlock your phone with your fingerprint or face recognition (inherent biometric factor) and you open an application;
- The application requires you to log in by entering a password or PIN code (knowledge factor).
On your laptop or desktop the process is similar:
- If your device didn’t remember your username, you may have to enter it on a log-in screen;
- You receive a push message for authentication in an associated app on your mobile phone (possession factor). Potentially, you can then be asked to swipe the screen as a means of secure authentication;
- You unlock your phone with your fingerprint or face recognition (inherent biometric factor);
- Before you can approve the authentication request in the push message, the mobile app may ask you to enter an additional password or PIN code (knowledge factor).
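A constructed model of the push-based flow just described, added here as an illustration and not code from iWelcome or the original post. It assumes that pairing a phone with an account shares a per-device secret and that the app authenticates approvals with an HMAC over the challenge id; the server issues a time-limited, single-use challenge bound to the browser session, so an expired, replayed or foreign approval is refused.

```python
import hashlib
import hmac
import secrets
import time
# Assumption (not from the post): pairing a phone with an account shares a per-device
# secret and the app authenticates approvals with an HMAC over the challenge id; a real
# deployment would use a device-held private key instead of a shared secret.
CHALLENGE_TTL = 60  # seconds an unanswered push request stays valid


def device_approve(device_secret, challenge_id):
    """What the app computes once the user has unlocked the phone and approved."""
    return hmac.new(device_secret.encode(), challenge_id.encode(), hashlib.sha256).hexdigest()


class PushAuthServer:
    def __init__(self):
        self.devices = {}      # user -> secret established when the phone was paired
        self.pending = {}      # challenge id -> (user, browser session, expiry time)
        self.approved = set()  # browser sessions whose log-in completed

    def pair_device(self, user, device_secret):
        self.devices[user] = device_secret

    def start_login(self, user, session_id, now=None):
        """Browser submits a username: issue a fresh challenge bound to that browser
        session and push it to the paired phone (the push carries the challenge id)."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(16)
        self.pending[challenge_id] = (user, session_id, now + CHALLENGE_TTL)
        return challenge_id

    def approve(self, challenge_id, device_mac, now=None):
        """Accept an approval only once, only before expiry, and only from the paired device."""
        now = time.time() if now is None else now
        entry = self.pending.get(challenge_id)
        if entry is None:
            return False  # unknown, expired or already used challenge (no replay)
        user, session_id, expiry = entry
        if now > expiry:
            del self.pending[challenge_id]
            return False  # stale push request; the user must start again
        expected = device_approve(self.devices[user], challenge_id)
        if not hmac.compare_digest(expected, device_mac):
            return False  # not from the paired phone; rate-limit such failures in practice
        del self.pending[challenge_id]  # single use: a replayed approval is refused
        self.approved.add(session_id)
        return True

    def is_logged_in(self, session_id):
        return session_id in self.approved
```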
A next step in MFA will make use of wearables. More and more people are wearing a smartwatch or activity tracker, so using these as a possession factor seems even more logical and user-friendly.
All these MFA scenarios raise different sorts of questions, for example about the security of the smartphone and how it is paired with the user’s account. Fallback scenarios also need to be made available for situations where the user has lost his or her phone. Battery power can be considered an issue, but our smartphone addiction will make sure we keep our smartphones charged anyway. I believe these potential problems will all be solved. In most scenarios, the knowledge factor can be removed to increase user convenience while maintaining a good level of security based on two-factor authentication. Combined with Single Sign-On (SSO), this would be my best guess going forward.
Product Owner / Manager at iWelcome
Jaap is an experienced product owner and manager specialised in bridging the gap between business and IT. Within iWelcome, Jaap is responsible for product management.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org.