Event Recording

Panel | Overcoming SMS OTP: Secure passwordless MFA with your mobile phone

So now we're gonna be looking at finding alternatives to SMS OTP. SMS OTP is really easy to implement, and it's widely used, but it is not altogether that secure. So that's what we're gonna be exploring in this particular panel. If I could ask the panel members just to say who they are, the organization they represent, and then just maybe make a short opening statement. John Tolbert, KuppingerCole.
That was the shortest introduction ever. Hi everyone. My name is Isla, I'm a managing director at L 20 ones. We are a consultancy, basically helping clients take their digital strategy from paper to production. And so I'm actually not an expert on authentication, but it comes up in every other project we do. And so I think I can bring in a perspective on that.
Hi, so Glen Hoover here from Telefónica Tech. So working in Telefónica's global business for IoT, big data and cybersecurity, and we've been developing authentication solutions and digital identity solutions in the last years, along with many other European mobile operators. And I guess, you know, one thing I would add is we often talk about there not being an identity layer in the internet. And that is very true. I totally agree with that. There is no identity layer, but actually if you think about the mobile internet, you know, mobile operators, we do have an identity layer. And actually every time that your phone is doing some kind of action, making a phone call, browsing the internet, sending a text message, it's authenticating continuously between that SIM card and our network. And it turns out that's gonna be very useful for things like authentication use cases.
Okay. Paul McGuire. So my background is I'm an entrepreneur, so I've set up a series of different businesses in the tech space, mainly in mobile, actually. So in relevance to this, one of my first businesses was an SMS aggregation business. So a pioneer in the SMS delivery space, a company called mBlox, which is now part of CLX, which is a big CPaaS player. I then set up a mobile payments business called Boku. And this latest business I'm in is dealing with digital identity and SIM based authentication. And as Glen mentioned, SIM based authentication is probably something that very few people here have heard about, but it's something that's very powerful as the world moves to mobile being a primary device. So hopefully we'll talk a bit more about that today.
Hello, I'm Torsten Lodderstedt, I'm the CTO of yes.com. We are a commercial open banking ecosystem, allowing bank customers to use their verified identity data and the credentials that they have with the bank to identify themselves, authenticate and electronically sign with third parties. And we are bringing that to the next level with the global identity network, which I'm co-chairing a technical PoC for. I'm not directly involved in implementing all the authentication features in the bank, but I'm kind of an observer of the different mechanisms that are being used. And one of the observations is that even though we are speaking about passwordless and getting rid of SMS and passwords, there are still some reasons why those are still around. Right?
Okay. So we'll work towards the solutions, but let's start at the very beginning. What are the main vulnerabilities of SMS OTP when they're used for authentication?
So there are many. As Torsten said, they're there for a reason, because they're easy to use and everyone has access to them, rather like passwords, but they're flawed, rather like passwords. They were never designed to be an authentication method. They were a messaging protocol. So fundamentally they have a shared credential. So there's a PIN involved when you're sending the SMS. And so it's subject to all the social engineering risks. There are core network layer issues around SS7. You've got the potential to have malware on the device, so you can open that SMS, and the list goes on. So it's phishable, shareable, credential risk primarily.
Yeah. John
SIM swap attacks too. I mean, there are certain mobile network operators that have been in the news for the last couple of years, where if you can successfully get a phone store employee to swap numbers, then all of a sudden you start receiving SMSs that were intended for somebody else. So that's one way to reset many, many different accounts. And that's a problem that may not be numerically as huge as others, but it's certainly one that if it happened to a person, it would be potentially devastating.
Yeah.
And I would like to add, as Paul just said, SMS was invented as a communication mechanism. And increasingly there are modern platforms that have really cool, convenient features. So you can relay your text messages from your iPhone to your MacBook, to your iPad and so on. So suddenly the SMS mechanism becomes dependent on the operating system or platform identity management and authentication mechanisms, right? Something people typically do not really have insight into.
And then just to round out the list, I mean, bad actors can use emulators, stolen device IDs and spoofed GPS locations to mimic phones. As John said, they're vulnerable to SIM swapping. And then of course there's the SS7 flaw that can be exploited to intercept SMSs. And the really fun fact there is that protocol's been around since 1975 and we're still using it. And then of course we've alluded to malware, which is the obvious one: malware can intercept that. And of course there's good old theft of phone and social engineering. So we've now established that there are indeed several reasons why it is insecure. Why are we still widely using it, including banking institutions?
