Multi-Factor Authentication (MFA) with Online Services
November 15, 2011
To strengthen authentication and gain higher levels of assurance that ‘you are who you say you are’, banking and other secure service providers have moved towards the use of Multi-Factor Authentication. Multi-factor authentication refers to the use of more than one factor to authenticate identity.
Typically, three factors are available for multi-factor authentication:
- Something you have, such as a key, credit card, driving license or passport;
- Something you know, such as a password, PIN, shared secrets or personal information;
- Something you are, a biometric.
In a multi-factor authentication process, two or more factors are used to increase the assurance that you are who you say you are. For example, withdrawing cash from an ATM uses a multi-factor authentication process: you need to have a valid bank card (something you have) and you need to know the PIN (something you know). A point-of-sale debit card transaction also involves a multi-factor authentication process. You need to present a valid debit card (something you have) and you need to enter a PIN (something you know) to complete the transaction.
MFA Limitations with Online Services
The problem with online services, such as telephone and Internet services, is that the number of factors available for authentication is inherently limited. Online services rely heavily on knowledge, such as PINs and passwords (something you know), and are less reliant on something you have, such as cards. Internet banking transactions, for example, are secured using a single factor, your PIN (something you know), making these transactions inherently less secure and hence more susceptible to fraud. Online credit card transactions are even more vulnerable, being a zero-factor authentication. Online credit card purchases rely on you entering valid credit card information, and that is it. There is no check to confirm that you are indeed the legitimate owner of the credit card and that it is you authorizing the transaction. This makes online credit card fraud one of the most significant issues for the expansion of online services.
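The factor model above, and the single- and zero-factor online cases just described, can be checked mechanically. The following is an added example (not code from the original post): it classifies each presented credential by factor and counts distinct factors, which also shows why two credentials of the same class (a password plus security questions) still give only single-factor authentication. The scenario names and the treatment of typed card details as proving no factor follow the post's own examples and are constructed here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Factor(Enum):
    HAVE = "something you have"   # key, card, passport
    KNOW = "something you know"   # password, PIN, shared secret
    ARE = "something you are"     # biometric


@dataclass(frozen=True)
class Credential:
    name: str
    # None models data that proves none of the three factors: the post
    # treats card details typed into a web form as zero-factor, since they
    # show neither possession of the card nor the identity of the cardholder.
    factor: Optional[Factor]


def distinct_factors(creds: List[Credential]) -> Set[Factor]:
    """Set of factor classes actually demonstrated by the credentials."""
    return {c.factor for c in creds if c.factor is not None}


def factor_count(creds: List[Credential]) -> int:
    """Count distinct factors: two credentials of one class count once."""
    return len(distinct_factors(creds))


def is_multi_factor(creds: List[Credential]) -> bool:
    """True only when at least two different factor classes are present."""
    return factor_count(creds) >= 2


# Constructed scenarios mirroring the post's examples.
ATM_WITHDRAWAL = [Credential("bank card", Factor.HAVE), Credential("PIN", Factor.KNOW)]
INTERNET_BANKING = [Credential("PIN", Factor.KNOW)]
ONLINE_CARD_PURCHASE = [Credential("card number, expiry and CVV typed in", None)]
# Two knowledge credentials: commonly mistaken for MFA, but still one factor.
PASSWORD_PLUS_QUESTIONS = [
    Credential("password", Factor.KNOW),
    Credential("security questions", Factor.KNOW),
]

if __name__ == "__main__":
    for label, creds in [("ATM", ATM_WITHDRAWAL), ("Internet banking", INTERNET_BANKING),
                         ("Online card purchase", ONLINE_CARD_PURCHASE),
                         ("Password + questions", PASSWORD_PLUS_QUESTIONS)]:
        print(f"{label}: {factor_count(creds)} factor(s), MFA={is_multi_factor(creds)}")
```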
Online transactions are also vulnerable to ‘man in the middle’ attacks, false websites, etc. Telephone transactions are subject to ‘phishing’, social engineering, and the like.
Mandating MFA Security for Online Services
So worried are the banking and financial regulatory authorities that many are now mandating multi-factor authentication to enhance security in on-line services. Singapore, Hong Kong, USA and many European jurisdictions are now mandating multi-factor authentication to secure on-line services.
In the USA, the Federal Financial Institutions Examination Council (FFIEC) recently issued guidelines that direct financial institutions to improve systems for online authentication by the end of 2006. The FFIEC guidelines note “that single-factor authentication, which typically involves submitting only a password and/or a personal identification number (PIN), often fails to protect online banking users. Instead, FFIEC recommended that financial institutions seek multi-factor authentication solutions.”
However, Banking Technology News (August 2006) cites an Aite Group survey indicating that in the US, “only 57 percent of financial institutions will have multi-factor authentication for on-line banking in place before 2007, and only another 24 percent expect to be on board the following year. Five percent had no plans under way to conduct a risk assessment, the minimum first step the FFIEC expects.”
The US banking and financial services market remains available for multi-factor authentication solutions.