Authentication devices: are two better than one?

Simon Rodway | 07 February 2018

At the end of 2017, two researchers at the University of Erlangen-Nuremberg in Germany discovered a weakness in the software that is used to protect 31 of the country’s mobile banking apps. As a result of this weakness, the researchers were able to successfully authenticate a transfer of money out of a banking account without the account holder’s permission. The researchers are now arguing strongly against the use of a single device in authentication. Their message is that if a device is compromised, everything undertaken on that device is also compromised.

Two’s a crowd

Their suggested solution to this problem is not a new one: use more than one device for authentication. This may be a solid security strategy, but requiring your mobile banking users to start carrying around a separate authentication device will not exactly delight them. The mobile banking market is a competitive one, and convenience and user-friendliness are among the top priorities for customers. Security solutions that introduce complexity and friction, such as hardware tokens, often frustrate more than they protect, causing a reduction in fraud but also a reduction in revenue (due to abandoned transactions). Is there a possibility of using a single device for authentication without compromising on security? 

What makes the use of a single device for authentication so risky is the fact that the first authentication factor (often a password) and the second authentication factor (say, a one-time password) are entered via the same channel. If a fraudster gains access to this channel, therefore, they gain access to both of these pieces of information, effectively putting them in the same chair as the banking user. When the fraudster then modifies this information while still making the user and the bank think they are talking to each other, it’s called a man-in-the-middle (MITM) attack. This is essentially what the researchers from Erlangen-Nuremberg managed to do.

A package deal

It’s true that using a separate authentication device guards against these attacks. But so does employing a separate, out-of-band channel on the original device, and securing that channel through additional measures such as certificate pinning. What is more, the mobile device offers a level of convenience that no hardware token ever could. In the right implementation, a phone-as-a-token authentication system represents the way of the future: security that protects the customer and makes their life easier at the same time.
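To make the certificate-pinning measure mentioned above concrete, here is an added example (not code from the post or from Entersekt) of how a mobile app's out-of-band channel can refuse to talk to anyone but the bank's own endpoint, even when an interposed party presents a certificate that passes ordinary chain validation. The host name, port and the three sample "certificates" are constructed for this illustration; pins are SHA-256 fingerprints of the DER-encoded leaf certificate, and a backup pin is kept so that certificate rotation does not lock users out.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over a DER-encoded certificate (the value an app would pin)."""
    return hashlib.sha256(cert_der).hexdigest()


def matches_pin(cert_der: bytes, pins: Iterable[str]) -> bool:
    """True only if the presented certificate's fingerprint equals one of the pins.

    Each comparison is constant-time so timing does not reveal how much of a
    pin a substituted certificate happened to match.
    """
    fp = fingerprint(cert_der)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str]) -> ssl.SSLSocket:
    """Open the out-of-band TLS channel and drop it unless the leaf cert is pinned.

    Standard chain validation and host-name checking still run first via
    ssl.create_default_context(); the pin is an additional check on top, which
    is what stops an interposing party holding a valid-but-different certificate.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
    if not matches_pin(leaf, pins):
        tls.close()
        raise ssl.SSLError(f"certificate presented for {host} matches no pin")
    return tls


# Constructed stand-ins for DER certificate bytes, used to exercise the pin
# check offline. In a real app the pins are shipped inside the app bundle and
# rotated together with the bank's certificates.
BANK_CERT = b"constructed-der-bytes:bank-oob-endpoint:current"
BANK_BACKUP_CERT = b"constructed-der-bytes:bank-oob-endpoint:backup"
INTERPOSED_CERT = b"constructed-der-bytes:chain-valid-but-not-the-bank"

PINS = {fingerprint(BANK_CERT), fingerprint(BANK_BACKUP_CERT)}

if __name__ == "__main__":
    print("current bank cert accepted:  ", matches_pin(BANK_CERT, PINS))
    print("backup bank cert accepted:   ", matches_pin(BANK_BACKUP_CERT, PINS))
    print("interposed cert rejected:    ", not matches_pin(INTERPOSED_CERT, PINS))
    # connect_pinned("oob.example-bank.invalid", 443, PINS)  # constructed host; needs network
```

Pinning the leaf certificate (rather than the public key) is the simpler variant and is what the sample above does; it means every certificate renewal must ship a new pin, which is why the backup pin exists. The check belongs on the channel the user confirms transactions over, so that a compromised primary channel cannot quietly redirect the confirmation step as well.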

Cybercriminals are looking to the mobile device with increasing intensity, but this should not rule out the option to interact with the bank from a single device. After all, customers are also attached to their mobile devices with increasing intensity – making the mobile channel the perfect platform for combining security and convenience.

About the author

Simon Rodway

Pre-sales solution consultant, UK
