What Is Phone-Based Multi-Factor Authentication?
Authentication, the process by which a system identifies a user, is considered one of the weakest points in computer security today. We very often hear about a computer breach or an incident of compromised credentials; a recent one was the LinkedIn case. With upcoming technologies like cloud computing, the risk has grown manifold.
Authentication systems that rely only on user names and passwords are subject to a number of vulnerabilities, which has led to discussion of using passphrases instead of passwords. For a more detailed discussion one may refer to
Usage of passphrases has its own pros and cons, but as per my personal opinion using passphrases increases the risk of mis-typing and getting your account locked. Hence it is not a concrete solution.
Let us remain focused on Multi-factor authentication as a more secure way. Multi-factor authentication adds a critical second layer of security to user logins and transactions. It works by requiring any two or more of the following:
• Something you know (typically a password)
• Something you have (a trusted device that is not easily duplicated)
• Something you are (biometrics)
Even if an attacker manages to learn the user’s password, it is useless without also having possession of the trusted device. Conversely, if the user happens to lose the device, the finder of that device won’t be able to use it unless he or she also knows the user’s password.
Until recently, the predominant multi-factor authentication system has been security tokens, like RSA’s SecurID. Security tokens rely on a hardware token that generates a One-Time-Passcode (OTP). The user is required to enter the OTP into the login screen to verify that they have possession of the trusted device.
While security tokens provide an additional level of security over single-factor authentication, they have proven to be cumbersome for IT departments and end users. In addition, more sophisticated threats have emerged that can defeat security tokens.
Phone-based authentication systems leverage the user's telephone as the trusted device for the second factor of authentication. Cellphones are extremely difficult to duplicate and phone numbers are extremely difficult to intercept. The combination of the phone and a username/password yields strong, multi-factor authentication with minimal impact on the user experience.
The phone is an inherently user-friendly device and is accessible for users with disabilities. Everyone knows how to use a phone, so no end user training is required. Since security tokens must be provisioned, mailed and replaced, they require significant IT resources to deploy and support. With phone-based authentication, there are no devices to deploy. It can be quickly enabled for large numbers of geographically diverse users and is cost-effective to set up and maintain.
By leveraging the user’s existing phone, Phone-Based Multi-Factor Authentication provides unmatched convenience for users and additional security features, like PIN mode, voiceprint, and transaction verification.