
Why mobile authentication IS NOT and WILL not cut it


Quite a bit of discussion came up after my article on Double Octopus and TokenOne, who both rely on mobile authentication. For the uninitiated, mobile authentication is the use of a mobile phone for primary or secondary authentication/logon.


So here are my top reasons that mobile authentication will not cut it:


Reason 1: No one uses it today, even though all the big companies have mobile authentication systems
Google Authenticator is the most widely distributed and used mobile authentication app, but look for it in the app stores' top downloads lists. It does not appear in the top 200 list for any market. And using the rule that there are 1,000 downloads for every comment, it's a dead man walking. On top of that, I downloaded Google Authenticator, so I count as a download, but I only used it once. It feels like getting my keys out every time I want to go on a website. I wonder if any of the people touting mobile authentication have used it! Note: Google claims millions of downloads, but I can't find any place to verify this.


Reason 2: Not everyone has a phone, and not everyone with a phone has it with them all the time
According to PEW RESEARCH, only 77% of Americans have smartphones. Everyone can use a PIN. 1 out of 4 DO NOT have a smartphone. Sorry, but having to support multiple systems across any service, let alone a banking system, is too big an ask. It's unfair to even ask them to consider it.


Reason 3: Mobile authentication sounds good in principle, but is it really secure?
One of the rules of security is to have multiple factors in a secure authentication (i.e. two or more) drawn from a) something you know, b) something you have, c) something you are. A PIN is something you know and identifies the user. If your phone is something you have but there is no PIN, then you are only getting one factor, which is not good practice. Haventec Auth combines the user's PIN with a device-identifying rolling private key, so even though there is only one action the process is true multi-factor, AND if you use thumbprint biometrics to trigger your PIN then you can substitute the "something you are" factor for a little more convenience.
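As an added illustration of the point above (a constructed simulation written for this post, not Haventec's or any vendor's actual protocol), the Python below binds a stretched PIN (something you know) and a per-device rolling key (something you have) into one challenge proof, so a single user action still checks two factors; it then shows that a wrong PIN on an unlocked phone, and a stale copy of an old device key, each fail. All keys, salts and the PIN are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo salt; a real deployment would use a per-user random salt.
SALT = b"constructed-demo-salt"


def pin_secret(pin: str) -> bytes:
    """Stretch the 'something you know' factor so the raw PIN is never used directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)


def proof(pin: str, device_key: bytes, challenge: bytes) -> bytes:
    """One action (entering the PIN) binds both factors into a single proof."""
    return hmac.new(device_key + pin_secret(pin), challenge, "sha256").digest()


def roll(device_key: bytes, challenge: bytes) -> bytes:
    """Both sides advance the device key after every successful login."""
    return hmac.new(device_key, b"roll" + challenge, "sha256").digest()


class Verifier:
    """Server side: holds the stretched PIN and the current device key."""

    def __init__(self, pin: str, device_key: bytes):
        self._pin_secret = pin_secret(pin)
        self._device_key = device_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, candidate: bytes) -> bool:
        expected = hmac.new(self._device_key + self._pin_secret, challenge, "sha256").digest()
        if not hmac.compare_digest(expected, candidate):
            return False  # wrong PIN or wrong device key: nothing rolls
        self._device_key = roll(self._device_key, challenge)
        return True


class Device:
    """Phone side: holds only the device key; the PIN lives in the user's head."""

    def __init__(self, device_key: bytes):
        self.key = device_key

    def login(self, verifier: Verifier, pin: str) -> bool:
        challenge = verifier.new_challenge()
        ok = verifier.verify(challenge, proof(pin, self.key, challenge))
        if ok:
            self.key = roll(self.key, challenge)
        return ok


def demo() -> dict:
    key0 = secrets.token_bytes(32)          # constructed initial device key
    server = Verifier("4921", key0)         # constructed demo PIN
    phone = Device(key0)
    return {
        "pin_and_device": phone.login(server, "4921"),        # both factors: accepted
        "device_without_pin": phone.login(server, "0000"),    # unlocked phone, wrong PIN
        "stale_key_with_pin": Device(key0).login(server, "4921"),  # copied old key
        "legit_again": phone.login(server, "4921"),           # keys stayed in sync
    }


if __name__ == "__main__":
    print(demo())
```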


Additionally, security firm Sophos reports that 67% of smartphone users do not password- or PIN-protect access to their phones. This alarming figure means that anyone who can access a target's phone can log on without knowing anything except their account name. The more I write this, the more concerned I get. Even Google only uses mobile authentication as a secondary credential behind a username and a password, so using only phone authentication is pretty dangerous.


If you are going to use the "something you have" credential as your primary or even ONLY credential, then you need to use something that is a lot easier to protect than a phone that gets left on a desk, in a purse, or with a friend. Something small and constantly on your person... but that's for another blog and something I'm trying to talk my team into considering soon.

---- Quote from comment on Double Octopus vs Haventec article ----
I am not sure I 100% agree.

I think the elderly represent a very small percentage of a bank's customer base, and if they have needed to do a transaction over the last decade they have already encountered a dongle, an SMS or a push notification. Although I accept someone may have helped, they have already overcome this hurdle. The new elderly (i.e. people becoming elderly) have been using a mobile phone for a long time to FaceTime/WhatsApp family and friends and do banking transactions. I am also not sure they are the core target market for many other services that rely on authentication (i.e. Dropbox, Amazon, eBay, Instacart, Gmail etc.).

I think that the dongle was terrible, as you only needed it for a transaction. Today, people have their phone with them 24/7 for a wide range of reasons: calls, WhatsApp, Facebook, email etc. Plus they have been taught that it is a requirement for a banking transaction. As a result, using it as a step in authentication is not so scary if it actually solves the security flaws associated with the current methodologies out there. Secret Double Octopus seems to have removed most if not all of those security flaws. Not sure that sharing a computer matters with their solution; I can't see a reason why that would impact their implementation.

The thing I liked the most was how they balanced security and user experience. Not needing a 4-digit PIN per application was a big plus for me.

To be clear, I also very much like the Haventec solution and my comments are really just about the use of a phone in the process.

Cheers
G

----- End of quote -----