Banks and other financial services companies know that they are particularly vulnerable to cyberattacks launched against their business and their customers.

Multi-factor authentication (MFA) or Strong Customer Authentication (SCA) solutions are a particularly effective defense, but some are better than others. This is particularly true with mobile authentication solutions.

Many consumers expect the same convenient experience they enjoy with their other mobile applications. However, no matter how convenient they are, these solutions must also be properly secured.

Mobile authentication solutions are rife with offerings that have significant security flaws

Chief among these flaws is reliance on one-time passwords (OTPs), the short codes sent to customers’ mobile phones by SMS.

Widely used for many years, SMS OTP is vulnerable to SIM swapping, to rerouting or interception of the messages in transit, and to malware on the handset that reads them. Organizations must know their risks so they can protect themselves and their customers. They also need to understand how to make mobile authentication and transaction signing secure and how to use today’s controls and protocols to deploy secure, seamless, and scalable solutions.

Knowing What’s at Stake

There are a variety of attack vectors, including illicit SMS-rerouting services that let attackers redirect a victim’s text messages, and with them the OTPs, to a phone they control and so gain access to the victim’s accounts.

For example, ReadWrite reported in May 2021 on FluBot, Android malware that, once installed, harvested banking and other passwords and sent them to the attackers’ servers. Even more virulent, the bot also collected the victim’s contacts and sent them SMS messages from the victim’s phone, spreading the infection to still more people.

In another major attack a year earlier, attackers built a farm of roughly 16,000 emulated mobile devices, each posing as a legitimate customer’s phone, and intercepted the SMS one-time passwords (OTPs) sent to those customers.

According to coverage in Ars Technica, IBM Trusteer researchers uncovered the massive fraud operation that used a network of mobile device emulators to drain millions of dollars from mobile banking apps in a few days.

Growing reliance on digital transaction channels

With the growing reliance on digital transaction channels, the volume of cyberattacks has increased significantly.

As ReadWrite contributor Peter Daisyme pointed out in his 5 Ways to Improve and Optimize Your Company’s Data Security Program, the April 2022 Block-Cash App breach may have exposed more than eight million customers’ data.

And at the beginning of 2022, Crypto.com admitted that nearly 500 users had $30+ million stolen collectively after a severe breach.

The use of compromised user credentials continues to be the primary way that hackers launch their attacks

In spring 2021, attackers exploited a flaw in Coinbase’s SMS account-recovery flow to steal cryptocurrency from about 6,000 accounts. Already holding victims’ email addresses, passwords, and phone numbers, they used the flaw to obtain the SMS OTP that should have stopped them and took over the accounts.

Mobile authentication security provides a solution to these challenges, enabling users to take advantage of various mobile device capabilities to verify their identities before accessing an application or performing a transaction.

How Mobile Authentication Security Works

Turning the ubiquitous smartphone into an easy-to-use authenticator is the ideal, but securing the mobile authentication process is no mean feat.

The industry has created baseline security standards for mobile apps through the non-profit Open Web Application Security Project (OWASP) foundation, notably the Mobile Application Security Verification Standard (MASVS). These standards differ from those written for web applications, though.

Mobile apps present significantly more options for storing data and leveraging a device’s built-in security features for authenticating their users. As a result, even small design choices can have a larger-than-anticipated impact on a solution’s overall security.

One mobile authentication choice is SMS verification, or OTP sent via SMS, which has grown in adoption worldwide. This was the leading authentication method among the financial institutions HID Global surveyed in a 2021 study. The Ponemon Institute has estimated that, despite its significant security risks, SMS OTP is used by about one-third of mobile users.

An alternative is authentication solutions that combine push notifications with a secure out-of-band channel.

The out-of-band approach provides a stronger combination of security, flexibility, and usability. It applies cryptographic techniques to bind a specific device to its owner’s identity.

Because the key that proves that binding never leaves the device, an attacker cannot impersonate the user without controlling the device itself. It is also more secure than SMS authentication because the service provider never has to send a secret to the customer over an untrusted network.

Push notifications also make the user experience much more straightforward than SMS systems.

All a user must do when a push notification appears on their phone is validate the request by making a binary choice to either “Approve” or “Decline” the transaction. This contrasts with reading an OTP received via SMS and re-typing it into the phone. The one caveat is that a bare Approve/Decline prompt invites push bombing: an attacker who already holds the password triggers prompt after prompt until a weary user taps Approve. The prompt should therefore show what is being approved (amount, payee, originating location), and the approval should be cryptographically bound to that context, which is what transaction signing does.

Users typically see a tiny portion of the authentication process, most of which happens in the background.

The entire mobile authentication lifecycle starts with both registering and recognizing the user’s device and then provisioning secure credentials to the user.

The solution must also protect user credentials and secure all communications between the user, the app, and the backend servers.

Finally, it must protect sensitive data requests while the organization’s app runs, maintain security throughout the customer lifecycle, and prevent brute force attacks. There are challenges at each of these steps.

Solving Seven Major Strong Customer Authentication Challenges

Various factors make mobile authentication security challenging to implement, including selecting and integrating the most effective techniques into the organization’s broader security systems. There are seven basic categories of challenges across the mobile authentication lifecycle:

  1. Recognizing and Authenticating User Devices

An authentication solution should be able to recognize whether a request really comes from the device the user registered. Without that recognition, an attacker can impersonate the user by copying the app’s data into a real or virtual clone of the mobile device.

To combat this, anti-cloning technology can be used to ensure that no one can gain access through this fraudulent device.

Anti-cloning techniques are most effective when the device key lives in hardware-backed key storage, which nearly all modern smartphones ship with.

On iOS, this is the Secure Enclave, a dedicated secure subsystem integrated into Apple systems on chips (SoCs).

On Android, keys are held by the Android Keystore inside a Trusted Execution Environment (TEE) that runs alongside the Android operating system or, on devices with StrongBox support, in a discrete secure element. Using this hardware-backed storage lets an authentication solution take maximum advantage of the device’s built-in security protections.

Additionally, the strongest authentication solutions stop would-be cloners by layering several cryptographic protections and wrapping each individual key under a unique device key. That device key is generated during initial provisioning and never leaves the device; even if one of the keys it protects is exposed, the attacker can neither recover the others nor impersonate the device.

  2. Provisioning User Devices So They Are Secure and Safe from Cyberattacks

Managing users’ identities and issuing credentials to their mobile devices must be secure and safe from cyberattacks.

Some mobile authentication solutions activate user devices using public-key cryptography (a mathematically linked private/public key pair). The private key is generated on the customer’s device and treated as secret.

It never leaves the device, so the chance that the credential is compromised is much reduced. This works well for mobile authenticators because the app can answer the server’s challenge directly during an authentication request; the user approves the push request but never has to transcribe a code.

When secret key material must be shared between the mobile authenticator and the authentication server, as with authenticators that also offer a manual fallback such as an OTP, whose seed both sides must hold, two extra steps are needed to exchange it securely:

  1. The initial authentication of the user to establish a secure channel.
  2. The establishment of the secure channel itself to exchange shared secrets.

With the most secure solutions, the initial authentication is unique to each user, this authentication event is used only once, and it expires immediately after registration has been successfully completed.

Some solutions also enable organizations to customize specific security settings and rules. For instance, they can change the length of the initial authentication code and its alphanumeric composition or the number of retries permitted after a failed initial authentication, among other parameters.

Organizations should also consider the policies that govern their user and device provisioning processes.

Ideally, the authentication solution should let an organization decide whether to issue credentials to outdated operating systems, jailbroken or rooted phones, or devices without hardware-backed key storage.

Solutions like these also often let organizations choose the algorithms and key lengths used, and simplify configuring settings beyond the vendor’s defaults.
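To make challenges 1 and 2 concrete, here is an added example, written for this edit and not HID’s code or any product’s API, of the server-side provisioning and challenge-response flow in Go. It issues a single-use activation code with a configurable length, alphabet, lifetime and retry limit, binds the device’s public key to the user once the code is accepted, and then hands the enrolled device a fresh nonce to sign on every authentication. The Ed25519 key pair generated in memory stands in for a non-exportable key held in the Secure Enclave or TEE; the user IDs, policy values and error strings are illustrative. A clone that has copied the app’s data but holds a key of its own fails verification, which is the anti-cloning property challenge 1 asks for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ActivationPolicy: the provisioning settings the text says an organization tunes.
type ActivationPolicy struct {
	Length, MaxRetries int
	Alphabet           string
	TTL                time.Duration
}

type activation struct {
	code     string
	expires  time.Time
	failures int
}

// Server keeps pending activations, enrolled device keys and outstanding nonces.
type Server struct {
	policy      ActivationPolicy
	activations map[string]*activation
	devices     map[string]ed25519.PublicKey
	nonces      map[string][]byte
}

func NewServer(p ActivationPolicy) *Server {
	return &Server{policy: p, activations: map[string]*activation{},
		devices: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// randomCode draws each character uniformly from the alphabet (no modulo bias).
func randomCode(n int, alphabet string) string {
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			panic(err) // a failing CSPRNG is not something to recover from
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out)
}

// IssueActivation creates the single-use initial authentication for one user.
func (s *Server) IssueActivation(userID string, now time.Time) string {
	code := randomCode(s.policy.Length, s.policy.Alphabet)
	s.activations[userID] = &activation{code: code, expires: now.Add(s.policy.TTL)}
	return code
}

// Enroll binds the device's public key to the user if the code is unexpired,
// under the retry limit and correct; the code is consumed on success.
func (s *Server) Enroll(userID, code string, pub ed25519.PublicKey, now time.Time) error {
	a, ok := s.activations[userID]
	if !ok {
		return errors.New("no pending activation")
	}
	if now.After(a.expires) {
		delete(s.activations, userID)
		return errors.New("activation code expired")
	}
	if subtle.ConstantTimeCompare([]byte(a.code), []byte(code)) != 1 {
		if a.failures++; a.failures >= s.policy.MaxRetries {
			delete(s.activations, userID) // retry limit hit: the code is now worthless
			return errors.New("activation code invalidated after repeated failures")
		}
		return errors.New("wrong activation code")
	}
	delete(s.activations, userID) // single use
	s.devices[userID] = pub
	return nil
}

// Challenge issues a fresh nonce; Verify checks the device's signature over it
// with the enrolled key and discards it, so a captured response cannot be replayed.
func (s *Server) Challenge(userID string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.nonces[userID] = nonce
	return nonce
}

func (s *Server) Verify(userID string, sig []byte) bool {
	pub, havePub := s.devices[userID]
	nonce, haveNonce := s.nonces[userID]
	delete(s.nonces, userID)
	return havePub && haveNonce && ed25519.Verify(pub, nonce, sig)
}

// Device side. Assumption: the private key is an in-memory stand-in for a
// non-exportable Secure Enclave/TEE key, so an attacker who copies the app's
// data to a real or virtual clone ends up with a different key and fails Verify.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }

func main() {
	s := NewServer(ActivationPolicy{Length: 8, MaxRetries: 3, Alphabet: "ABCDEFGHJKLMNPQRSTUVWXYZ23456789", TTL: 10 * time.Minute})
	pub, priv, _ := NewDeviceKey()
	_, clonePriv, _ := NewDeviceKey() // the clone's own key; the enrolled one never left the hardware
	fmt.Println("enroll:", s.Enroll("alice", s.IssueActivation("alice", time.Now()), pub, time.Now()))
	fmt.Println("genuine device:", s.Verify("alice", SignChallenge(priv, s.Challenge("alice"))))
	fmt.Println("cloned device:", s.Verify("alice", SignChallenge(clonePriv, s.Challenge("alice"))))
}
```

The activation code is compared in constant time and deleted on success, on expiry, and when the retry limit is hit, so the same code can never be replayed; the alphabet above deliberately omits the easily confused characters 0, O, 1 and I, a common choice when users type the code by hand.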

  3. Safeguarding User Credentials in a Dangerous Digital World

Strong policies are essential for protecting credentials from several different attacks and phishing schemes. However, this can be difficult, especially for password policies, which differ across organizations. Mobile authentication solutions can help in this area, accommodating these policy differences through the use of push notifications.

For example, a push notification can be triggered immediately after a successful password entry. Or, the user could be required first to take additional steps to authenticate their identities, such as entering their device PIN/password or a biometric marker.

  4. Protecting Sensitive Data by Ensuring Secure Communications

Sensitive data can be intercepted when it moves through insecure channels, so encryption is required for all communication between users, mobile authentication solutions, and backend servers.

Before any message is exchanged, certificate pinning should be used to ensure the app talks only to the genuine server. Pinning restricts which certificates (in practice, which public keys) are valid for that server, establishing explicit trust between the app and its backend and reducing reliance on third-party certificate authorities. Pin the server’s public key rather than the leaf certificate, and ship a backup pin for the next key, so routine certificate renewal does not lock every installed app out.

TLS is critical for transport-level security. With TLS 1.2 or, preferably, TLS 1.3, every message shared between the authentication solution and the server is protected, as is any notification transmitted to the mobile device.

Information should also be encrypted within this secure tunnel to ensure message-level security. The best authentication solutions go a step further by not requiring any sensitive user data to be sent within the user’s push notifications. Instead, they ensure a private, secure channel between the app and the server.

The push carries only a reference; the app then retrieves the request’s context over that private channel, limiting the risk of exposure and compromise.

  5. Detecting and Blocking Real-Time Attacks

Attacks that exploit vulnerabilities before a patch exists (zero-days) keep growing, so every application needs real-time techniques for detecting and halting attacks rather than relying on patching alone.

One way to do this is with Runtime Application Self Protection (RASP), which establishes the controls and techniques for detecting, blocking, and mitigating attacks while an application runs. RASP also helps prevent reverse engineering and unauthorized application code modification and requires no human intervention to perform these functions.

It is also vital that solutions employ a multi-layered defense.

This minimizes the probability that bypassing any single control will lead to a breach. These layers include:

  • Code obfuscation: Makes decompiled code far harder for a human to read while leaving the program’s behavior unchanged, raising the cost of reverse engineering.
  • Tamper detection: Integrity checks on the app binary, its resources, and its property list (.plist) files, backed by platform mitigations such as ASLR and stack-smashing protection, give assurance that neither the app nor its environment has been modified and that its functionality has not been changed.
  • Jailbreak and emulator detection: Lets organizations define and enforce policies about which devices are trustworthy, and which are not.

  6. Streamlining Authentication Lifecycle Management

To limit the damage if a cryptographic key or certificate is compromised, keys issued to devices are given finite lifetimes.

The shorter the lifetime, the smaller the window in which a stolen key is useful. Shorter key lifetimes, though, demand disciplined key management and renewal procedures that are strictly followed.

However, the solution for accomplishing this shouldn’t force users to constantly re-register for the service.

The answer? The latest authentication solutions make a key’s lifetime a configurable setting and let the server automatically renew a device’s keys before they expire. Eliminating explicit user intervention lets organizations follow security best practice without disrupting their customers’ service.
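Here is an added example of that silent renewal, written for this edit rather than taken from HID or any product: a server-side key registry in Go with a configurable lifetime and renewal window. On each contact the server checks whether the device’s key is inside the window; if so, the app generates a successor key and signs it with the key that is about to expire, proving that the request comes from the same device, and the server swaps the keys without any user action. Once a key has actually expired, renewal is refused and the user must go through provisioning again. The in-memory Ed25519 keys stand in for hardware-bound keys, and the user ID, durations and domain-separation string are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KeyRecord is the server's view of one enrolled device key and its finite lifetime.
type KeyRecord struct {
	Pub      ed25519.PublicKey
	NotAfter time.Time
}

// RenewalPolicy: how long a key lives and how far ahead of expiry the server
// starts a silent renewal on the app's next contact.
type RenewalPolicy struct {
	Lifetime      time.Duration
	RenewalWindow time.Duration
}

type Registry struct {
	policy RenewalPolicy
	keys   map[string]KeyRecord
}

func NewRegistry(p RenewalPolicy) *Registry {
	return &Registry{policy: p, keys: map[string]KeyRecord{}}
}

// NewDeviceKey stands in for key generation inside the Secure Enclave or TEE.
// Assumption: the private key is in memory here, not hardware-bound.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func (r *Registry) Register(userID string, pub ed25519.PublicKey, now time.Time) {
	r.keys[userID] = KeyRecord{Pub: pub, NotAfter: now.Add(r.policy.Lifetime)}
}

// KeyValid is the first check on every authentication: an expired key is dead.
func (r *Registry) KeyValid(userID string, now time.Time) bool {
	rec, ok := r.keys[userID]
	return ok && now.Before(rec.NotAfter)
}

// NeedsRenewal is evaluated on each contact with the app; true means the server
// instructs the app to roll its key now, with no user involvement.
func (r *Registry) NeedsRenewal(userID string, now time.Time) bool {
	rec, ok := r.keys[userID]
	return ok && now.Before(rec.NotAfter) && !now.Before(rec.NotAfter.Add(-r.policy.RenewalWindow))
}

// renewalMessage binds the successor key to the user and to this purpose, so a
// captured renewal cannot be replayed for another account or passed off as a login.
func renewalMessage(userID string, newPub ed25519.PublicKey) []byte {
	return append([]byte("device-key-renewal:v1:"+userID+":"), newPub...)
}

// ClientRenew is the app side: generate the successor key and sign it with the
// key about to expire, proving the request comes from the same device.
func ClientRenew(userID string, current ed25519.PrivateKey) (ed25519.PublicKey, ed25519.PrivateKey, []byte, error) {
	newPub, newPriv, err := NewDeviceKey()
	if err != nil {
		return nil, nil, nil, err
	}
	return newPub, newPriv, ed25519.Sign(current, renewalMessage(userID, newPub)), nil
}

// Renew accepts the successor only while the current key is still valid and the
// request is signed by it. Once the old key has expired, continuity is gone and
// the user must go through provisioning again, which the window exists to avoid.
func (r *Registry) Renew(userID string, newPub ed25519.PublicKey, sig []byte, now time.Time) error {
	rec, ok := r.keys[userID]
	if !ok {
		return errors.New("unknown device")
	}
	if !now.Before(rec.NotAfter) {
		return errors.New("key already expired: re-provisioning required")
	}
	if len(newPub) != ed25519.PublicKeySize || !ed25519.Verify(rec.Pub, renewalMessage(userID, newPub), sig) {
		return errors.New("renewal not signed by the current device key")
	}
	r.keys[userID] = KeyRecord{Pub: newPub, NotAfter: now.Add(r.policy.Lifetime)}
	return nil
}

func main() {
	reg := NewRegistry(RenewalPolicy{Lifetime: 30 * 24 * time.Hour, RenewalWindow: 7 * 24 * time.Hour})
	pub, priv, _ := NewDeviceKey()
	t0 := time.Now()
	reg.Register("alice", pub, t0)
	later := t0.Add(25 * 24 * time.Hour) // inside the final week of the key's life
	if reg.NeedsRenewal("alice", later) {
		newPub, _, sig, _ := ClientRenew("alice", priv)
		fmt.Println("renewed:", reg.Renew("alice", newPub, sig, later), "valid:", reg.KeyValid("alice", later))
	}
}
```

Signing the successor key with the outgoing key is what makes the renewal silent: it replaces the activation code of initial provisioning as the proof that the right device is asking. The renewal window should be long enough to cover a user who does not open the app for a while, since a key that lapses forces a re-registration.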

  7. Preventing Brute Force Attacks Aimed at Acquiring Login Information and Encryption Keys

Brute force attacks use trial and error to achieve their objectives. Unfortunately, these attacks are simple and effective enough to grow in popularity. To combat them, mobile authentication solutions use many different techniques.

Among the most effective is to enable organizations to customize settings according to their unique needs and policies. Examples include:

  • Delay locks: organizations can configure an escalating series of delays before a user may re-enter a PIN or password after a failed attempt.
  • Counter locks: the credential is invalidated after a set number of unsuccessful attempts.
  • Silent locks: organizations can choose to lock a user out, without any feedback, when a wrong PIN or password is entered, so an attacker cannot tell a lockout from a wrong guess.

Third-Party Audits and Certifications Are Key Indicators to Help Make the Right Decision

No security strategy is complete without third-party audits and certification of compliance. These help ensure that an authentication solution is secure and can protect the organization in today’s fast-changing landscape with rapidly evolving threats.

Internal reviews should verify the solution against a set of security controls drawn from industry standards such as the OWASP Mobile Security Project’s Mobile Application Security Verification Standard (MASVS).

External penetration audits and certifications — like the Certification de Sécurité de Premier Niveau (CSPN), awarded by the French National Agency for the Security of Information Systems (ANSSI) — can certify the solution’s robustness based on a conformity analysis and rigorous intrusion tests.

Securing the consumer mobile authentication journey across its complete lifecycle, from device registration through credential management and all recommended security audits and certifications, is not a simple proposition.

It requires organizations to carefully consider their risks, learn how to implement and leverage device-level security features that make mobile authentication and transaction signing secure, and apply the proper controls and protocols.

Only then can they deploy solutions that protect them and their consumers within today’s ever-expanding threat landscape.


Adrian Castillo

Adrian Castillo is a Pre-Sales Engineer at HID Global and brings over 21 years of experience in public key infrastructure, identity management and authentication protocols for enterprise and cloud. He has been involved with infrastructure and application integration ranging from native to Web to mobile. Over the years he has had roles in professional services, product management and engineering where he managed various innovation projects to bring additional value to our customers. Adrian is part of the HID team working with the FIDO Alliance to improve security online by reducing the world’s reliance on passwords.