MFA presents a challenging task for product managers, who must balance security and UX. Regulatory mandates like PSD2/SCA and GDPR lead to high security but typically introduce friction, hurting the user experience. This article explores innovative approaches that enable organisations to reconcile these seemingly conflicting priorities.
PSD2 and strong customer authentication
Many organisations kept the password-based authentication they had in place before the SCA requirements and added One Time Passwords (OTPs), PIN codes or biometrics to the MFA equation.
The problem with passwords
On top of that, they frustrate users. Various studies have shown that users suffer from “password fatigue”. This is the stress caused by the increasing number of complex passwords users must use and remember, especially when they’re required to submit passwords on their phones.
One-time passwords are no better
OTPs exacerbate the problems caused by passwords. In terms of usability, OTPs leave much to be desired. They’re typically sent by SMS or email, or generated by an additional hardware or software token, i.e. authenticator app on your phone. The user must then copy the OTP and transfer it to the application they’re authenticating to.
These methods create a considerable amount of friction. SMSes and emails containing the OTPs often don’t get delivered on time, if at all, and having to leave an application to get the OTPs takes users out of their momentum.
The price users pay in terms of UX isn’t compensated by more security. On top of being prone to various social engineering attacks, OTPs have poor brute-force security and do not provide non-repudiation.
Get rid of passwords and implement public-key cryptography
The solution is as radical as it is obvious: get rid of passwords and OTPs and replace them with public key cryptography. Public-key cryptography ensures that when the user submits their authentication factor, the secret or private key prompted by that factor never leaves that device. It also eliminates the necessity for passwords and OTPs.
Public-key cryptography ensures that the server never gets to know or stores the secret and verifies it in zero knowledge. Even if the server’s authentication database leaks, bad actors can’t impersonate a user. Public-key cryptography thus reduces the risk of a bad actor performing an account takeover.
Public-key cryptography comes in many forms
On top of providing the best possible security, public-key cryptography puts organisations in the position to provide frictionless authentication factors.
If they choose the right tools, that is. Some organisations incorporate additional hardware tokens into their authentication setup. While these might increase security, they severely hamper usability. Hardware tokens compel customers or employees to use another tool to log into their accounts, sign documents or confirm transactions.
The most convenient way to benefit from public-key cryptography is to implement it into your users’ phones. Our solution, for instance, comes as a mobile SDK and a white-label authenticator app. When implemented into an organisation’s app or rolled out, our public-key cryptography and authentication protocol effectively turn the users’ phones into secure hardware devices.
The untapped potential of biometric authentication and PIN codes
While public-key cryptography turns the users’ phones into strong possession-based factors, they also enable organisations to securely leverage user-friendly biometrics or PIN codes to establish user presence.
Many organisations already benefit from the user-friendliness of these factors. Unfortunately, the factors’ potential security impact remains untapped because of how they are deployed. Our CTO Roel Peeters wrote an article about what the wide array of potential weaknesses of both biometrics and PIN codes are and how organisations can avoid them. |hyperlink|
Balancing security and usability with public-key cryptography
Public-key cryptography is the critical ingredient to strike a perfect balance between security and UX in authentication. It makes authentication methods that cause friction obsolete and bolsters the security impact of low-friction authentication factors.
If embedded in the users’ phones, it crear public-key cryptography effectively leverages and also leverages native biometric factors stored in the phones’ secure hardware.
This also guarantees that the legitimate user has used a legitimate device to log in or confirm a transaction. In other words, it ensures non-repudiation of all authentication and transaction attempts.
Public-key cryptography improves UX when you implement it into your users’ phones. Additional hardware tokens might increase security, but they nullify public-key cryptography’s potential positive usability effects. Find out how you can embed public-key cryptography into your app and provide secure and frictionless authentication.