Two-factor authentication has become table stakes for businesses today, and customers are pushing hard on those that have not yet made the transition. For a two-factor authentication to be secure, the user must present two elements:
- Something they know (such as a password, PIN, etc.) as the first factor and
- Something they have (token, USB key, etc.) as the second "out of band authentication" factor
What is Out of Band Authentication?
The core concept is that even if the first-factor password is compromised by a bad actor, the second factor remains "out of band" for them. For authentication to be truly secure, this second factor must be completely out of band; in other words, it must be completely unreachable by the bad actor.
Current Authentication Methods
Prominent two-factor authentication methods such as SMS, authenticator apps, and USB keys do offer a viable second factor. However, they are far from being completely out of band. Authenticator apps and USB keys are strong second factors, but they still carry the risk of being stolen by the bad actor and are thus somewhat reachable. The SMS one-time passcode (OTP), by far the most popular approach, is the least secure of the lot: a bad actor can obtain an SMS OTP via SS7 attacks, malware, or plain social engineering. This makes it very accessible to a fraudster and hence not a true out of band authentication mechanism.
To achieve the best two-factor authentication, we need a true out of band authentication model. This is where the wireless carrier network comes in.
Out of Band Authentication with Carrier Network
Wireless carriers have invested hundreds of billions of dollars to build highly reliable and secure mobile networks. This investment ensures that calls, text messages, and data always make it to the right device. Moreover, the security model employed by wireless carrier networks ensures no one can listen in on your calls or access your data session. The network is always aware of the phone number whenever the phone interacts with it, which makes it the ideal candidate for a reliable and secure true second factor for out of band authentication.
Wireless Carrier + Boku Phone Verification
Boku, in partnership with the wireless carriers, leverages this network capability to verify the phone in session for its Phone Verification Service. When your app uses this service and makes the API call, the wireless carrier detects the data session and the phone number behind it. Boku's platform then checks with the carrier systems to verify that the phone number sent by the user/app is indeed the phone number in the data session. The following call flow illustrates the process:
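To make the matching step concrete, here is an added Python model of a fail-closed verifier for this flow (example code written for this post, not Boku's or any carrier's API; the carrier lookup table, session ids, number normalization and nonce handling are constructed assumptions). It denies when the session cannot be attributed to a number (e.g. Wi-Fi), when the nonce is stale or reused, and when the claimed number does not match the one the network sees.

```python
import hmac
import re
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for a carrier lookup: the number the network sees
# behind a data session, or None when the session cannot be attributed
# (e.g. the device is on Wi-Fi or a VPN rather than the carrier network).
CARRIER_SESSION_DB: Dict[str, Optional[str]] = {
    "sess-cellular-1": "+14155550123",
    "sess-wifi-1": None,
}

def normalize_e164(number: str) -> Optional[str]:
    """Reduce a user-entered number to a canonical +digits form; None if malformed."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("00"):          # international prefix -> "+"
        digits = "+" + digits[2:]
    if not re.fullmatch(r"\+[1-9]\d{6,14}", digits):
        return None
    return digits

class PhoneVerifier:
    def __init__(self, carrier_lookup: Callable[[str], Optional[str]], ttl_seconds: int = 60):
        self._lookup = carrier_lookup
        self._ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}   # nonce -> (session_id, expiry)

    def start(self, session_id: str, now: Optional[float] = None) -> str:
        """Issue a single-use nonce bound to the app's data session."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (session_id, (now or time.time()) + self._ttl)
        return nonce

    def verify(self, nonce: str, claimed_number: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Fail closed: any missing, stale, unattributable or mismatched input is a denial."""
        entry = self._pending.pop(nonce, None)   # single use: consumed even on failure
        if entry is None:
            return False, "unknown_or_replayed_nonce"
        session_id, expiry = entry
        if (now or time.time()) > expiry:
            return False, "expired"
        claimed = normalize_e164(claimed_number)
        if claimed is None:
            return False, "malformed_number"
        network_number = self._lookup(session_id)
        if network_number is None:
            return False, "session_not_attributable"
        if not hmac.compare_digest(claimed, network_number):   # constant-time compare
            return False, "number_mismatch"
        return True, "verified"
```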
In Conclusion - Be Proactive
With the recent spike in breaches and fraud, we as an industry must be vigilant and evolve toward stronger methods of authentication. Moreover, as we increasingly become a digital economy, this is a must-have requirement for all business systems.
Leveraging the reliable and secure wireless carrier network as the out of band authentication channel for phone verification and two-factor authentication is the natural next step in bolstering the security of access to applications and systems.