Username/password is dead – Mobile is the new identity

I don’t think username/password can last much longer as the primary means of authentication on the web.  Rampant phishing has made it all too common for unsuspecting “normals” (and even those who are more tech savvy) to inadvertently open themselves up to malicious purchases, or to a flood of spam emails and social network comments sent from their account.  It’s only going to get worse as phishers get more and more sophisticated.

One way to slash the number of successful phishing attempts would be for B2C sites to start adding mobile-based authentication as part of their login process on top of the usual username/password combo.

Yes, this would negatively affect the user experience, as the user would need to provide more info than username and password at login, but it would reduce the attack surface of a typical internet user dramatically.

With this type of authentication scheme, when you log in with your username/password pair, your phone is called if the combo is correct.  At that point your cell phone rings, and you need to pick up and press a button to show that you are indeed the person who just entered that username/password.  This is a powerful concept because if the phisher doesn’t have your phone, he/she can’t do any damage.

For added security, a site could also use the phone authentication to protect certain critical operations post-login (e.g. a mass delete, a message to a large number of contacts, a purchase above a certain pre-set threshold).
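As an added illustration of the scheme described above (not code from the original post), here is the server side of both steps: a password check that, on success, opens a phone challenge the user must confirm from the telephony channel, and a post-login step-up that reopens a challenge for purchases above a threshold. The user store, the threshold value and the `PhoneAuth` class are constructed for the example.

```python
import hmac, hashlib, secrets, time

# Constructed demo user store: one user with a PBKDF2 password hash and a registered phone.
_SALT = b"constructed-salt"
def _hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 200_000)

USERS = {"alice": {"pw": _hash_pw("correct horse"), "phone": "+1-555-0100"}}
PURCHASE_THRESHOLD = 100.0  # assumed per-user limit; purchases above it ring the phone again

class PhoneAuth:
    """Server side of the post's scheme: password first, then a phone call the user must answer."""
    def __init__(self, ttl=60):
        self.ttl = ttl
        self.pending = {}   # challenge id -> (user, purpose, expiry)
        self.sessions = {}  # session id -> user

    def _challenge(self, user, purpose):
        # The challenge id goes to the telephony side, which rings USERS[user]["phone"];
        # the browser never sees it, so a phisher holding only the password cannot confirm it.
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = (user, purpose, time.time() + self.ttl)
        return cid

    def login(self, user, pw):
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], _hash_pw(pw)):
            return None
        return self._challenge(user, "login")

    def phone_confirmed(self, cid):
        """Callback from the phone channel: the user picked up and pressed the key."""
        entry = self.pending.pop(cid, None)  # single use
        if entry is None or time.time() > entry[2]:
            return None
        user, purpose, _ = entry
        if purpose == "login":
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = user
            return sid
        return purpose  # "purchase": the held operation may now complete

    def purchase(self, sid, amount):
        """Post-login step-up: purchases above the threshold need a fresh phone confirmation."""
        user = self.sessions.get(sid)
        if user is None:
            return "denied"
        if amount <= PURCHASE_THRESHOLD:
            return "completed"
        return ("confirm-by-phone", self._challenge(user, "purchase"))
```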

No consumer site has tried to “sell” me this kind of two-factor authentication lately as part of their user experience.  However, if that site is buying or selling anything on my behalf, I’m open to a slightly more clunky user experience in order to add another layer of protection.

There are companies that provide two-factor authentication as a service, but clearly it is not terribly popular in the consumer web or B2C world (or maybe just with the sites I use, as I never bump into it).

Is the user experience so poor that it’s not worth implementing these solutions?  Basic two-factor auth is not that hard to build, so I can’t imagine it is a technology issue (or a cost issue, if working with a third-party web service that provides this functionality).  Or do the consumer sites themselves and their customers not really see phishing as an existential threat?

It seems intuitive that mobile and/or multi-factor authentication (e.g. phone + username/password + something else) is a big area of opportunity given the current trends in phishing and security, but maybe I am missing something.

What am I missing? :)


4 comments
  1. All well-stated and, we believe, representative of the current situation. Without some form of two-factor authentication (“2FA”) the likelihood of account violation will increase through time. We do think, however, that there is a more secure form of 2FA using mobile devices through SMS.

    2FA via SMS isn’t a new idea, but the implementation of it in reverse is. There is a fundamental flaw in the currently available forms of 2FA via SMS which also applies to the method the author suggests here (receiving a phone call to authenticate identity). That is, simply, that inbound calls and messages can be intercepted through a cloned or spoofed phone.

    That cannot happen, however, in the reverse, when an SMS is sent FROM the device. Every wireless device in the world has a unique device identifier (referred to in the mobile industry as a “UDID”) and this identifier is sent as part of the message when an SMS is sent. Without the UDID matching the cell phone number – which can ONLY happen if the device is legally registered to that number by the carrier – the message simply will not go through. And if it doesn’t, authentication will not occur.

    In short, 2FA will become increasingly essential. The use of a mobile-generated SMS as that 2FA methodology is highly secure, simple for any consumer web site to implement and less expensive than every other available 2FA solution on the market.

    Scott Goldman
    CEO – TextPower, Inc.

  2. Hi John,
    Yes – I agree with Scott that the mobile (smartphone) will become THE device for 2FA in the future. Why? Because you don’t go anywhere without it and because it is easy to use. Also passwords are now redundant – they are hard to remember and they are easy to hack.

    Our take on the application of the security is a variation on the theme proposed by Scott. The process of authentication using Live Ensure happens as follows:

    The user logs onto the site or app using an SSO/OpenID or user name (note we don’t require the user to enter a password). This initiates the delivery of a QR code to the user’s browser.
    The user then opens the app on his device – then merely points their device (iOS/Android/Windows) at the screen to which we have delivered a QR code and he scans the code. This communicates back to the site that the user is legit and they are authenticated. The session can proceed securely.

    From the user’s perspective they don’t have to do anything more than they did before apart from open the app on their phone and scan the code. It is simple and strong. The key difference with Scott’s solution is that we don’t use the SMS channel (for a variety of reasons). If you are interested to find out more why not go to the site and try the demo. (http://www.liveensure.com)

    Thank you
    Ross Macdonald CEO Live Ensure

    1. Ross, thanks for sharing. I’m finding there are a variety of solutions to address this problem. I’m curious what you think of the UX implications of a 2FA solution. It seems so simple yet there are few sites that actually implement it. When will we hit the inflection point when users will demand 2FA from the key websites with which they interact?
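Added example, not code from the original post or from Live Ensure (whose internals the comment above does not describe): a generic server side for the QR-scan flow Ross outlines, where the site issues a single-use nonce in the QR code, the enrolled phone app answers it with an HMAC under a per-device key, and the browser session is bound only on a valid answer. `SITE_ID`, the `DeviceKeyAuth` class and the HMAC construction are assumptions of this example.

```python
import hmac, hashlib, secrets

SITE_ID = "example-shop"  # assumed site identifier bound into every challenge

class DeviceKeyAuth:
    """Server side of a QR-scan second factor: the browser shows a nonce, the enrolled
    phone app signs it with its per-device key, and the server binds the session on success."""
    def __init__(self):
        self.device_keys = {}  # user -> secret shared with the app at enrolment
        self.challenges = {}   # nonce -> user (pending, single use)
        self.sessions = {}     # session id -> authenticated user

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key  # provisioned into the phone app once, out of band

    def start_login(self, user):
        """The user gave a username (or SSO identity) but no password: issue the QR payload."""
        if user not in self.device_keys:
            return None
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = user
        return f"{SITE_ID}:{nonce}"  # this string is what the QR code encodes

    @staticmethod
    def app_sign(device_key, qr_payload):
        """What the phone app computes after scanning; SITE_ID in the payload stops
        a code captured from one site from being answered for another."""
        return hmac.new(device_key, qr_payload.encode(), hashlib.sha256).hexdigest()

    def finish_login(self, qr_payload, user, sig):
        """Verify the app's response; the nonce is burned whether or not it succeeds."""
        site, _, nonce = qr_payload.partition(":")
        pending = self.challenges.pop(nonce, None)
        if site != SITE_ID or pending is None or pending != user:
            return None
        expected = self.app_sign(self.device_keys[user], qr_payload)
        if not hmac.compare_digest(expected, sig):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid
```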
