2FA For FinTech: Best Practices

Updated: Nov 11, 2021

Strong customer authentication necessarily forms the backbone of any fintech application and it is common to make use of multi-factor authentication (MFA) to provide additional levels of security to protect any transaction from being compromised.

What is multi-factor authentication?

Multi-factor authentication (MFA) encompasses three types of authentication: knowledge (something you know), possession (something you have) and inherence (something you are). Other authentication methods became necessary when passwords could no longer withstand sophisticated hacker attacks.

Global Knowledge describes the three recognized types of authentication factors:

  1. Type 1 – Something You Know – includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.

  2. Type 2 – Something You Have – includes all items that are physical objects, such as keys, smartphones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.)

  3. Type 3 – Something You Are – includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.

Why don't use SMS for 2FA and MFA?

One of the more common forms of additional authentication used by financial institutions is phone-based SMS messages (something you know), which function as a second level of security on top of requiring a password.

Though still prevalent, there is more and more evidence against using SMS in two-factor authentication (2FA) because it has not proved to be a secure medium of authentication. Studies are finding that the main issue with using SMS in 2FA is that the cell phone providers themselves and their network are vulnerable to phishing, spoofing, and social engineering.

Protectimus identifies the main SMS 2FA weakness as its dependency on the cell phone service provider. It explains:

“The practice of reusing mobile phone numbers is a distinctive risk. If your one-time password (OTP) is delivered via SMS, all the hackers need to do is get the ownership of your phone number. A criminal impersonates their target and convinces the provider the user’s phone is lost so the number needs to be transferred. Doing this is not as hard as you might think.”

Another issue, it says, is that it is easy to infect a smartphone with malware and intercept the OTP SMS through the phone’s internet connection.

A study conducted by the Department of Computer Science and Centre for Information Technology Policy at Princeton University confirms the risks associated with using SMS as a 2FA. The study, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, notes that, although this means of authentication is ubiquitous as a second factor or account recovery method, it does expose customers to “severe risks”.

It says attackers can intercept SMS passcodes “in a number of ways”, including “surveilling the target’s mobile device or stealing the passcode with a phishing attack”. The most widely reported method for intercepting phone-based authentication passcodes, according to the researchers, is a SIM swap attack. They explain that by making an unauthorized change to the victim’s mobile carrier account, the attacker diverts service, including calls and messages, to a new SIM card and device that they control.

The authors say they hope the findings of the study will see providers “phase out insecure configurations and properly educate users about the risks of SMS MFA.”

Positive Technologies also engaged in an exercise to highlight how easy it is to comprise the security of SMS’s. They hacked into a bitcoin wallet by intercepting text messages and exploiting flaws in the mobile phone company. In so doing, they managed to reset the password to the Gmail account and take control of the Coinbase wallet.

In an article titled Why 2FA SMS is a Bad Idea, Justin Channel says that weak 2FA is in some ways worse than no 2FA at all.

“In the case where SMS- or phone-based authentication is the only option offered by a service, it’s actually safer to skip 2FA. A good password policy will be the best option in this case.”

Despite these flaws, however, SMSs are still regularly used by financial institutions as a second layer of authentication. However, fintechs, whose business propositions rely on the security of their offerings, need to take this evidence seriously and begin implementing the other available, and far more secure alternatives to SMS as a 2FA, which include hardware, software, IP, GPS or biometric authentication.

Strong customer authentication methods