Guest author Maxim Oliynyk is co-founder of Protectimus, an OATH-certified two-factor authentication solution.
You have probably already heard it said: Important information needs to be kept as secure as possible, especially if it is stored online.
But you cannot rely on a regular login and password for that. Such credentials can easily be observed, guessed or obtained through one of hundreds of hacking tricks. Fortunately, there are more effective data protection methods, one of which, two-factor authentication, has been tested over a long period of time and by millions of users.
Today, virtually every resource that can be used to store valuable information offers users the option of activating two-factor authentication (2FA) for their accounts, from social networks and online games to mail servers and, naturally, banking and payment systems. We access these accounts more and more often from our mobile devices, which therefore need extra protection from malicious attacks. Unfortunately, users tend to view extra safeguards as tedious and ignore them, leaving themselves vulnerable.
However, new 2FA approaches are emerging that could help bring more protection, without the extra burden. The idea: Use the mobile device you’re trying to protect as the security token itself.
There are numerous ways to implement two-factor authentication, each with its own pros and cons.
Most often, one-time passwords (OTP) are provided via SMS messages. On one hand, it’s very convenient. But there’s a flip side to it:
- The company incurs additional expenses because each SMS message costs money.
- A third party is involved in the authentication process (SMS gateway).
- Sometimes it takes up to several minutes to receive an SMS message, which is not always convenient for the customer and gives a potential attacker more time to intercept the message.
Other systems use hardware tokens in the form of key chains, flash drives or bank cards, as well as OTP delivery via email. Hardware tokens are relatively reliable, but it is not always convenient to carry them with you. They can be lost, left behind, and require constant attention. The shortcomings of OTP delivery via email are virtually the same as those of SMS authentication.
In the face of inconveniences like these, users often forego the additional account protection, seeing two-factor authentication as a burden. But, with new technologies such as iPhones, Android smartphones, and smartwatches, there’s a new, more convenient one-time password generation method.
My company has been working on CWYS (Confirm What You See), a data signing function that is an all-new development in the sphere of transaction security. Implemented as a mobile app, alongside other features, it uses phones and smartwatches to help protect users against such cyber threats as automated transfers, recipient replacement and data modification.
How Confirming What You See Can Help
Until very recently, attackers were able to bypass two-factor authentication using certain types of malware.
Here's how it often plays out: once the malware has injected itself into the system, it waits for the moment when a user initiates a legitimate transfer, at which point it shows the user a pop-up window with a message requesting, for example, that the user wait while data is being verified.
During this time, the injected code performs actions hidden from the user that result in funds being transferred to a drop account. If an OTP or PIN is required, the malware shows the user a fake password request page under another (fraudulent) pretext. The unsuspecting user enters the valid code, and the automated transfer system uses the data obtained to complete the transaction.
With CWYS enabled, the OTP-generation process uses not only the secret key and the time or challenge, but also the transaction details, such as the transfer amount, currency and recipient. The code the user generates is therefore bound to the transaction the user actually saw and confirmed: even if the password is intercepted, it will be of no use to the hacker for a modified transfer.
Safeguarding Gadgets And Their Users
Since people spend more and more time with their phones and watches, mobile devices seem like a natural area on which to focus security efforts.
Approximately two billion people, a quarter of the entire population of this planet, are already using smartphones. In the U.S., Europe, China, Japan and India, the share of people owning Android or iOS smartphones exceeds 50%. More than a third of the world's population is expected to be using smartphones by 2017.
Developing OTP tokens for smartphones offers several advantages:
- The OTP-generation algorithm can be chosen (counter-based, challenge-response based on the server's request, or time-based).
- The application can be additionally protected with a PIN code.
- The length of the one-time password can be chosen (6 or 8 characters).
- Several tokens can be created on one device.
- No battery needs replacing, which is often the case with hardware tokens.
- The application can be installed on Android smartwatches.
- Data signing (CWYS) protects against the latest threats, such as automated transfers and recipient replacement.
Two-factor authentication technologies continue to develop at a prodigious rate. Vendors driving two-factor authentication take into account the latest trends in electronics, analyze potential customers' requirements and offer the most convenient solutions.
This is crucial work, particularly on our most-used gadgets. The industry must find ways to popularize two-factor authentication on them by making it both secure and convenient. That is the best way to ensure better protection of every Internet user's personal information.
Note: Due to an editing error, an earlier version of this article included material that violated ReadWrite’s guest-post guidelines. The article has been updated.
Lead photo by Yuri Samoilov