Phone as a Token Explained
Here’s How Soft Token Authentication Can Help You Save Money, Remove Friction, and Maintain Strong Security
Running a digital company in a world where cyberattacks are an everyday occurrence is a delicate balance.
Customers want a low-friction experience, but your business requires strong security, and in industries like banking, insurance, and healthcare, there are strict government regulations to consider.
With regard to the security and regulatory pressures, most organizations have realized the need for multi-factor authentication (MFA), which requires the customer to demonstrate a combination of knowledge (something they know), possession (something they have), and inherence (something they are).
But not all MFA is the same—in fact, far from it. Both the security and convenience of an interaction depend greatly on the particulars of your MFA implementation.
Inherence factors, otherwise known as biometrics, will typically offer both the strongest security and the best customer experience (since they’re fast, difficult to spoof, and can’t be lost or forgotten).
Conversely, knowledge factors like passwords and secret questions are typically the weakest security link and very often the biggest source of customer frustration.
But what about possession factors? Are they secure? Convenient? The answer to those questions depends largely on what—precisely—is being possessed.
The Age of Hard Tokens
Before smartphones were ubiquitous, most companies in search of a possession factor turned to dedicated hardware tokens (often referred to as “hard tokens” or “RSA tokens,” even though RSA is only one such provider of these).
Such devices present strong security (you’d have to physically steal the device to use it) but considerable drawbacks for the business and its users—namely the expense of issuing and re-issuing physical hardware, and the annoyance of having to carry around an additional device, respectively.
Today’s hard tokens are better than they were. Instead of copying random numbers off the side of an RSA device, modern hard tokens like YubiKeys hook directly into the USB port of your laptop, or they can connect to your NFC-enabled phone with a tap.
But these devices are still expensive—too expensive for most businesses to issue to a large customer base. Some banks, including several in Europe, do still mail card readers to their customers as a means of increasing the security of online banking transactions. But these organizations are increasingly moving away from this model, and it’s largely because…
Your Phone Is an Ideal Possession Factor
The rise of software-based tokens, called soft tokens or phone-as-a-token, has been a game changer for the MFA process. Not only is carrying around a phone something most of us already do, but the advanced security features in your typical smartphone are superior to those in any other hardware device (save a laptop or desktop computer).
That said, not all soft tokens are created equal. (Are you sensing a theme in this article?) The way your phone-as-a-token possession factor is implemented can have a big impact on its security and usability.
For instance, the most common—and arguably least secure—way to use your smartphone as a possession factor is through sending One-Time Passwords (OTPs) over Short Message Service (SMS), also known as “Text Messaging.”
In theory, if you’re using a tablet or computer and an SMS message is sent to your smartphone, that creates an “out-of-band” authentication channel, which means an attacker would need to physically control both of those devices.
In practice, however, attackers can get control of your SMS message through a process called “SIM Hijacking,” a form of man-in-the-middle attack in which a fraudster convinces your mobile carrier to switch your phone number over to another device (that they control).
Needless to say, any security measure that can be defeated by social engineering leaves you vulnerable, and with this method, a business is essentially outsourcing its security to a mobile carrier, which may or may not have adequate security in place.
[Editor’s Note: Choosing OTP over SMS as a smartphone token is a little like choosing Minesweeper as a video game; sure, it’s better than nothing, but your phone is capable of so much more.]
Possession Enhanced with Device Binding and Biometrics
To create stronger phone-as-a-token security, you’ll need to take advantage of the smartphone’s intrinsic security capabilities, chief among them the ability to store cryptographic private keys inside secure containers within the device. Leveraging this capability, you can use a public-private key pair to strongly link (or “bind”) a registered mobile device to a specific user’s account.
With device binding, you can be certain the customer using your company’s mobile app is in possession of the registered smartphone associated with their account.
But that’s not all.
Most smartphones are equipped with multiple biometric sensors—namely cameras, microphones, and fingerprint readers—which customers can use to demonstrate inherence and possession simultaneously.
Here’s how that might work:
When a banking customer using a web browser attempts to transfer money out of her account, a push notification gets sent to the bank’s mobile app on her smartphone. The customer uses her face (inherence) to log into her account, which is cryptographically bound to the device (possession). The app then displays the transfer amount (allowing her to verify the transaction details) and a prompt to either authorize or reject the transaction.
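The push-approval flow just described, as an added example that is not part of the original post: at enrollment the bank registers only the device’s public key, a single-use nonce rides along with the push notification, the app signs the exact transfer it displayed after the biometric unlock, and the bank verifies that signature against the bound key and refuses replays, tampered amounts, and signatures from any other device. It assumes ECDSA P-256 from the Go standard library; the in-memory key and the `Transfer` fields are constructed stand-ins for a key that on a real phone lives in secure hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Transfer is exactly what the app displays before asking the customer to authorize or reject.
type Transfer struct {
	To    string `json:"to"`
	Cents int64  `json:"cents"`
	Nonce string `json:"nonce"` // server-issued, single use: a captured approval cannot be replayed
}

// digest hashes the canonical JSON so the signature covers every displayed field.
func (t Transfer) digest() []byte { b, _ := json.Marshal(t); h := sha256.Sum256(b); return h[:] }
// Enroll stands in for device binding. On a real phone the private key is created inside the secure
// hardware container and never leaves it; here (constructed for this example) it lives in memory.
func Enroll() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Server is the bank: it registers only the public half of the key plus the nonces not yet consumed.
type Server struct {
	pub    *ecdsa.PublicKey
	nonces map[string]bool
}

func NewServer(pub *ecdsa.PublicKey) *Server { return &Server{pub, map[string]bool{}} }
// Issue mints a fresh nonce for one pending transfer; it rides along with the push notification.
func (s *Server) Issue() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n
}
// Approve is the app side: after the biometric unlock, sign exactly what was shown on screen.
func Approve(dev *ecdsa.PrivateKey, t Transfer) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, dev, t.digest())
}
// Verify accepts only an unused nonce and a signature by the bound device over the details shown.
func (s *Server) Verify(t Transfer, sig []byte) bool {
	if !s.nonces[t.Nonce] || !ecdsa.VerifyASN1(s.pub, t.digest(), sig) {
		return false // replayed, never issued, tampered, or signed by another device
	}
	delete(s.nonces, t.Nonce)
	return true
}
```

Because the nonce is part of what gets signed and is deleted on first use, the same signed approval cannot be presented twice, and changing the amount after the customer saw it invalidates the signature.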
Alternatively, the bank might decide to simply add an OTP generator inside its mobile app. Unlike with an OTP over SMS that relies on a mobile carrier, this OTP’s security is controlled by the bank, which sets the rules for authenticating into the app.
What’s more, the bank might choose to add or remove authentication layers in accordance with the risk profile of the customer or the specific transaction in question. Meanwhile, the smartphone can be delivering signals to the bank (e.g., has this device been jailbroken or rooted? What’s the geolocation of this device?) that could help determine those risk profiles.
The Delicate Balance, Revisited
And yet despite the sophisticated functions of the smartphone—or perhaps more accurately, because of those functions—phone-as-a-token will likely always be somewhat more vulnerable than dedicated hardware.
By virtue of having an operating system and persistent network connectivity, phones are more susceptible to hacking from a distance, particularly when their software is left without updates or necessary security patches.
In addition, the “Out of Band” benefit that occurs when a smartphone is used to authenticate a web interaction on a tablet, laptop, or desktop computer is lost when the web interaction originates on that same smartphone—something that’s becoming more common these days as customers increase the breadth and frequency of their smartphone interactions.
But while hard tokens may still have a place in very high-security applications, it’s important to remember the balance between security, convenience, and regulatory mandates. In most instances, phone-as-a-token authentication ticks all those boxes and delivers an authentication experience that’s inherently (or should we say possessively?) more customer-centric.
Need a solution for phone-as-a-token, inherence factors, and best-of-breed MFA? Click here to learn more, or get a quick demo.