Last week, SC Magazine shined a spotlight on new security mandates put in place by The Social Security Administration to protect consumers, but are they enough to stop the bad guys from hijacking benefits?
As part of an executive order for federal agencies to beef up their authentication measures, account holders are now required to provide a cell phone number, in addition to their username and password, for a second factor of authentication via SMS.
As noted security guru Brian Krebs called out in the article, adding an SMS authentication layer still doesn’t offer any proof that the person creating an account is the same person the Social Security Number used to open the account belongs to.
Even more telling is the fact that, as reported by SC Magazine in late July, the National Institute of Standards and Technology (NIST) is recommending that two-factor SMS authentication be phased out altogether, largely because it is – contrary to the belief of numerous businesses – often ineffective in preventing sophisticated fraudsters from committing crime.
To be fair, it’s important to note that adding a second factor of authentication – either via SMS or other method – is an improvement over simple single-factor methods, such as using a traditional username and password at login.
Today, however, adopting a layered authentication approach that applies different forms of authentication at multiple points along a customer’s online journey is a critical step for businesses looking to increase security without having a negative impact on the customer experience.
Why Device Intelligence Matters
At iovation, we look at the device that’s being used to gain access to a website or online account as a foundational element of authentication that can play an important role at a variety of authentication points along the customer journey.
Here's an example of a typical customer journey in financial services:
Device-based authentication isn’t merely a matter of “I know and recognize this device.” Rather, it brings with it all the context that’s related to that device to answer some critical questions:
- How is it communicating?
- What do we know about the context of that device and its session?
- What risks are coming along for the ride with this device’s session, such as anonymizers, VPNs and proxies, emulators, rooted and jailbroken devices, and tampered devices?
With all of this rich context, device-based authentication can also provide the intelligence you need to make subsequent authentication decisions, such as when to allow, review or deny a login attempt, when step-up authentication should be used, or when to trigger other layers of authentication, such as one-time passwords, KBA (knowledge-based authentication) or behavioral analysis.
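To make that decision flow concrete, here is an added illustrative example (not iovation's code; the signal names, weights and per-step thresholds are assumptions chosen for the example) that scores the context riding along with a device's session and picks allow, step-up, review or deny for each step of the journey:

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class DeviceSession:
    device_id: str
    known_device: bool            # previously seen and trusted on this account
    action: str = "login"         # step on the journey: login, change_contact, transfer
    anonymizer: bool = False      # VPN / proxy / anonymizing network detected
    emulator: bool = False        # session comes from an emulated device
    rooted_or_jailbroken: bool = False
    tampered: bool = False        # device integrity / fingerprint checks failed
    accounts_on_device: int = 1   # distinct accounts seen from this device

# Illustrative weights (assumption), not any vendor's scoring model.
RISK_WEIGHTS = {"anonymizer": 30, "emulator": 40, "rooted_or_jailbroken": 25, "tampered": 50}

# (allow_max, step_up_max, review_max): higher-value steps tolerate less risk.
ACTION_THRESHOLDS = {"login": (30, 60, 90), "change_contact": (15, 40, 70), "transfer": (10, 30, 60)}

def risk_score(s: DeviceSession) -> tuple[int, list[str]]:
    """Sum the risk carried by the session and record which signals fired."""
    score, reasons = 0, []
    for signal, weight in RISK_WEIGHTS.items():
        if getattr(s, signal):
            score += weight
            reasons.append(signal)
    if not s.known_device:
        score += 15
        reasons.append("new_device")
    if s.accounts_on_device > 3:   # one device driving many accounts is a fraud pattern
        score += 20
        reasons.append("many_accounts_on_device")
    return score, reasons

def decide(s: DeviceSession) -> tuple[str, int, list[str]]:
    """Map the score to allow / step_up (OTP, KBA, ...) / review / deny for this step."""
    score, reasons = risk_score(s)
    allow_max, step_up_max, review_max = ACTION_THRESHOLDS[s.action]
    if score <= allow_max:
        decision = "allow"
    elif score <= step_up_max:
        decision = "step_up"
    elif score <= review_max:
        decision = "review"
    else:
        decision = "deny"
    return decision, score, reasons
```

The same device that sails through a login with a VPN signal is pushed to step-up on a transfer, which is the point of applying different tolerances at different steps of the journey.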
With solid device intelligence and insight as a foundation, anyone can create this sort of dynamic, interactive user experience. You’ll get authentication that’s both risk-aware and user-friendly at the same time.
SMS will be around for a long time and continues to provide value. But the bad guys are only getting smarter, and now is the time for the marketplace to start thinking about future-proofing authentication strategies with a layered approach.