I think when you talk about banks especially, inertia is a big one. So I mean actually moving from, you know, SMS to a modern authenticator is really difficult for them. They've got ubiquity there, so they can reach all their customers. And I think that's one of the major selling points of SMS. And it should be one of the, I guess, objectives of any authenticator to have ubiquity across platforms, across populations. And I guess inclusivity as well. So many of them are regulated entities and they want to make sure they can reach the guy with the feature phone as well as the guy with the smartphone. So they need to make sure something works for all their customers. And they're starting off with SMS. And I think we'll see a proliferation of different authenticators and then different options in the future.
And actually maybe to add to this, because I'm seeing this a lot in the B2B context where we are around. Actually, we even have customers that are reluctant to use SMS OTP in the B2B context because they say not all employees have a company issued phone. And so they are not even using SMS. They're using email for the second factor. And I don't know, I mean, this opens up a new discussion. I was just thinking when you said inclusivity, yes, that's a point, but it can be even worse than the bank customer.
I would like to add another aspect, which is recovery. So if you're managing user accounts and you manage the credentials through those user accounts, a mobile phone number is great, because if you're losing your phone, you just put the SIM card in a new device or get a new SIM card from your operator. The whole recovery process more or less relies on the customer management and rollout and provisioning process of the mobile operator. That's as easy as it is, right? So this is an important factor. And adding to that, in regulated use cases, what we have seen is that it's pretty hard to use modern authentication mechanisms like WebAuthn, for a simple reason: regulators think differently. So if you have an SMS, there is traceability. So if there is a fraud, you can get hold of the entity that in the end caused the problem and will be made accountable for that. I mean, I had to learn that first, and I mean, that's one of the reasons why, for example, in some use cases we can't use WebAuthn and FIDO authenticators, which is really, really a pity.
Actually, I've got just a real short addition, which I think, in addition to sort of those points, one of the other ones is it's quite complex what the alternatives are. So SMS is very well established. It's been there for a long time. Everyone knows about it. And so it's just easy. And so some of these new techniques, like SIM based authentication, have real advantages and you get around a lot of the problems that SMS has, in terms of there's no shared credential. It's something that's mobile native, it's not phishable. It can be high security with low friction. So you've got all these pluses, but no one's ever heard about it. So you've got this kind of well known but flawed solution. And you've got some new things that are coming through that are still pretty unknown. And I think that transition hasn't yet happened, but I think it will come over time. So
To what extent do you think it's a lack of awareness though? Because you say it's a well known solution, but are all the flaws well known? I mean, you know, we in this community know, but from a business side, you know, you've got a business case, you've got a business use case, this meets the business use case. Go, go, go.
Yeah. Yeah. I mean, I think so. I think, what do I think? I mean, I think in terms of awareness, awareness will come. And I think with many of the issues with sort of SMS replacement today, I think the world is going through this transition to what I would call sort of a new era. So the current era for mobile is that it's still primarily seen as a second factor. So the mobile device is seen as a second factor to which you send an SMS, but actually the world is transitioning now where the mobile device is becoming the primary factor, certainly in a consumer environment. And so there's a different sort of paradigm that has to apply when you're thinking about user authentication and security for a primary device. And in that context, you've got various alternatives that you could use. And I think the solutions haven't yet been figured out as to what the mix is: SIM based authentication or biometrics or trusted execution environment or some combination of those things. And so I think as the world transitions, then the answers to those will hopefully become clear, and perhaps people like us have to help on that journey.
So, I mean, can you add to any of the list now that we are looking at solutions? So, I mean, are there any other secure alternatives to SMS OTP other than the ones that have already been mentioned?
I think, you know, the one we wanted to talk about and highlight in this session was, you know, we've got a new product called Number Verify. It's been launched by most of the European mobile operators. It's a seamless, non-phishable authenticator, a possession factor. And it's offered by most of the European mobile operators through partners like Paul's business, which is tru.ID. And I think we've already got customers integrated. So there's two large UK banks integrated to that, you know, replacing their existing customer journeys, which were using SMS, to use this new SDK based service, which again uses SIM based authentication using the phone number, and, you know, incredible KPIs that they've achieved so far. So I think we definitely position that as Telefónica and as, you know, Vodafone and Orange and the other telcos, we position that as a next generation, non-phishable possession factor bound to the device. And of course there's other stuff in the mix. And we've heard from Andrew today about, you know, FIDO passkeys and the rest. This stuff, you know, we welcome all this stuff because there should be options that people can choose for consumer or workforce IAM.
So may I ask a question? So how do you solve the recovery problem? Because I really like that point you made, because from my point of view, and maybe that's a layman's perspective, you can either build something that is cryptographically secure, but then you have no chance when you, let's say, lose the device, or you can build something that is recoverable, but then you have SIM swap attacks and other kinds.
