We have reached “max MFA” – what is the alternative?

Multi-factor authentication (MFA) has been in use for around 20 years and emerged as a logical way to reduce the threat of cyberattacks and online fraud. But as technology has evolved, so has the sophistication of cybercriminals, and several long-established MFA methods no longer provide the protection they once did.
The current security paradigm involves layering increasing levels of security complexity onto users, but consumers and employees have had enough of navigating through endless requirements in order to try and improve online security. Shouldn’t security be something that “just works”?
We now live in a mobile-first world
As was predicted years ago, more people now have access to a smartphone than to running water. Most MFA solutions were created for a desktop world in which fraud was comparatively rare, but we now live in a mobile-first world where fraud has been industrialized.
Cybercrime is soaring (now powered by AI), and users have had enough of the increasing hassle and complexity – they have effectively reached ‘maximum MFA’ and businesses can no longer afford the costs and resource demands of this inefficient model.
For mobile-first markets, and for businesses that already rely heavily on mobile (for customer apps or remote employees), a new security paradigm is needed. One that is mobile native and takes the user out of the security equation.
The many forms of MFA requirements placed on users
Over the years, consumers and employees across industries from banking and e-commerce to healthcare have been subjected to MFA in many forms. Those forms are a stark reminder of how much security complexity has been pushed onto users, creating friction and a fragmented user experience.
- Security questions: questions and answers typically chosen by the user. They are a knowledge factor only, prone to being forgotten, frequently guessable from public information or social media, and susceptible to phishing.
- SMS One-Time Password (OTP): the most prevalent form used today, but it rides on a messaging protocol that was never designed for security. It is exposed to SIM swap fraud (an attacker persuades the carrier to move the victim's number onto a SIM they control and receives the codes), to interception of the message in transit, and to real-time phishing in which the victim types the code into an attacker's page that relays it. It also carries high operating costs and a poor user experience.
- Time-Based One-Time Password (TOTP): typically forces users to download additional software such as an authenticator app, creating a fragmented user experience. The code is derived from a shared secret and the clock, so it is valid whichever page asks for it: TOTP offers no protection against real-time phishing or against malware on the device.
- Hardware security keys: physical devices such as USB key fobs. Modern keys (FIDO/U2F) bind each response to the requesting site, so anything captured by a phishing page is useless elsewhere. They can, however, be lost or stolen, and plugging in or tapping a key is a clunky experience for mainstream users.
Image: Barclays PIN Sentry card reader, and instructions for accessing a bank account using a grid card.
- Card readers: heavily deployed by banks in the 2010s, these gadgets are another hallmark of the desktop era: the customer inserts a chip-and-PIN card into a stand-alone reader to generate a one-time code. Thankfully most of them can now be found at the bottom of a desk drawer.
- Grid cards: challenging customers for the code printed at a given row and column of a card was a test of patience, another clunky method that, while cost effective for a bank, set a new low for user experience.
- Biometric authentication: face and voice matching performed remotely is now a target for AI deepfakes and other adversarial AI techniques. Used on-device, where the biometric only unlocks a key held in the phone's secure hardware, and combined with a possession factor (the phone itself), biometrics still provide a strong security layer.
In a world where the mobile phone is increasingly the primary computing device, keeping users happy means making online identity verification seamless as well as secure.
Introducing Mobile Identity
The alternative is to add a Mobile Identity layer: hardware-based possession-factor security that is invisible to the user.
Mobile Identity uses the mobile number as the identity credential and authenticates it with the cryptographically secure hardware possession factor already present in every mobile phone, the SIM card. The SIM holds a secret key that never leaves it and is used in the network's own challenge-response authentication, so there is nothing for the user to do and no additional hardware to carry.
Mobile Identity creates a phishing-resistant binding between the identity credential and the mobile device, with no one-time codes sent by email or SMS for a user to read out or type into the wrong page. The underlying mechanism is core to the way mobile networks operate, relies on cryptography already deployed to over 5 billion handsets, and is completely invisible to the user. As with any possession factor, the assurance it gives rests on the operator's controls over who can be issued a SIM for a given number, so operator-side checks on recent SIM changes remain part of a sound deployment.
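To make concrete why a code the user types in (the SMS and TOTP cases above) can be relayed by a phishing page while a response computed on the device against the site it actually sees cannot, here is an added illustrative model in Python. It is not code from this page or from any vendor, and it is not the SIM's network authentication: an HMAC over a device-held key stands in for any hardware possession secret, the origin strings and the RFC 6238 test key are assumptions for the illustration, and the phishing site is simulated in-process.

```python
"""Constructed model: a relayed one-time code versus a device-bound response.

Added illustration only. The HMAC-based device key stands in for any
hardware-held possession secret; the origin string stands in for whatever
identifies the relying party the device believes it is talking to.
"""
import hashlib
import hmac
import secrets
import struct

GENUINE_ORIGIN = "https://bank.example"          # assumed: the real site
PHISH_ORIGIN = "https://bank-login.example"       # assumed: look-alike site


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the secret and
    the clock, so it is equally valid no matter which page asked for it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def bound_response(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Device answers a challenge while mixing in the origin it is actually
    talking to. The key never leaves the device, and the answer is useless
    at any other origin."""
    msg = origin.encode() + b"\x00" + challenge
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class RelyingParty:
    """The genuine service: holds the user's enrolled secrets and verifies."""

    def __init__(self, origin: str, totp_secret: bytes, device_key: bytes):
        self.origin = origin
        self.totp_secret = totp_secret
        self.device_key = device_key
        self.outstanding: set[bytes] = set()   # challenges issued, not yet used

    def verify_totp(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, unix_time))

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.outstanding.add(challenge)
        return challenge

    def verify_bound(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False                        # replayed or never issued
        self.outstanding.discard(challenge)     # single use
        expected = bound_response(self.device_key, challenge, self.origin)
        return hmac.compare_digest(expected, response)


def phish_totp(rp: RelyingParty, victim_totp_secret: bytes, unix_time: int) -> bool:
    """Attacker's page asks the victim for the current code and relays it."""
    stolen_code = totp(victim_totp_secret, unix_time)   # victim types it in
    return rp.verify_totp(stolen_code, unix_time)


def phish_bound(rp: RelyingParty, victim_device_key: bytes) -> bool:
    """Attacker fetches a real challenge, forwards it to the victim's device
    and relays the answer. The device computes it for the origin it sees."""
    challenge = rp.new_challenge()
    relayed = bound_response(victim_device_key, challenge, PHISH_ORIGIN)
    return rp.verify_bound(challenge, relayed)


def legitimate_bound(rp: RelyingParty, device_key: bytes) -> bool:
    """The same device, talking to the genuine origin, authenticates fine."""
    challenge = rp.new_challenge()
    return rp.verify_bound(challenge, bound_response(device_key, challenge, rp.origin))


def demo() -> dict:
    totp_secret = b"12345678901234567890"       # RFC 6238 test-vector key
    device_key = secrets.token_bytes(32)        # constructed device secret
    rp = RelyingParty(GENUINE_ORIGIN, totp_secret, device_key)
    return {
        "totp_relayed_accepted": phish_totp(rp, totp_secret, 59),
        "bound_relayed_accepted": phish_bound(rp, device_key),
        "bound_legitimate_accepted": legitimate_bound(rp, device_key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The relayed TOTP is accepted because nothing in the code says where it was entered; the relayed bound response is rejected because the device folded the phishing origin into its answer, and the challenge is consumed on first use so it cannot be retried. The same property is what a possession factor rooted in the phone's hardware is meant to deliver without the user typing anything.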
For more information, schedule a demo with our team and learn how we can help you move to a mobile identity based solution.