Mobile banking is on the rise. And so are cyber breaches, despite PSD2/SCA and other security regulations. A large portion of these cyber breaches are caused by flawed authentication setups. So, we’ve developed these 7 best practices for secure mobile authentication.
In this article, we’ll discuss:
- why there are more account takeovers than ever;
- what the most common cyber attacks are;
- why legacy mobile authentication fails to provide sufficient protection;
- seven best practices you can apply to make mobile authentication more secure; and
- how we help financial institutions offer the best protection and user experience.
Mobile banking is the new norm
Over 2 billion people made transactions on their mobile phones in 2022. According to Juniper, that number will likely rise to 3.6 billion users by 2024.
Several factors drive this growth:
- The rise of digital-only banks that provide online or mobile-only accounts that typically do not have branches. Those banks enable customers to manage their accounts online and access their funds with a debit card.
- The ongoing emphasis on digital transformation by the established banks across the industry offering online and digital services, with the backend changes to support these services.
More account takeovers than ever
As the number of mobile banking transactions and customers grew, so did the number of successful account takeover attacks.
Fraud prevention platform Sift reported a 71% increase in account takeover attacks in the first half of 2022 compared to the same period in 2021.
The international market intelligence company Aberdeen echoed these findings. They uncovered that 84% of organisations in the financial services industry had online users who experienced a successful account takeover. The same study reported organisations lost 8.3% of their annual revenue because of account takeovers.
There are plenty of indirect costs too. Account takeovers chase away customers. Nearly 33% of banks lost customers to their competitors; they also have to deal with reputational damage, increased scrutiny from industry regulators and loss of customer and employee data.
The most common attacks
These account takeovers are caused by a variety of well-crafted cyber attacks. The most common cyber attacks banks and fintech companies fall prey to are:
- Credential stuffing and brute-forcing attacks. Credential stuffing is when an attacker uses lists of stolen passwords to take over accounts. Passwords are easy to come by: attackers can access 12.5 billion passwords and 3.3 billion unique username-password pairs. A brute-force (guessing) attack consists of an attacker trying a high volume of possible login credentials to get access to an account.
- Phishing attacks. Phishing is a social engineering attack used to steal user credentials, like login data or banking card numbers. Bad actors often use emails with a bad link that will download malware or redirect users to a website that appears legitimate but is constructed to capture credentials.
- Man-in-the-middle (MITM) attacks are still essential in a hacker’s arsenal. In a MITM attack, the adversary positions themselves between the user and the system to intercept and alter data travelling between them.
- MFA fatigue attacks, also known as push notification attacks, push fatigue attacks or MFA prompt-bombing, have seen a resurgence in 2022. These attacks grew 33%, accounting for approximately 29% of cyber breaches. Major cyber violations committed by the Lapsus$ and SolarWinds groups showed that fraudsters have become well-versed in using this tactic to circumvent some MFA systems.
- Device theft can lead to account takeovers when the bank app allows ‘eternal’ logins. Eternal login refers to instances where a mobile app receives a long-lived refresh token after the user logs in once. That refresh token keeps the user continuously logged in for that time, which allows a thief to access the account if they acquire the user’s phone.
Legacy multi-factor authentication isn't secure
All these attacks have one thing in common: they’re facilitated by faulty authentication systems that rely on passwords and equally flawed or poorly implemented 2nd factors like hardware tokens, OTPs, and push notifications. On top of that, these systems are rarely built on public key cryptography.
Passwords and OTPs are a liability. They’re prone to numerous cyber-attacks and cause 81% of cyber breaches across all industries. To add insult to injury, password-based authentication isn’t built on public key cryptography. That means a hacker who gets hold of the password can go a long way towards taking over a user’s account.
Phishing, credential stuffing and brute-force attacks are usually executed with compromised usernames and passwords. MFA built on public key cryptography would eliminate the need for usernames and passwords and make these cyber attacks obsolete.
Push notifications are often used to add a layer of security to passwords. But they’re often backed by faulty technology that enables push notification attacks.
The same goes for biometrics. Despite its reputation, mobile biometric authentication is no silver bullet. It needs to be correctly implemented to have a significant impact on security.
We suggest these seven steps to make the mobile app authentication experience more secure.
1. Implement public-key cryptography
Public key cryptography ensures that the secret or private key needed to authenticate never leaves the user’s device. The secret isn’t known by the server nor sent over. Even if the server’s authentication database leaks, bad actors can’t impersonate a customer. Public key cryptography reduces the risk of a cybercriminal obtaining a private key.
It also eliminates the necessity for passwords and OTPs. A password is checked against a stored hash of the password saved on the server. If an attacker gains access to the server and password database, they can easily get access to an account.
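To make the property described in this section concrete, here is an added Go example (not nextAuth's SDK or any product code) of a challenge-response login in which the server stores only an Ed25519 public key per enrolled device. The device ids, the action strings and the in-memory store are constructed assumptions. It runs a genuine login and then three failed attempts: a replayed signature, a login signature presented as approval of a transfer, and an attacker who has copied the server's database but holds no matching private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server keeps, per enrolled device, only the public key and the nonce of an outstanding
// challenge. (In-memory maps stand in for the bank's user database; constructed for this example.)
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll stores the device's public key; the private half never crosses the wire.
func (s *Server) Enroll(deviceID string, pub ed25519.PublicKey) { s.pubKeys[deviceID] = pub }

// Challenge issues a fresh 32-byte random nonce, good for exactly one verification.
func (s *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.pubKeys[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[deviceID] = nonce
	return nonce, nil
}

// Verify checks the signature over nonce||action and consumes the nonce either way, so a
// captured signature cannot be replayed.
func (s *Server) Verify(deviceID, action string, sig []byte) bool {
	nonce, ok := s.challenges[deviceID]
	if !ok {
		return false
	}
	delete(s.challenges, deviceID)
	return ed25519.Verify(s.pubKeys[deviceID], signingInput(nonce, action), sig)
}

// signingInput binds the nonce to the approved action ("login" or one specific transfer),
// so a signature over a login prompt cannot be presented as approval of a payment.
func signingInput(nonce []byte, action string) []byte {
	return append(append([]byte{}, nonce...), action...)
}

// Device models the phone: the key pair is generated locally and the private key stays there.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

func (d *Device) Sign(nonce []byte, action string) []byte {
	return ed25519.Sign(d.priv, signingInput(nonce, action))
}

type DemoResult struct{ Legit, Replay, WrongAction, LeakedDB bool }

// RunDemo runs one genuine login and three attacks against the same server.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	srv := NewServer()
	phone, err := NewDevice("phone-A1") // constructed device id
	if err != nil {
		return r, err
	}
	srv.Enroll(phone.ID, phone.PublicKey())
	// Genuine login: the phone signs the fresh nonce.
	nonce, err := srv.Challenge(phone.ID)
	if err != nil {
		return r, err
	}
	sig := phone.Sign(nonce, "login")
	r.Legit = srv.Verify(phone.ID, "login", sig)
	// Replay: the same signature again; its nonce is already consumed.
	r.Replay = srv.Verify(phone.ID, "login", sig)
	// Action substitution: a login signature presented as approval of a transfer.
	nonce, _ = srv.Challenge(phone.ID)
	r.WrongAction = srv.Verify(phone.ID, "transfer:1000EUR:to:IBAN-X", phone.Sign(nonce, "login"))
	// Leaked server database: the attacker knows the public key but has no matching private
	// key, so the best they can do is sign the challenge with a key of their own.
	attacker, _ := NewDevice("attacker")
	nonce, _ = srv.Challenge(phone.ID)
	r.LeakedDB = srv.Verify(phone.ID, "login", attacker.Sign(nonce, "login"))
	return r, nil
}
```

Calling `RunDemo()` yields `Legit` true and the other three flags false. The two design points worth noting are that the nonce is deleted before the signature is checked, so a failed attempt cannot be retried against the same challenge, and that the action is part of the signed message, which is what later gives a signed transaction approval its non-repudiation value.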
2. Get rid of passwords.
The weaknesses of passwords are well documented. They cause 81% of all data breaches across all industries. Passwords are susceptible to phishing, social engineering, credential theft, stuffing, guessing, brute-forcing, and other cyber threats. About 12.5 billion passwords are currently compromised.
A password is checked against a stored hash of the password saved on the server. If an attacker gains access to the server and password database, they can easily access an account.
The way customers use passwords exacerbates this inherent vulnerability. The average customer has up to 80 accounts that require a password to log in. While all passwords should be unique, most customers use the same password repeatedly, making it easy for attackers to take over accounts once they’ve compromised a single password.
To counter this, financial institutions require customers to develop longer and more complex passwords, and change passwords more often. This negatively impacts the usability and causes password fatigue, which is stress caused by trying to stay up-to-date with changing password requirements and repeatedly forgetting and mistyping passwords.
To avoid password fatigue, an average user uses the same password repeatedly, making it easy for attackers to breach accounts once they’ve compromised a password.
Eliminating passwords makes phishing, credential theft, MITM, credential stuffing and push notification attacks nearly impossible.
3. Don't rely on one-time passwords
One-time passwords (OTPs) are generated by software or hardware, and usually sent over by SMS. Although they can only be used once, when phished OTPs provide little more security than regular passwords.
One of the potential weaknesses of OTPs is that they can be intercepted or stolen by attackers. If the OTP is sent by SMS, it’s susceptible to SMS hijacking or SIM swapping to redirect the message to a device they control. If sent by email, attackers can intercept OTPs through phishing.
They’re also vulnerable to man-in-the-middle attacks. If the communication channel between the user and the server isn’t secure or the user’s device is infected with malware, an attacker can easily
The best way to deal with these vulnerabilities is to delete OTPs from your authentication equation.
4. Use intuitive authentication factors instead
How intuitive authentication factors are, and how users handle them as a result, significantly impacts security. The most common factors, passwords and OTPs, cause a significant amount of friction and lead to sloppy usage by users, which makes their inherent flaws worse.
So, banks need to rely on user-friendly authentication factors. We recommend banks use the user’s mobile phone as a 1st factor and a biometric as a 2nd factor, with a PIN code as a backup method.
The user’s mobile phone is the logical 1st factor. Unlike regular hardware tokens, a customer carries their mobile phone everywhere. Banks can turn their customers’ phones into secure devices by embedding our mobile SDK, for instance, into the banking app and the phone.
This enables our advanced public-key cryptography to ensure the private key never leaves the user’s device. At the same time, banks only need to store the public key on their server, drastically reducing their attack surface. This turns a user’s phone into a secure hardware login device, making hardware tokens and corresponding server-side HSMs obsolete.
The 2nd factor is biometrics. Biometrics is considered to be the most user-friendly authentication factor by users. On top of that, they provide an extra layer of security if implemented correctly. We’ll get back to that later.
Lastly, a biometric factor requires a fallback method. What if a user has a small cut on the thumb they use to log in? Or if the scanner doesn’t recognise the face it’s supposed to scan? That’s when the PIN code verified through a zero-knowledge mechanism comes into play as a fallback second factor.
5. Biometrics should be native to the user's device
If used correctly, biometric authentication can be a secure way to log in. The issue is that biometrics often are poorly implemented. Some authentication systems use biometrics as a mere front for password-based authentication. Those systems require users to submit a password and a biometric scan when they sign up for the app. This enables users to enter that biometric scan instead of typing a password.
However, the biometric scan simply releases the password to the mobile app, so it can be sent over to the server. It’s essentially password-based authentication with a band-aid. It has no significant impact on security.
Other systems do this correctly but have the biometrics processed by the authentication provider instead of on the phone. The biometric scans are sent to the authentication provider’s server, which causes GDPR issues and makes the biometric scans susceptible to breaches if the server is hacked.
The most secure way to use biometrics is to use native biometrics. These biometrics are stored in the device’s secure hardware. When a user submits a biometric scan, it’s processed within the phone. After verification, a signature is emitted by the secure hardware. The private key never leaves the hardware, making it impossible to intercept. This guarantees that the legitimate user has used a legitimate device to log in or confirm a transaction, i.e. it ensures non-repudiation of all authentication and transaction attempts.
6. Use push notifications wisely
If you allow your customers to log into their accounts on their desktops using mobile authentication, you should be wary of push notification spamming.
Financial organisations sometimes combine passwords with push notifications. The process is straightforward: a customer submits their password and gets a notification asking them to confirm their login or payment attempt.
Push notification spamming is used by attackers when they’ve acquired a password found on lists of stolen passwords. There are currently approx. 12.5 billion passwords that cybercriminals can get their hands on. The hacker uses the password as a 1st factor and triggers a push notification sent to the legitimate user to confirm the authentication attempt.
The cybercriminal can spam the unsuspecting user until they succumb and approve authentication, giving the hacker access to the targeted account. This attack is often deployed at a mass scale, making its 3% success rate significant.
Some cyber experts suggested there isn’t much organisations could do except raise awareness and educate their users. We disagree. Banks have a higher chance of repelling push notification attacks with a mobile authentication system like ours. Your authentication setup should possess these three critical features to prevent push notification attacks.
- Rate limiting: This feature limits the number of push notifications a user or a bad actor who impersonates a user can trigger. This eliminates the risk of a user being coerced into accepting an authentication request due to an extremely high number of push notifications.
- Your mobile authentication system should be able to detect from which device a push notification is requested and only allow push notification requests coming from a device that’s already been used. This makes it impossible for attackers to impersonate a user from a device the user has never used.
- The third essential feature is the inability to request many push notifications after the first one has been rejected. A user will, for example, have to scan a QR code after such a rejection.
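The three features above can be expressed as a small server-side policy. The following Go program is an added example (not nextAuth's implementation) of such a policy engine: a sliding-window rate limit per user, a check that the requesting device has been used before, and a hard stop after one rejection that only a QR scan in the app clears. The window size, user name and device ids are constructed for the example.

```go
package main

import "time"

// Decision is what the authentication server does with one "send me a push" request.
type Decision string

const (
	Allow       Decision = "push sent"
	RateLimited Decision = "blocked: rate limit"
	UnknownDev  Decision = "blocked: requesting device never used by this user"
	NeedQR      Decision = "blocked: earlier prompt rejected, QR scan required"
)

// Policy bounds how many pushes one user can receive in a sliding window.
// The values used below (3 per 10 minutes) are constructed for this example.
type Policy struct {
	MaxPerWindow int
	Window       time.Duration
}

type userState struct {
	knownDevices map[string]bool // devices this user has already authenticated from
	sent         []time.Time     // times of pushes sent within the window
	needQR       bool            // set when the user rejects a prompt
}

// PushGuard applies rate limiting, device binding and the post-rejection stop.
type PushGuard struct {
	policy Policy
	users  map[string]*userState
}

func NewPushGuard(p Policy) *PushGuard {
	return &PushGuard{policy: p, users: map[string]*userState{}}
}

func (g *PushGuard) state(user string) *userState {
	st, ok := g.users[user]
	if !ok {
		st = &userState{knownDevices: map[string]bool{}}
		g.users[user] = st
	}
	return st
}

// RegisterDevice marks deviceID as one the user has already used to authenticate.
func (g *PushGuard) RegisterDevice(user, deviceID string) { g.state(user).knownDevices[deviceID] = true }

// Request decides whether a push may be triggered for user from deviceID at time now.
func (g *PushGuard) Request(user, deviceID string, now time.Time) Decision {
	st := g.state(user)
	if st.needQR {
		return NeedQR
	}
	if !st.knownDevices[deviceID] {
		return UnknownDev
	}
	cutoff := now.Add(-g.policy.Window) // drop pushes that have left the window
	kept := st.sent[:0]
	for _, t := range st.sent {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	st.sent = kept
	if len(st.sent) >= g.policy.MaxPerWindow {
		return RateLimited
	}
	st.sent = append(st.sent, now)
	return Allow
}

// Rejected records that the user declined a prompt; no more pushes until a QR step-up.
func (g *PushGuard) Rejected(user string) { g.state(user).needQR = true }

// QRStepUp clears the block once the user has scanned a QR code in the app.
func (g *PushGuard) QRStepUp(user string) { g.state(user).needQR = false }

// RunScenario replays a constructed sequence of requests and returns the decisions.
func RunScenario() []Decision {
	g := NewPushGuard(Policy{MaxPerWindow: 3, Window: 10 * time.Minute})
	g.RegisterDevice("alice", "desktop-home") // constructed user and device ids
	t0 := time.Date(2023, 1, 10, 9, 0, 0, 0, time.UTC)
	at := func(m int) time.Time { return t0.Add(time.Duration(m) * time.Minute) }
	var out []Decision
	out = append(out, g.Request("alice", "desktop-home", at(0)))   // push sent
	out = append(out, g.Request("alice", "unknown-laptop", at(1))) // unknown device
	out = append(out, g.Request("alice", "desktop-home", at(2)))   // push sent
	out = append(out, g.Request("alice", "desktop-home", at(3)))   // push sent
	out = append(out, g.Request("alice", "desktop-home", at(4)))   // rate limit
	g.Rejected("alice")                                             // user taps "deny"
	out = append(out, g.Request("alice", "desktop-home", at(15)))  // window passed, still blocked
	g.QRStepUp("alice")
	out = append(out, g.Request("alice", "desktop-home", at(16))) // push sent
	return out
}
```

The rejection check comes first on purpose: once the user has said no, neither a quiet rate-limit window nor a known device reopens the push channel; only the QR step-up, which requires the legitimate phone, does.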
7. Avoid eternal login
Many product managers implement eternal login or a “remember me” option to relieve their users from authentication friction. The perceived benefit comes at a severe security cost. It increases the risk of unauthorised access if the device falls into the wrong hands or someone gains access to the user’s account.
Instead, we recommend implementing native biometric authentication factors. If well-implemented and combined with QR scanning or safely-implemented push notifications, it enables you to adhere to the stringent security requirements suggested by the EBA, like session timeouts and re-authentication, without the friction caused by OTPs, passwords, etc.
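The cost of eternal login is easiest to see side by side with a bounded session. The Go program below is an added example (not code from nextAuth or the EBA) that contrasts a "remember me" session with one limited by an idle timeout, an absolute lifetime, and a requirement for a fresh biometric or PIN before a payment is approved. Every duration in it is a constructed assumption, not a regulatory value.

```go
package main

import "time"

// SessionPolicy bounds a login in time. A zero MaxLifetime models "eternal login":
// the session is honoured for as long as the device keeps presenting its token.
// The durations used below are constructed for this example, not regulatory values.
type SessionPolicy struct {
	IdleTimeout time.Duration // end the session after this much inactivity
	MaxLifetime time.Duration // absolute cap measured from login; 0 = no cap
	StepUpAge   time.Duration // how recent the biometric/PIN must be to approve a payment
}

// Session is the server-side record for one logged-in device.
type Session struct {
	policy         SessionPolicy
	loginAt        time.Time
	lastActivity   time.Time
	lastStrongAuth time.Time // last native biometric or PIN verification
}

func NewSession(p SessionPolicy, now time.Time) *Session {
	return &Session{policy: p, loginAt: now, lastActivity: now, lastStrongAuth: now}
}

// Active reports whether ordinary requests (e.g. viewing a balance) are still allowed.
func (s *Session) Active(now time.Time) bool {
	if now.Sub(s.lastActivity) > s.policy.IdleTimeout {
		return false
	}
	if s.policy.MaxLifetime > 0 && now.Sub(s.loginAt) > s.policy.MaxLifetime {
		return false
	}
	return true
}

// Touch records activity. It resets the idle clock but never the absolute lifetime.
func (s *Session) Touch(now time.Time) bool {
	if !s.Active(now) {
		return false
	}
	s.lastActivity = now
	return true
}

// Reauthenticate records a fresh biometric/PIN verification performed on the device.
func (s *Session) Reauthenticate(now time.Time) {
	s.lastStrongAuth, s.lastActivity = now, now
}

// CanApprovePayment needs an active session and a strong authentication newer than StepUpAge.
func (s *Session) CanApprovePayment(now time.Time) bool {
	return s.Active(now) && now.Sub(s.lastStrongAuth) <= s.policy.StepUpAge
}

// Comparison holds the outcomes of the constructed timeline below.
type Comparison struct {
	PaymentFreshLogin      bool // payment 1 minute after login
	PaymentStaleAuth       bool // payment 4 minutes after login, no fresh biometric
	PaymentAfterReauth     bool // same moment, after a fresh biometric
	EternalValidAfterTheft bool // "remember me" session, phone used by a thief 2 days later
	BoundedValidAfterTheft bool // same timeline under the bounded policy
}

func RunComparison() Comparison {
	eternal := SessionPolicy{IdleTimeout: 90 * 24 * time.Hour, MaxLifetime: 0, StepUpAge: 90 * 24 * time.Hour}
	bounded := SessionPolicy{IdleTimeout: 5 * time.Minute, MaxLifetime: 24 * time.Hour, StepUpAge: 2 * time.Minute}
	t0 := time.Date(2023, 1, 10, 9, 0, 0, 0, time.UTC)
	e, b := NewSession(eternal, t0), NewSession(bounded, t0)
	var c Comparison

	// One minute after login the biometric is still fresh enough for a payment.
	e.Touch(t0.Add(time.Minute))
	b.Touch(t0.Add(time.Minute))
	c.PaymentFreshLogin = b.CanApprovePayment(t0.Add(time.Minute))

	// Four minutes after login the session is active but the last biometric is too old.
	later := t0.Add(4 * time.Minute)
	b.Touch(later)
	c.PaymentStaleAuth = b.CanApprovePayment(later)
	b.Reauthenticate(later)
	c.PaymentAfterReauth = b.CanApprovePayment(later)

	// Two days later the phone is in someone else's hands.
	theft := t0.Add(48 * time.Hour)
	c.EternalValidAfterTheft = e.Active(theft)
	c.BoundedValidAfterTheft = b.Active(theft)
	return c
}
```

Under the bounded policy the stolen phone holds nothing usable after two days, while the eternal session is still live; the step-up check shows how a native biometric can be asked for only where it matters (approving a payment) rather than on every screen.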
nextAuth's mobile passwordless MFA solution for financial institutions
Our mobile passwordless MFA solution harmonises security with a stellar user experience. It secures your app while eliminating the need for passwords, hardware tokens and one-time passwords.
Combining biometric factors on a mobile phone, backed up by a PIN, is the most frictionless and secure form of passwordless MFA. We chose those methods for various reasons:
- Biometric authentication factors are the most intuitive and frictionless authentication factors. There’s no easier way to log in than pressing a thumb on a mobile phone.
- The second factor is the user’s phone. Using a tool that a user carries around makes sense in terms of security and user-friendliness.
- A biometric factor needs a fallback method that comes into play if the biometric scan fails. We chose to rely on PIN codes as a fallback method.
We developed a patented mobile authentication technology to deliver the strongest possible user and device authentication and prevent account takeovers.
nextAuth also creates a secure communication channel between your financial institution and customers’ mobile devices. This enables you to send real-time customer requests to authenticate sensitive transactions. Their responses are digitally signed, supporting non-repudiation, then encrypted and returned.
Our technology also has the necessary features to reduce the risk of push notification attacks drastically. Bad actors can’t repeatedly trigger rejected push notification requests remotely from an unknown device.
Your institution retains complete control over user registration, independent of mobile networks and SIM cards.
The nextAuth solution can either be implemented into your systems thanks to its mobile SDK or deployed as a white-label authenticator app that allows you to provide a unified authentication experience.