Well, I'm not sure I have the answer, but I've got a comment: you need a second factor, right? I mean, I think the beauty of a sort of mobile native possession factor like using the SIM is you need to put it in combination with something like a biometric, and whether that's device based or, even better, a cloud based biometric, you need to have something which is independent of the factor that you're using. So it's definitely an issue. You know, I was reading some things about, you know, people getting attacked to have their phones stolen so that you could steal cryptocurrency from them. So you need some sort of independent second or third factor that gives you that recovery capability. Biometric would be the obvious one, I'd have thought.
So I would like to add another option. So as I'm saying, I'm observing what the different banks, the financial institutions, use for authentication purposes. They are moving away from SMS clearly, and that's driven by two factors. One is security, the other one is cost, because SMS is expensive, at least in the German market. And what we're seeing is that almost all banks adopt the principle of having an app on the smartphone that is either generating a transaction number or is even sent a push notification. And then the user can not only authenticate, it can also confirm a transaction. And under the latest regulation, the Payment Services Directive 2, financial institutions are obliged, in the end, if they authorize access to account information or payment initiation, to really bind that transaction to that process of releasing the transaction, and an app is a very convenient way to do that. On the other hand, the recovery problem becomes more evident, but yeah, well, it's being solved in very traditional ways, depending on what bank you are with. Some of them will have local offices, so you can then just reset it. Right? Yeah.
Sorry. Were you wanting to say something, John, or were you just...
Oh, I was just agreeing. I mean, I could tell a stupid story about a banking app that I've seen, where you log in with a username and password. It sends you an SMS text and automatically recognizes you've got that text, so you don't have to enter it. So, you know, there's all kinds of ways of doing it wrong and just a few ways of doing it right.
Okay. So one potential alternative that I've come across just in trying to read up for today's panel was using a cryptography based authentication system that uses multiparty computation, where you compute the key with one share on the server and one on the mobile phone, and the shares are refreshed with each operation to prevent phone cloning. Have you come across this? And is it a practical solution? I mean, it sounds great, but does it work? Will it, could it work?
I've heard about those solutions, but I have never seen them in practice.
Okay. Do we have any questions in the room? I've sort of been desperately waiting for some questions from the online audience, but nothing's happened so far. So I just wondered whether there were any questions in the room, because I think this is an important question. I think it's underaddressed, but I just wondered whether, you know, there are any representatives here from the industry who could perhaps shed a light on, you know, where you are, what you're thinking, what you're looking at, potential solutions or questions that you want to... I don't know, Andy, if you've got anything that you can ask or offer. Okay.
I think we already mentioned WebAuthn and FIDO. So
I think, you know, just to go back to SMS again, if you look at the stats from Twitter and other providers, GitHub and others, I mean, the numbers are really low, the number of customers they've managed to get in terms of signing up to 2FA. You know, Twitter's like two or 3% and GitHub, maybe, maybe it's even just, you know, double digits. And so why is that, right? Because they can't persuade their customers. It's too clunky or customers just aren't interested in security. So I think, you know, it's good to dig a bit more into that. You know, why aren't customers interested in security?
May I have a comment on that? I think it's that no one wants to go through an authentication process. Right? I mean, businesses spend a lot of money building fantastic applications, and then what's the experience that a user has? They have to go through a whole: enter your email, enter a password, get a text. It's a horrible experience. So no one really wants that. And so my view is that as an industry, what we need to try and do is bake the security into the technology in such a way that the human's not part of the process. So at the moment we require humans to remember long passwords or use a password manager, or get the SMS and retype it, and not give things away. And that's just, it's not right, really.
And I think we're seeing that people don't really want that, 25% uptake. No one wants to go through that process. But if you can have security that's built into the device, that gives you that strong, you know, possession factor, for example in the case of SIM, without having to have user friction or user involvement, then suddenly it starts to work, because the user doesn't have to do anything other than enter the mobile number the first time. You've got an independent possession factor, which is independent of the hardware and the operating system. And you can do that check subsequently without any user involvement. So suddenly there's a security mechanism that doesn't require the user to do the work, and they don't even need to opt in. It's almost, it's just easy. So I think that sort of combination of the security that's sort of invisible is the way to solve that problem.
Yeah. I fully agree with you. And I think there are examples already where it worked, because can you remember the time when smartphones didn't have biometric lock/unlock functions? I barely remember. But nowadays it's so easy to unlock the device using face or fingerprint. And so people embrace two-factor if they do not really realize it's two-factor.
Okay. Well, that's kind of brought us nicely up to time. So unless there are any pressing questions in the audience, please give a round of applause for the panel.