Passwords and PINs predate the first moon landing, yet we still rely on them to access personal and professional devices and applications. Why is that a problem? They can be, and often are, intercepted and stolen. Every time we type a username and password combination into a website or application, we transfer that information over the internet. And so hackers create fake sites that mimic legitimate login pages. They send fake “password reset” emails to users to steal credentials. They even use a type of malware called a keylogger that records keystrokes and reports usernames, passwords, security questions and other login information back to cybercriminals.
Out-of-band multifactor authentication (MFA) helps solve these problems by combining a possession-based authentication token, such as a phone, with a communication channel that is completely separate from the one used to initiate the login. When a user enters his or her login information on a computer, a notification is sent to that user’s previously registered phone, with a prompt to enter a secret number into the computer. In this way, even a fraudster who has the username and password will still not be able to complete a successful login without possession of the phone.
Phone-based out-of-band authentication (or phone-as-a-token) is appealing because most people already own a mobile phone. Phone-as-a-token is more secure than passwords and more convenient than carrying around a USB dongle to use as the out-of-band token.
Out-of-band authentication must evolve to include biometrics
Possession-based phone-as-a-token is a step in the right direction, but it still isn’t enough. Possession, like the knowledge of a password or PIN, can still be transferred. A lost or stolen smartphone becomes a liability since the physical device is functionally a token.
Furthermore, NIST has “deprecated” the use of SMS text messages for out-of-band authentication under “Special Publication 800-63-3 Authentication and Lifecycle Management.” Their argument is that SMS messages and phone calls are too easy to redirect to another registered device. Hackers can compromise the carrier account through standard phishing tactics and malware (e.g., stealing the username and password, keyloggers). If this happens—and it has—the out-of-band token becomes about as effective as a stolen password at securing the account.
For even stronger security, a second factor can be used in conjunction with the possession-based approach: something the user is. A phone can be stolen and a registered number can be altered or redirected, but a live biometric sample like a face or voice cannot be taken away. Liveness detection mechanisms and the use of multiple modalities make sure of that. Biometrics enhance out-of-band authentication so that a login can only occur when the face and/or voice of the authorized user is physically present.
Biometric MFA in practice
Biometric out-of-band authentication works similarly to traditional out-of-band authentication. With each login attempt, an authentication challenge is sent to the registered device. The only difference is that the challenge is a biometric scan instead of a secret code. The user doesn’t just need to prove that he or she has the device, but that he or she is the authorized user.
Mobile biometric authentication using face and voice does require smartphones with cameras and microphones, as well as the processing power to handle one-to-one biometric matching. But this technology is native to the vast majority of the leading smartphone models.
When employees attempt to access an enterprise application via web browser, they enter their usernames as usual. A notification is then pushed to their registered mobile device. Possession of that device is the first “test.” The second challenge is that the user must complete a biometric sample capture to prove that he or she is the person in possession of the device at the time of the login attempt. This has three key benefits:
- It makes it extremely difficult for fraudsters to acquire illicit access to corporate applications.
- An un-requested login notification indicates attempted fraud.
- It helps securely address the fact that enterprise workers often access systems via multiple locations and endpoints.
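The push-based flow just described, as an added example written for this page rather than any vendor's code: the server issues a fresh, expiring, single-use challenge when the username is entered, the phone performs the face/voice match locally and returns only a signed "user verified" result, and the server accepts the login only if the signature matches the enrolled device, the challenge is still pending and the biometric check passed. A per-device HMAC secret shared at enrollment stands in for the asymmetric device key a FIDO-style deployment would use, and the 60-second lifetime is an assumed policy value.

```python
import hashlib, hmac, json, time

CHALLENGE_TTL = 60  # seconds a pushed challenge stays valid (assumed policy value)

def _payload(challenge, user_verified):
    # Canonical bytes both sides sign: challenge id, nonce, origin and the biometric result.
    return json.dumps({"challenge_id": challenge["challenge_id"], "nonce": challenge["nonce"],
                       "origin": challenge["origin"], "user_verified": user_verified},
                      sort_keys=True).encode()

class OutOfBandServer:
    def __init__(self, origin):
        self.origin = origin
        self.devices = {}   # username -> per-device secret shared at enrollment (assumed model)
        self.pending = {}   # challenge_id -> {"user", "nonce", "issued"}

    def enroll_device(self, username, device_secret):
        self.devices[username] = device_secret

    def start_login(self, username, now=None):
        """Step 1: username typed in the browser; a fresh challenge is pushed to the phone."""
        if username not in self.devices:
            return None
        challenge = {"challenge_id": hashlib.sha256(json.dumps([username, now, len(self.pending)]).encode()).hexdigest()[:32],
                     "nonce": hashlib.sha256(json.dumps([username, now, time.time()]).encode()).hexdigest(),
                     "origin": self.origin}
        self.pending[challenge["challenge_id"]] = {"user": username, "nonce": challenge["nonce"],
                                                   "issued": time.time() if now is None else now}
        return challenge

    def complete_login(self, challenge_id, response, now=None):
        """Step 2: verify the phone's signed approval. True only for a pending, unexpired,
        single-use challenge signed by the enrolled device with the biometric check passed."""
        record = self.pending.pop(challenge_id, None)  # single use: consumed even on failure
        if record is None:
            return False  # unknown or replayed; an approval with no pending login is a fraud signal
        now = time.time() if now is None else now
        if now - record["issued"] > CHALLENGE_TTL:
            return False
        challenge = {"challenge_id": challenge_id, "nonce": record["nonce"], "origin": self.origin}
        expected = hmac.new(self.devices[record["user"]], _payload(challenge, response["user_verified"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False
        return response["user_verified"] is True

def device_approve(device_secret, challenge, biometric_passed):
    """Runs on the phone: the face/voice match and liveness check stay local; only the
    result and a signature over the challenge travel back to the server."""
    sig = hmac.new(device_secret, _payload(challenge, biometric_passed), hashlib.sha256).hexdigest()
    return {"user_verified": biometric_passed, "signature": sig}
```

The nonce and challenge id are derived from hashes here only to keep the block free of extra imports; a real server would draw them from a CSPRNG such as `os.urandom`.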
The use cases are nearly endless
The beauty of biometric out-of-band authentication is that it’s mobile. It goes where it’s needed. This makes it incredibly useful for consumers, but also for enterprise users, who increasingly work from outside the office but don’t want the hassle of caring for a USB-based token, or the risk that they don’t have it when they need it.
Today’s enterprise biometrics solutions integrate well with leading identity and access management platforms, and can enable either device-centric (e.g. FIDO Certified) or server-centric implementations. Biometric enrollment is user-friendly but secure thanks to the use of liveness detection and multiple modalities.
Likewise, out-of-band biometric authentication can be useful in most consumer markets, and not just the obvious candidates such as banking. For example, imagine a world where pharmacy customers can opt to receive an out-of-band text message that prompts for facial recognition when they attempt to pick up a prescription. The added convenience and security of biometric authentication makes for a virtually endless list of use cases, from the enterprise to healthcare, retail, insurance, banking, and beyond.