Silent Second-Factor Authentication (SSFA) is a way of delivering two-factor authentication (2FA) without initiating a separate communication with the client over a new channel. Instead of requesting that the client submit a verification code delivered over a separate channel, SSFA queries the serving network to authenticate the device the client is using. This not only provides for a better user experience, since the client’s session is not interrupted by the receipt and resubmission of a passcode, it is more secure since it is impervious to socially engineered man-in-the-middle attacks that intercept and repurpose the passcode. This blog presents what you need to know about Silent Second-Factor Authentication and why it may be the right security solution for you.
Two-Factor Authentication vs Silent Second-Factor Authentication
Two-factor authentication (2FA) is a security measure that requires users to provide two different ways of verifying their identity when accessing a system. The first factor is typically something the user knows, such as a password or PIN, while the second is typically something the user has, such as a security key or smartphone. With two factors, 2FA provides an additional layer of security that makes it more difficult for attackers to gain access with phished, hacked or stolen credentials.
Some 2FA methods rely on possession of a physical or digital token as the second factor, but the most common form of 2FA is an SMS one-time passcode (OTP) delivered to a smartphone. The objective of the SMS OTP is to ensure that the client is in possession of the phone with the mobile number associated with the client’s account. When 2FA by SMS OTP is used, a fraudster with phished credentials cannot log in unless they have also stolen and unlocked the victim’s phone.
SSFA delivers the benefits of 2FA by using a secure connection to the mobile network operator to verify the mobile number of the connected device the client is using, instead of verifying possession by sending an SMS OTP. This is more secure and more discrete, and, since the relying party is only seeking yes or no verification, the network operator does not have to release any of the mobile subscriber’s personal information.
More sophisticated fraudsters can try to overcome both 2FA by SMS OTP and SSFA by taking control of the victim’s mobile account. This, too, can be protected against, and will be the topic of a future post.
Advantages of Silent Second-Factor Authentication
Silent second-factor authentication has advantages of other solutions due to its ability to improve both security and customer experience simultaneously.
An SMS OTP can be redirected, or intercepted by a fraudster using a social engineering attack. Fraudsters impersonating bank security professionals have been known to call bank clients and trick them into revealing the SMS OTP’s sent by the bank. The fraudster may ask the victim to participate in a “test” to verify the security of their account. They are told that part of the test involves the transmission of an SMS OTP to the victim’s phone to ensure that victim is receiving the correct code. In the meantime, the fraudster uses stolen credentials to login to the victim’s account. When the actual bank sends the victim an SMS OTP to verify the login attempt, the fraudster tells the victim that this is the test code that the victim should repeat back to the fraudster. The fraudster then uses the code to gain access to the client’s account. Since SSFA does not rely on a passcode, hijacking of a code is not possible.
On the customer experience front, acknowledging and returning an SMS OTP interrupts the client’s user experience. SSFA lets users log in quickly and easily with a more streamlined process that operates in the background.
Overall, Silent Second Factor Authentication is a convenient and secure option for companies looking to protect their client accounts from unauthorized access by adding layer of security while minimizing friction on the part of the user. As a result, SSFA may well be the evolution of SMS OTP for account access over mobile devices.
EnStream offers Silent Second-Factor Authentication, a secure and convenient way to protect your online accounts. Contact EnStream today to learn more about how our SSFA can help keep your accounts safe and secure.