Top six barriers to implementing MFA over the phone


Multi-factor authentication, commonly known as MFA, is considered a stronger authentication method for protecting user accounts. However, there are practical challenges that prevent its widespread adoption.

MFA is an authentication technique used as an additional layer of security for user accounts. It goes beyond the first factor of authentication, usually a username and password, that most consumer-facing businesses rely on.

Depending on the industry and applicable regulatory or compliance needs, MFA can be used in several variations, such as:

  • A simple OTP (One Time Password) sent to the phone number or email address the user shared, to verify that the user controls it.
  • Passive checks based on information collected around a piece of PII, such as a phone number.
  • Live video verification.

In recent years, more and more organizations are moving towards a combination of active and passive MFA. This allows them to passively assess the associated risk based on an anchor, typically a phone number, and then actively challenge the user with an OTP to prove possession of it. This technique is becoming popular because it serves businesses well and lets them participate in the passwordless strategy that the world is heading towards.

Benefits of MFA over the phone:

Telephone signals are often strongly correlated with fraudulent intent. As a result, they are widely used for authentication purposes. Some of the signals generally used to flag account-recovery abuse, fake account creation, and similar attacks include:

  • SIM swap events
  • Porting history
  • Deactivation events

In addition, the data that telecom operators collect at the point of registration, such as name and address, is used to meet strong customer authentication (SCA) requirements.
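The active-plus-passive pattern described above (passively score the phone-number anchor from carrier signals such as SIM swaps, porting and deactivation, then actively challenge with an OTP to prove possession) is illustrated by the following added example. It is not code from the original post or from Arkose Labs; the signal field names, weights, time windows and thresholds are assumptions chosen for illustration, and it goes slightly beyond the text by also refusing to send an OTP at all when the passive score is very high. The OTP side shows the checks a practitioner would expect: only an HMAC of the code is stored, codes expire, are single-use, and lock after a few wrong guesses so a 6-digit code cannot be brute-forced within its lifetime.

```python
# Added example (not from the original post): passive phone-signal risk scoring
# followed by an active OTP possession check. Signal names, weights and
# thresholds are assumptions for illustration, not any real carrier's scoring.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class PhoneSignals:
    """Carrier-sourced signals for one number (assumed field names)."""
    sim_swapped_at: Optional[datetime]  # last SIM change, if reported
    ported_at: Optional[datetime]       # last port-in/port-out, if reported
    deactivated: bool                   # number deactivated or recycled


SIM_SWAP_WINDOW = timedelta(days=7)   # assumed: a fresh swap is the strongest signal
PORT_WINDOW = timedelta(days=30)      # assumed: a recent port is a weaker signal


def passive_risk(signals: PhoneSignals, now: datetime) -> tuple:
    """Score 0-100 from telephone signals alone, with no user interaction."""
    score, reasons = 0, []
    if signals.deactivated:
        score += 60
        reasons.append("number deactivated")
    if signals.sim_swapped_at and now - signals.sim_swapped_at <= SIM_SWAP_WINDOW:
        score += 50
        reasons.append("SIM swapped within 7 days")
    if signals.ported_at and now - signals.ported_at <= PORT_WINDOW:
        score += 30
        reasons.append("number ported within 30 days")
    return min(score, 100), reasons


def decision(score: int) -> str:
    """Map the passive score to an action (thresholds are assumptions)."""
    if score >= 80:
        return "deny"       # too risky to even send an OTP to this number
    if score >= 25:
        return "challenge"  # active step: prove possession via OTP
    return "allow"


class OtpStore:
    """Short-lived, single-use SMS-style codes. Only an HMAC of each code is
    kept, so a dumped store reveals no live codes; wrong guesses are counted
    so a 6-digit code cannot be brute-forced within its lifetime."""

    def __init__(self, server_key: bytes, ttl: timedelta = timedelta(minutes=5),
                 max_attempts: int = 3) -> None:
        self._key, self._ttl, self._max_attempts = server_key, ttl, max_attempts
        self._pending = {}  # phone -> (code digest, expiry, failed attempts)

    def _digest(self, phone: str, code: str) -> bytes:
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str, now: datetime) -> str:
        """Mint a code for out-of-band delivery (SMS/voice) and return it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (self._digest(phone, code), now + self._ttl, 0)
        return code

    def verify(self, phone: str, code: str, now: datetime) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires, fails = entry
        if now > expires or fails >= self._max_attempts:
            self._pending.pop(phone, None)  # expired or locked: a new code must be issued
            return False
        if hmac.compare_digest(digest, self._digest(phone, code)):
            self._pending.pop(phone, None)  # single use: replaying the same code fails
            return True
        self._pending[phone] = (digest, expires, fails + 1)
        return False


def run_demo() -> dict:
    """Run constructed sample numbers through the passive step, then the active step."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    cases = {
        "clean": PhoneSignals(None, None, False),
        "recent_port": PhoneSignals(None, now - timedelta(days=10), False),
        "swap_and_deactivation": PhoneSignals(now - timedelta(days=1), None, True),
    }
    out = {name: decision(passive_risk(sig, now)[0]) for name, sig in cases.items()}
    store, phone = OtpStore(secrets.token_bytes(32)), "+15555550100"  # constructed number
    code = store.issue(phone, now)
    wrong = "000000" if code != "000000" else "111111"
    out["otp_wrong"] = store.verify(phone, wrong, now)
    out["otp_right"] = store.verify(phone, code, now + timedelta(minutes=1))
    out["otp_replay"] = store.verify(phone, code, now + timedelta(minutes=1))
    code = store.issue(phone, now)
    out["otp_expired"] = store.verify(phone, code, now + timedelta(minutes=6))
    code = store.issue(phone, now)
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(3):
        store.verify(phone, wrong, now)
    out["otp_locked"] = store.verify(phone, code, now)  # right code, but locked out
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real deployment the carrier lookups behind `PhoneSignals` are the expensive, fragmented part the rest of this post is about; the scoring and OTP handling are the cheap part, which is why the failure modes worth testing here are the OTP ones (expiry, replay and lockout).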

Hurdles of MFA over the phone:

Despite its authentication strength, implementing phone-based MFA faces a number of hurdles, described below:

Telephone data correlated with fraudulent intent is not ubiquitous. Given the regionalization of telecom operators, hundreds of partnerships with individual operators are required to access this data, which can often take years of effort.

Telecom operators are not always sophisticated with their data pipelines. Therefore, even with an agreement in place, it is not always possible to obtain the information without substantial effort and several years of system upgrades on the operators' side.

Given the effort required by telecom operators to make the data available directly, the data is almost always expensive. This results in lower transaction volumes, and in turn a fragmented understanding of the end user. Because consumer companies orchestrate calls to these vendors, more often than not the vendors cannot accurately predict the true risk associated with the end user. This is a lose-lose situation for carriers, vendors and consumer companies alike.

Privacy regulation plays an important role, since the data processed is PII (Personally Identifiable Information). Some of the laws that limit the ubiquitous use of this data are:

  • RTBF – The right to be forgotten (right to erasure) in the GDPR (EU) can require a provider to delete an end user's personal data, removing it from the mix used to identify fraud.
  • Don't Sell My Information – Opt-outs of this kind (for example under the CCPA) prevent a carrier from sharing data about an individual. Sophisticated fraudsters use this opt-out to evade identification.
  • Data regionalization – While not as big a burden as the first two, the inability to centrally cross-reference data creates a significant barrier to identifying fraudulent intent. To top it off, several other countries, such as India and Australia, are moving towards their own data localization laws.

Consumers in several countries, especially in EU countries such as Germany, are extremely cautious about using phone numbers to sign up for new digital accounts. This consumer reluctance can prevent businesses from understanding what good user behavior looks like, creating opportunities for scammers to hide in the mix.

While making data available for identification and fraud prevention purposes is a great monetization tactic for carriers, the number of breaches, general consumer sentiment about privacy, and ever stricter privacy laws have made more and more telecommunications companies skeptical of this activity. This has also contributed to the problem of data fragmentation.

These challenges of implementing multi-factor authentication over the phone are real, making it an expensive and time-consuming proposition.

Protect the sanctity of user accounts

The sanctity of digital user accounts cannot be compromised. Digital businesses therefore need a solution that can help them quickly protect user accounts against evolving attack tactics, without disrupting their digital experience. While MFA over the phone remains a valuable tool in the fight against fraud, it is not a silver bullet to solve all user authentication problems. On the contrary, it can be complemented by a solution that offers a dynamic and flexible approach.

Arkose Labs leverages its network data to assess underlying user intent, which eliminates reliance on third parties and speeds up the authentication process. Additionally, analysis of hundreds of device attributes combined with advanced machine learning models helps identify and stop fraudsters. Based on a real-time risk assessment, inbound users are presented with appropriate 3D challenges. Good users may not even see them and continue their digital journey, while automated bots and scripts instantly fail. Persistent and malicious humans face an endless stream of challenges that keep increasing in volume and complexity. This targeted friction wastes attackers' time and effort and bankrupts the business model of fraud, forcing the attackers to give up and move on.

To learn more about Arkose Labs’ cost-effective, user-centric approach to fighting fraud, book a demo now.

*** This is a Security Bloggers Network syndicated blog from Arkose Labs and written by Ashish Jain. Read the original post at: https://www.arkoselabs.com/blog/top-six-hurdles-in-implementing-phone-based-mfa/

