Multi-Factor Authentication Done Right
Following on from our major autumn event, Digital Trust World 2022, held in London on Monday 21 November, we would like to share the thoughts of our Authentication & Privacy sponsor, Anonybit, as they walk us through how to get Multi-Factor Authentication right. The article was written by Frances Zelazny, Co-founder and CEO of Anonybit. This article is taken from the Digital Trust World 2022 brochure which can be viewed here.
Multi-Factor Authentication (MFA) is the latest buzzword for protecting users and assets. But the fact is, there are a lot of misconceptions about what actually constitutes an effective MFA strategy. Case in point: a recent study of 500 financial organizations worldwide found broad confidence in their security departments’ approach to authentication, with 90% saying their approach is mostly or completely secure. Yet 80% of them were breached in the last 12 months due to weak authentication.
To understand where most common MFA methods fall short, let’s review the common attack vectors to bypass them:
Passwords, PINs, and Knowledge-Based Questions: On their own, these knowledge-based factors do not constitute multi-factor authentication at all. The means of obtaining them are numerous, ranging from phishing websites to buying troves of compromised credentials and using them to impersonate victims.
SMS Messages and One-Time Passcodes (OTPs): SMS can be spoofed in multiple ways, for example via a SIM swap, in which the victim’s phone number is ported to a SIM card the attacker controls. More commonly, the codes are simply phished or social-engineered out of the user – just like a password.
Device Identification: Device Identification (Device ID) is a passive authentication method that binds users to specific devices and relies on device attributes to infer ownership. The problem with this approach is that identifying the device is not the same as identifying the account owner who is trying to access the service.
Device Biometrics: With device biometrics, a selfie or fingerprint is used to release a cryptographic key that authenticates the user to an app or service, typically based on FIDO protocols. However, like device identification, device biometrics do not bind the account owner to the account itself: they prove that whoever enrolled on that device is present, not who that person is. In addition, the fallback for device biometrics is, in most cases, a password or PIN code.
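The difference between the phishable factors above and the FIDO-style key release mentioned under device biometrics comes down to what the verifier can actually check. The Python below is an added illustration, not code from the original article or from Anonybit: a TOTP verifier in the style of RFC 4226/6238 next to a simplified relying-party check modelled on the WebAuthn pattern, where the browser, not the user, binds the page origin into the signed data. An HMAC stands in for the authenticator's private-key signature so the example runs on the standard library alone; the keys, origins and challenge are constructed sample values.

```python
import hashlib
import hmac
import struct

# ---- Factor 1: shared-secret one-time code (HOTP/TOTP-style, RFC 4226/6238) ----

def totp_code(secret: bytes, timestep: int, digits: int = 6) -> str:
    """Derive the code for one timestep (dynamic truncation per RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def otp_verify(secret: bytes, timestep: int, submitted: str) -> bool:
    """The server only learns that the digits match. Nothing in the code says
    on which site the user typed it, so a code entered on a lookalike page and
    forwarded within the timestep is indistinguishable from a genuine login."""
    return hmac.compare_digest(totp_code(secret, timestep), submitted)


# ---- Factor 2: origin-bound challenge/response (WebAuthn-style, simplified) ----

def authenticator_assert(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Sign the server challenge together with the page origin.
    In WebAuthn the browser fills in `origin` from the page that called the
    API; neither the user nor the page can substitute another value.
    HMAC stands in for the authenticator's asymmetric signature here."""
    client_data = challenge + b"|" + origin.encode()
    return hmac.new(key, client_data, hashlib.sha256).digest()


def rp_verify(key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The relying party recomputes over *its own* origin and the challenge it
    issued. An assertion produced on any other origin fails this check."""
    expected = hmac.new(key, challenge + b"|" + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def compare_factors() -> dict:
    """Run both factors through the same scenario: the user is on a lookalike
    site that forwards whatever it receives to the real service."""
    otp_secret = b"12345678901234567890"         # RFC 4226 test-vector secret (sample)
    fido_key = b"constructed-authenticator-key"   # constructed value, not a real credential
    real_origin = "https://accounts.example.com"
    lookalike = "https://accounts.example-login.test"  # constructed lookalike origin
    timestep = 1

    # OTP: the code the user reads off the app is the same string wherever it is typed.
    code_typed_on_lookalike = totp_code(otp_secret, timestep)
    otp_accepted = otp_verify(otp_secret, timestep, code_typed_on_lookalike)

    # WebAuthn-style: the real RP issued the challenge, but the assertion was made
    # on the lookalike origin, so the signed client data names the wrong origin.
    challenge = b"server-issued-random-challenge"  # constructed; real RPs use fresh random bytes
    relayed = authenticator_assert(fido_key, challenge, lookalike)
    fido_relay_accepted = rp_verify(fido_key, challenge, real_origin, relayed)

    genuine = authenticator_assert(fido_key, challenge, real_origin)
    fido_genuine_accepted = rp_verify(fido_key, challenge, real_origin, genuine)

    return {
        "otp_relay_accepted": otp_accepted,              # True: no origin binding
        "fido_relay_accepted": fido_relay_accepted,      # False: origin mismatch
        "fido_genuine_accepted": fido_genuine_accepted,  # True
    }


if __name__ == "__main__":
    for name, result in compare_factors().items():
        print(f"{name}: {result}")
```

The point the comparison makes is a property of the verifier, not of the user: an OTP check has no input that could reveal where the code was entered, whereas an origin-bound assertion carries that information in the signed data and the relying party rejects any value other than its own. This is why the article's later argument stresses what the authentication is anchored to rather than how many factors are stacked.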
Getting MFA Right
Implementing MFA correctly requires a broader look at how trust in a user’s identity is established and maintained. Today, organizations employ a stack of solutions to orchestrate a user’s journey, beginning with digital onboarding, which generally involves verifying the holder’s identity documents and comparing them against a selfie. Once the identity has been verified, the user is typically invited to create a username and password to access the online service.
This is the root of MFA failure: the identity verified at onboarding is handed over to a weak factor that is not tied to it. Getting MFA right requires collecting biometrics at onboarding and using that biometric as the anchor of trust for every subsequent authentication. The trick is to do this without creating privacy and data management burdens for the enterprise.
With new technological breakthroughs and well-thought-out system design, these challenges are being overcome. For example, Anonybit’s MFA solution uses multi-party computation and zero-knowledge proofs to preserve the privacy of the biometrics while connecting the different elements of the identity journey seamlessly. Selfies captured during onboarding are ingested into the Anonybit system, sharded for storage, and kept in a decentralized manner for downstream authentication. The platform’s APIs communicate with the different orchestration platforms so that the biometric can be used at login, to verify transactions, to enable self-service account recovery, and for other step-up authentication actions. Device, phone number, and other factors are linked to the user’s biometrics for secure MFA and compliance.