SMS OTPs were a good solution, but they are long past their prime. GSM authentication offers a more robust alternative, according to Lincoln Naicker, Product Manager at Entersekt.
“Businesses need to look for better and stronger authentication methods if they are to meet their obligations to protect customers and their data. GSM authentication offers a truly out-of-band, application-less secondary factor that is both low and easy to implement. For businesses looking to protect all of their customers from fraud, GSM authentication is a great solution.”
He says that for many years, SMS OTPs have been the preferred second-factor authentication mechanism, largely for convenience. “Almost everyone has a cell phone, which is always with them, and everyone knows about texting.”
However, he says the tipping point at which the security risks posed by SMS OTP technology outweighed user familiarity was reached some time ago.
“The SMS channel is not considered the most secure for many reasons. Our phones are susceptible to a number of Trojans which exploit open access to SMS on mobile phones specifically to intercept OTPs. In addition, mobile SIM exchanges or SIM clones can also considerably devalue this mechanism as an authentication option,” explains Naicker.
He says reducing SIM swap fraud is the reason for GSM authentication. The method turns the real device into a unique identifier, communicating directly with that device via real-time push notification over the mobile network.
Using a separate authentication channel makes it more difficult for a malicious actor to intercept and subvert the authentication process – as in the case of a man-in-the-middle attack – as the attacker would have to compromise two communication channels.
GSM is also simpler, as customers do not need to register, he adds. An authentication message is automatically transmitted to their mobile phone when they attempt an interaction with their institution that must be authenticated.
Naicker says that Entersekt has grown its offering to include patented technologies as well as direct integration with local mobile network operators (MNOs).
The customer sees a deny or accept message when about to connect or perform a sensitive transaction, but in the background, Entersekt applies complex algorithms that verify the identity of the device and can also see if a SIM card has been swapped recently. This information will be reported to the institution, warning it of a potentially risky transaction.
“It fits into the security of today’s businesses, which must do everything in their power to prevent fraud and protect their customers,” he says.
Businesses that don’t want to force their users to download another app, or want a secure fallback authentication method in the event their app crashes, can also rely on GSM authentication as an improvement option.
He says this authentication method is ideal for SA organizations. “The USSD functionality means customers don’t need to have a smartphone. This is great for businesses where inclusiveness is a high priority, especially healthcare, financial services, and even government services.”