At the end of 2017, two researchers at the University of Erlangen-Nuremberg in Germany discovered a weakness in the software that is used to protect 31 of the country’s mobile banking apps. As a result of this weakness, the researchers were able to successfully authenticate a transfer of money out of a banking account without the account holder’s permission. The researchers are now arguing strongly against the use of a single device in authentication. Their message is that if a device is compromised, everything undertaken on that device is also compromised.

Two’s a crowd

Their suggested solution to this problem is not a new one: use more than one device for authentication. This may be a solid security strategy, but requiring your mobile banking users to start carrying around a separate authentication device will not exactly delight them. The mobile banking market is a competitive one, and convenience and user-friendliness are among the top priorities for customers. Security solutions that introduce complexity and friction, such as hardware tokens, often frustrate more than they protect: they reduce fraud, but they also reduce revenue through abandoned transactions. Is there a way to use a single device for authentication without compromising on security?

What makes the use of a single device for authentication so risky is that the first authentication factor (often a password) and the second authentication factor (say, a one-time password) are entered via the same channel. If a fraudster gains access to this channel, they therefore gain access to both pieces of information, effectively putting them in the same chair as the banking user. When the fraudster then modifies this information while still making the user and the bank believe they are talking to each other, it is called a man-in-the-middle (MITM) attack. This is essentially what the researchers from Erlangen-Nuremberg managed to do.

A package deal

It’s true that using a separate authentication device does guard against these attacks. But so does employing a separate, out-of-band channel on the original device, and securing that channel through additional measures such as certificate pinning, so that a proxy inserted between the app and the bank cannot impersonate the bank even with a certificate the device would otherwise trust. What is more, the mobile device offers a level of convenience that no hardware token ever could. In the right implementation, a phone-as-a-token authentication system represents the way of the future: security that protects the customer and makes their life easier at the same time.

Cybercriminals are looking to the mobile device with increasing intensity, but this should not rule out the option to interact with the bank from a single device. After all, customers are also attached to their mobile devices with increasing intensity – making the mobile channel the perfect platform for combining security and convenience.

Simon Armstrong

VP: product

Simon Rodway is an experienced software solutions designer and architect who supports Entersekt’s solutions teams in delivering best-in-class services for our clients. His expertise and knowledge take Entersekt’s solutions from strength to strength across the world. His extensive global experience in the information technology and software development industries ensures a refined industry perspective in growing Entersekt’s presence across the world.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.