There is no doubt that digital devices and technology have made life significantly easier in a number of ways, but they have also created a number of complications. Instead of having to go stand in line at a bank to deposit checks, you can now simply snap a picture and deposit it with your phone. Unfortunately, however, having to deposit a check in person at a bank offered a level of security that digital devices have taken some time to catch up with. At a bank, a live teller can visually inspect credentials to ensure an account is being accessed by an authorized user. Online, no such protection exists.
In the early days of the internet, accounts were secured by a simple user ID and password. A number of high-profile data dumps and the rise of phishing schemes, however, rendered simple login IDs and passwords relatively useless as a means of authenticating a user. This gave rise to two-factor authentication, which involves using two out of three types of authentication methods:
- Possession (something you have): This can include an object like a credit or debit card, a magnetic key card, or a device or account that you control, such as a cellular or email account.
- Knowledge (something you know): This can include your login credentials, a PIN or personal information such as the last 4 digits of your Social Security number, your home address or the answers to pre-arranged security questions, such as the name of your first boyfriend or the street you grew up on.
- Inherence (something you are): This generally entails some type of biometric scanning, such as a fingerprint scan or facial recognition software.
More recently, multi-factor authentication also includes location (somewhere you are), by using geolocation technology and registering the IP address the user is logging in from.
One of the earliest forms of two-factor authentication was used at ATMs, where a user would have to swipe or insert a debit card (something they have) and then enter a PIN (something they know). Today, what we think of as two-factor authentication is actually multi-factor authentication, which a user may not even be aware of.
For instance, if a user uses their smartphone to access an account, all they may recognize is that they hold their smartphone up to their face or place their thumb on their home button, which contains a fingerprint scanner. What is actually happening, however, is that the biometric authentication scan on the device that they have (inherence, possession) is auto-filling their login credentials and password (knowledge) and the IP address of the device they are using is automatically being compared by the system to previously used IP addresses (location).
As secure as multi-factor authentication is, however, there is a reason many online businesses are still not using it. Multi-factor authentication requires a digital infrastructure many small businesses don't have and cannot afford. In order to offer multi-factor authentication, small businesses generally have to contract out to a third party at a cost, which means many simply don't offer it.
A failure to secure online accounts, however, doesn't just jeopardize a user's account with that one business but with all other businesses as well. Therefore, securing all accounts with two-factor authentication is in everyone's best interest.
OATH (Open Authentication) is an open-source program that allows businesses large and small to secure accounts using two-factor authentication. Unlike traditional two-factor authentication, however, which uses knowledge, possession and inherence to authenticate a user, OATH standards utilize:
- One-Time Password (OTP) authentication
- Public Key Infrastructure (PKI) authentication
- Subscriber Identity Module (SIM) authentication
Unlike a stored password which can be compromised, a one-time use password can be sent to a user's registered cell phone or email account. Not only does this help authenticate them, but it also automatically alerts them if an unauthorized user tries to access their account. Public Key Infrastructure is essentially the equivalent of a crowd-sourced security system.
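OATH's counter-based one-time password algorithm, HOTP, is specified in RFC 4226. The following is an added example, not code from this page or from OATH, showing how a server can verify such a code and enforce that it is usable only once; the `HotpVerifier` class, its look-ahead window and its failure limit are assumptions chosen for illustration, and the secret is the public RFC 4226 test value.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (public test value, not a real credential).
RFC_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Hypothetical server-side state for one enrolled token."""

    def __init__(self, secret: bytes, counter: int = 0,
                 look_ahead: int = 3, max_failures: int = 5):
        self.secret = secret
        self.counter = counter            # next counter value the server expects
        self.look_ahead = look_ahead      # tolerate codes generated but never submitted
        self.max_failures = max_failures  # throttle guessing of the 6-digit space
        self.failures = 0

    def verify(self, submitted: str) -> bool:
        if self.failures >= self.max_failures:
            return False                  # locked until an out-of-band reset
        candidate = submitted.encode()
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c).encode()
            if hmac.compare_digest(expected, candidate):   # constant-time compare
                self.counter = c + 1      # burn this and every earlier counter
                self.failures = 0
                return True
        self.failures += 1
        return False

if __name__ == "__main__":
    server = HotpVerifier(RFC_SECRET)
    print(server.verify("755224"))   # first code from the token
    print(server.verify("755224"))   # same code replayed
    print(server.verify("359152"))   # token is two presses ahead
```

Advancing the stored counter past every accepted code is what makes the password one-time: a code captured in transit is rejected on replay, and the failure limit keeps the short numeric code from being guessed by brute force.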
Unlike IP addresses, which can be spoofed, SIM-based authentication verifies a specific device rather than just the IP address it uses. For example, if you were to piggyback on someone's WiFi, your IP address would register as theirs. A SIM card is device-specific, however, so even if you were on their WiFi, your SIM number would be different.
While OATH authentication is still two-factor authentication, it essentially eliminates the knowledge factor (something you know) and instead institutes two different factors of possession (something you have). Public key infrastructure verification also takes one means of authentication out of the hands of the user themselves and places it in the hands of a neutral third party.
It is a sad, unfortunate fact that users have long rendered most security protocols nearly useless by sharing their login credentials, using the same credentials across multiple sites or failing to secure their devices with a passcode. Among other things, OATH protocols take security measures largely out of the hands of users and place them in safer hands.