
Think You’re Protected by Two-Factor Authentication? Think Again

As we move more aspects of our lives online, our expectations around the speed, ease and accessibility of online services continue to grow. For those offering those services, financial institutions in particular, that expectation has to be balanced against the necessities of security. Accounts are constantly under attack, and validating identity online is critical to keeping customers safe, especially where high-value and frequently targeted financial data is involved. To do this, many financial institutions and industry groups have moved beyond basic passwords and PINs to two-factor authentication (2FA) to increase security and prevent fraud. But even with two-factor authentication in place, fraud continues to grow at an alarming rate.

Two-Factor Authentication is comprehensive in theory, not in reality

Two-factor authentication builds on the traditional username and password, requiring users to enter an additional one-time code, usually sent to the user’s phone by SMS or automated call, every time they log in. In theory, if a person’s username and password are compromised, a would-be identity thief could enter the stolen username and password but would not be able to supply the code that was sent to the user’s phone.

Unfortunately, this form of two-factor authentication is nowhere near as secure as it first seemed. While phone-delivered codes have remained largely unchanged since 2012, fraudsters have spent the last five years developing more sophisticated ways of bypassing the added security. For users who still entrust their safety to this kind of two-factor authentication, the security blanket is wearing thin.

Two-Factor Authentication leaves consumers exposed

So long as a user’s security relies on a code, or even a call, delivered to a phone number, the second factor is really the phone number itself, and whoever controls that number controls the factor. Indeed, as two-factor authentication has become standard in the past few years, remote phone hijackings have more than doubled [1], and fraudsters have developed a variety of other inventive avenues of attack.

One such attack involves social engineering, in which a hacker tricks a victim into sending them private credentials via phishing emails or SMS messages, or assembles a profile of the victim from the various social media accounts they use online. And while hackers have a plethora of data to harvest from public social media accounts, the sheer volume of sensitive data exposed by frequent breaches across industries and companies makes hackers’ social engineering efforts even easier. Armed with enough personal information to pass the carrier’s identity checks, the hacker contacts the victim’s cell provider and asks to have the number moved to a new SIM or device (a SIM swap, or port-out). If the hacker succeeds, every code or call for that number now arrives on the hacker’s device, giving them access to all accounts the victim has linked to that phone number via two-factor authentication.

Alternatively, fraudsters can attempt a man-in-the-middle attack, in which a hacker tricks the victim into entering sensitive information on an impostor website set up to mimic the real one. By entering their information on the fake site, such as a fake online banking login screen, the victim unknowingly hands their credentials to the hacker. If the fake site forwards those credentials to the real site as they are typed, the real site sends the victim a genuine one-time code; the victim enters it on the fake page, and the hacker relays it before it expires. The code therefore proves nothing about which site the user is actually on, and the hacker ends up logged in to the victim’s bank account on the real website.
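To make concrete why a code delivered to a phone number helps against neither of the two attacks above, here is an added Python simulation. It is example code written for this edit, not BioCatch’s, Microsoft’s or any real bank’s login flow. It models a bank that sends a six-digit SMS code, a carrier that routes SMS to whichever device currently holds the number, and the two attacks: a SIM swap and a real-time phishing relay. For contrast it also models a challenge-response factor whose signature covers the site origin the browser is really on, which is what phishing-resistant second factors do instead. All account names, phone numbers, secrets, origins and message formats are constructed, and the HMAC “signature” is a stand-in for a real authenticator keypair.

```python
import hashlib
import hmac
import secrets

ALICE_DEVICE_KEY = b"alice-device-secret"   # constructed; stands in for an authenticator keypair


class Carrier:   # stand-in for the mobile carrier: which device holds each number
    def __init__(self, owners):
        self.owners = dict(owners)   # phone number -> device name
        self.inbox = {}              # device name -> delivered SMS texts

    def deliver(self, phone, text):
        self.inbox.setdefault(self.owners[phone], []).append(text)

    def port_number(self, phone, new_device):   # the outcome of the social-engineering call
        self.owners[phone] = new_device

    def latest_sms(self, device):
        return self.inbox.get(device, [None])[-1]


def sign(device_key, challenge, origin):
    """Toy authenticator signature: HMAC over the challenge AND the origin the browser is on."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class Bank:
    ORIGIN = "bank.example"

    def __init__(self, carrier):
        self.carrier = carrier
        self.passwords = {"alice": "hunter2"}            # constructed sample account
        self.phones = {"alice": "+15550001111"}
        self.device_keys = {"alice": ALICE_DEVICE_KEY}
        self.pending_codes, self.pending_challenges = {}, {}

    # Password plus SMS code: the 2FA the text describes.
    def start_login(self, user, password):
        if self.passwords.get(user) != password:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[user] = code
        self.carrier.deliver(self.phones[user], code)   # to whoever holds the number now
        return True

    def finish_login_with_code(self, user, code):
        expected = self.pending_codes.pop(user, None)   # single use
        return expected is not None and hmac.compare_digest(expected, code)

    # Origin-bound challenge/response: what a phishing-resistant factor does instead.
    def issue_challenge(self, user):
        self.pending_challenges[user] = secrets.token_hex(16)
        return self.pending_challenges[user]

    def finish_login_with_assertion(self, user, assertion):
        challenge = self.pending_challenges.pop(user, None)
        if challenge is None:
            return False
        expected = sign(self.device_keys[user], challenge, self.ORIGIN)  # bank's own origin
        return hmac.compare_digest(expected, assertion)


def fresh_world():
    carrier = Carrier({"+15550001111": "alice-phone"})
    return Bank(carrier), carrier


def sim_swap_attack(stolen_password="hunter2"):
    """Attacker has the password and has talked the carrier into porting Alice's number."""
    bank, carrier = fresh_world()
    carrier.port_number("+15550001111", "attacker-phone")
    if not bank.start_login("alice", stolen_password):
        return False
    return bank.finish_login_with_code("alice", carrier.latest_sms("attacker-phone"))


def phishing_relay_attack():
    """Fake site relays the password at once; the genuine code reaches Alice, who types it into the fake page."""
    bank, carrier = fresh_world()
    if not bank.start_login("alice", "hunter2"):          # password typed into the fake page
        return False
    return bank.finish_login_with_code("alice", carrier.latest_sms("alice-phone"))


def phishing_relay_vs_origin_bound():
    """Same relay against the origin-bound factor: the signature covers the look-alike origin."""
    bank, _ = fresh_world()
    challenge = bank.issue_challenge("alice")              # relayed verbatim by the fake site
    assertion = sign(ALICE_DEVICE_KEY, challenge, "bank-login.example")
    return bank.finish_login_with_assertion("alice", assertion)


def legitimate_origin_bound_login():
    bank, _ = fresh_world()
    challenge = bank.issue_challenge("alice")
    return bank.finish_login_with_assertion("alice", sign(ALICE_DEVICE_KEY, challenge, Bank.ORIGIN))
```

Both `sim_swap_attack()` and `phishing_relay_attack()` return True: from the bank’s side the code it receives is exactly the one it issued, so there is nothing to reject. `phishing_relay_vs_origin_bound()` returns False because the thing being signed includes where the user actually is, which the relay cannot change, while `legitimate_origin_bound_login()` still returns True.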

Security must be effective – and seamless

Even with more advanced forms of two-factor authentication that can potentially avoid these pitfalls, the extra steps required are enough of a hindrance to stop most people from using it. In fact, one victim of a phone hijacking admitted to having uninstalled a two-factor authentication app shortly before losing $8,000 to a hacker, simply because it was too annoying to use [2].

Between inherent security flaws and too much added complexity, it’s obvious that two-factor authentication is not an ideal fraud prevention solution. One alternative that has been gaining steam is behavioral biometric technology, a system that is based on a user’s unique behaviors.

While behavioral biometrics isn’t a new concept, today’s behavioral biometric technology goes much further by using machine learning and AI to continuously learn about a user over time. More robust systems analyze over 2,000 traits to judge a user’s authenticity, determining how well the user knows the information they’re inputting and the interface they’re using by measuring hand-eye coordination, pressure, hand tremors, and more.

By recognizing a user through their unique mannerisms, behavioral biometrics removes the risk that comes with any authenticator that can be stolen, no matter how carefully it’s guarded: there is no code or token to hand over. On top of that, behavioral biometric technology provides users with continuous authentication throughout their online journey, not just a single security checkpoint at the beginning of an online session. And unlike two-factor authentication, behavioral biometrics provides this security without adversely affecting the user experience.

Transform your identity proofing and fraud prevention today

BioCatch is a behavioral biometric technology solution that distinguishes between real users and impostors by analyzing how users act, and not by relying on what users know. BioCatch uses Microsoft Cloud technology to detect and recognize many security threats, including malware, robotic and aggregator activity and remote access threats to stop fraud in real-time, providing continuous authentication from login to logout.

To learn more about how BioCatch will transform your identity proofing and fraud prevention, while minimizing customer friction, try the demo on Microsoft AppSource.


[1] The New York Times, “Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency”, 2017

[2] Medium, “How to Lose 8k Worth of Bitcoin in 15 Minutes with Verizon and Coinbase”, 2017