Creating Strong Mobile Authentication Security for Members
Learn how to overcome seven key challenges during the mobile authentication implementation process.
Credit unions and other financial services organizations are vulnerable to cyberattacks launched against their members. Multi-factor authentication (MFA) or Strong Customer Authentication (SCA) solutions provide a measure of defense, but there is debate about which options on the market are best. Mobile authentication solutions have gained popularity because of the convenient experience that mobile applications offer. However, these solutions must also be properly secured.
Attack volume soared to new heights as the world’s reliance on all things digital increased; in 2021, there was a new cyberattack every 39 seconds. The cost of cybercrime is also reaching ever more eye-popping amounts. It cost organizations $1 trillion in 2020 and is expected to top $10 trillion annually by 2025.
Today many mobile authentication applications have weaknesses that create vulnerabilities and invite further attacks. These include secure codes, also known as one-time passwords (OTPs), that are sent by SMS to consumers’ mobile phones. These have been targets of cyberattacks and no longer provide the safety that consumers seek. Another technology is push notification-based authentication, which gives organizations a more powerful combination of security, flexibility and usability. Push uses cryptographic techniques to link a specific device to its owner’s identity, preventing attackers from impersonating someone without physical access to the device. A simple request that asks the user to make a binary choice to either “approve” or “decline” the transaction is a more convenient and secure option than receiving an OTP via SMS and re-typing it into the phone.
The full mobile authentication lifecycle, which begins with registering the user’s device and provisioning secure credentials to it, presents challenges at every step. It is crucial that user credentials are protected and that secure communications are in place between users, the application and back-end servers. More importantly, it is imperative to maintain security throughout the member lifecycle and prevent large-scale attacks.
Several challenges lie within mobile authentication lifecycle implementation, including the following:
1. Registration and recognition of the user’s device.
Authenticating a person’s digital identity means recognizing if and when they are using their device. Attackers can impersonate the user by transferring their data into a real or virtual clone of the real mobile device. To protect the user’s device, anti-cloning technology can be used to make sure that no one can gain access through this type of fraudulent device.
For a strong authentication solution, it is best to stop cloning by securing individual keys with a unique device key issued during the provisioning process. This can be achieved through multiple layers of cryptographic protection.
2. Provisioning secure credentials.
The process of managing users’ identities and issuing credentials to their mobile devices must be secure and safe from cyberattacks.
In the mobile authentication process, public-key cryptography (which is based on a mathematically linked private/public key pair) is used to activate user devices. In this public/private pair, the private keys generated by the consumer’s device are considered secret. They never leave the device, so there is less chance a credential will be compromised.
When an exchange of secret key material is required between a mobile authenticator and the authentication server, two extra steps must be taken. These steps ensure a secure exchange of the secret key material between the client and server:
- The initial authentication of the user to establish a secure channel
- The establishment of the secure channel itself
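As an added illustration of the device-recognition and provisioning steps above (example code, not from the original article or from HID Global), the following Go program models both sides of the exchange: the device generates a P-256 key pair, only the public key is registered with the server, and each push approval is a signature over a fresh server nonce, so a clone that copied the device ID but not the private key is rejected. The device ID and transaction text are constructed sample values, and the message layout is my own choice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device models the handset; its private key is generated here and never leaves it.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

// Server keeps only the public half of each registered device's key pair.
type Server struct{ registered map[string]*ecdsa.PublicKey }

func NewServer() *Server { return &Server{registered: map[string]*ecdsa.PublicKey{}} }

// NewDevice generates the key pair on the device, as the provisioning step requires.
func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{ID: id, priv: priv}, err
}

// Register is the provisioning hand-over: the server learns the public key, nothing else.
func (s *Server) Register(d *Device) { s.registered[d.ID] = &d.priv.PublicKey }

// Challenge issues a fresh 32-byte nonce so each approval is single-use.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// digest binds device ID, nonce and transaction text into the message that is signed.
func digest(id string, nonce []byte, txn string) []byte {
	h := sha256.Sum256([]byte(id + "|" + txn + "|" + string(nonce)))
	return h[:]
}

// Approve is the user's "approve" tap: the device signs the challenge with its own key.
func (d *Device) Approve(nonce []byte, txn string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(d.ID, nonce, txn))
}

// Verify accepts only a signature made with the key registered under id; a clone with the same ID but no private key fails.
func (s *Server) Verify(id string, nonce []byte, txn string, sig []byte) bool {
	pub, ok := s.registered[id]
	return ok && ecdsa.VerifyASN1(pub, digest(id, nonce, txn), sig)
}
```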
3. Safeguarding user credentials.
It’s important for organizations to implement strong policies to combat different attacks and phishing schemes. With the best mobile authentication solutions, organizations can unify disparate password policies and support different verification methods, such as approving a push notification or entering a PIN/password or biometric marker.
4. Ensuring secure communications.
Sensitive data passes over insecure channels between users, the mobile authentication solution and back-end servers, so it must be encrypted at all times, and the client must verify that it is communicating with the correct server. For transport-level security, the TLS protocol can be relied upon: TLS 1.2 secures the transport layer so that every message exchanged between the authentication solution and the server, and any notification sent to the mobile device, is protected.
5. Blocking real-time attacks.
As zero-day vulnerabilities gain momentum, attacks need to be halted in real time by the application itself. Runtime Application Self-Protection (RASP) is a set of controls and techniques that detect, block and mitigate attacks made while the application is running, preventing reverse engineering and unauthorized code modification without human intervention. It is imperative to have multi-layered defenses in place to prevent dangerous breaches.
These could include code obfuscation, which makes decompiled source code harder for humans to read; tamper detection technologies such as ASLR, stack-smashing protection and property-list checks to ensure the application has not been compromised; and jailbreak and emulator detection, which enforces policies about which devices are and aren’t trustworthy.
6. Streamlining authentication lifecycle management.
The cryptographic keys and certificates issued to devices have finite lifecycles to decrease the risk of their compromise. The shorter the lifecycle, the more secure the key. With shorter lifecycles, the organization needs tight key management and renewal plans, backed by a solution that doesn’t force users to constantly re-register for the service. The best authentication solutions can determine the length of a key lifetime and enable the server to renew a device’s keys before expiration.
7. Preventing brute force attacks.
Brute force attacks are on the rise, and they use trial and error to guess login credentials and encryption keys. Cybersecurity researchers at the internet security company ESET detected 55 billion new brute-force attack attempts between May and August 2021, more than double the 27 billion attacks detected between January and April of the same year.
Mobile authentication solutions rely on a variety of different techniques to counteract this type of attack. Several effective techniques can be implemented, including the following:
- Delay locks set off an escalating series of delays when users enter the wrong PIN or password before retrying;
- Counter locks render passwords invalid after a certain number of unsuccessful attempts; and
- Silent locks give users no feedback when they enter the wrong PIN or password; they simply lock people out of the system.
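The three lock types above, as an added Go example that is not part of the original article: one PIN verifier switchable between delay, counter and silent locks, with the caller supplying the current time so the escalating delay schedule can be exercised without sleeping. The PIN, the five-attempt limit and the one-second base delay are constructed values.

```go
package main

import (
	"crypto/subtle"
	"time"
)

type LockPolicy int
const (
	DelayLock   LockPolicy = iota // escalating wait after each wrong PIN
	CounterLock                   // PIN invalidated after maxFailures wrong attempts
	SilentLock                    // same cut-off, but the caller is never told
)

const maxFailures, baseDelay = 5, time.Second

// Result is what the app is told. Under SilentLock only Accepted is ever set.
type Result struct {
	Accepted   bool
	RetryAfter time.Duration // DelayLock: wait before another attempt is even compared
	Locked     bool          // CounterLock: the PIN is now invalid
}

type PinVerifier struct {
	Policy      LockPolicy
	Pin         string // constructed sample; a real store keeps a slow hash, not the PIN
	failures    int
	lockedUntil time.Time
}

// Check applies the policy at time t; attempts made while locked are never compared.
func (v *PinVerifier) Check(attempt string, t time.Time) Result {
	if v.Policy != DelayLock && v.failures >= maxFailures {
		return Result{Locked: v.Policy == CounterLock} // SilentLock: looks like a miss
	}
	if t.Before(v.lockedUntil) { // DelayLock back-off still running
		return Result{RetryAfter: v.lockedUntil.Sub(t)}
	}
	if subtle.ConstantTimeCompare([]byte(attempt), []byte(v.Pin)) == 1 {
		v.failures = 0
		return Result{Accepted: true}
	}
	v.failures++
	if v.Policy == DelayLock { // 1s, 2s, 4s ... doubling per failure, capped at 2^10 s
		shift := v.failures - 1
		if shift > 10 { shift = 10 }
		wait := baseDelay << uint(shift)
		v.lockedUntil = t.Add(wait)
		return Result{RetryAfter: wait}
	}
	return Result{Locked: v.Policy == CounterLock && v.failures >= maxFailures}
}
```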
In summary, third-party audits and certification compliance reviews – internal and external – are the most effective way to ensure that authentication solutions are stable and secure. Internal reviews should verify the solution against a set of security controls based on the industry standard, the OWASP Application Security Verification Standard (ASVS).
Mina Nguyen is Regional Sales Manager at HID Global Consumer Authentication. HID Global is a provider of physical and digital identity verification solutions headquartered in Austin, Texas.