What Is Secure Customer Authentication (SCA), how is it different from 2FA, and how does it work?
Every day, companies fall victim to ransomware attacks or suffer security breaches. These incidents do not only harm the reputation of the affected organizations; cyberattacks can also disrupt their operations, lead to regulatory fines, and simply distract them from their core business. Most of these account takeover (ATO) attacks are initiated by stealing login credentials through phishing, dark web databases or social engineering. They can easily be avoided by applying Secure Customer Authentication (SCA). In this article we explain what two-factor authentication is, how it works and how you can implement it, and we compare 2FA with SCA.
What is two-factor authentication?
Two-factor authentication (2FA) is a security measure that provides an extra layer of protection for online accounts and sensitive information. It involves the use of two different factors to verify a user’s identity. Typically, the first factor is something the user knows or is, such as a password or PIN (something the user knows) or a fingerprint or face ID (something the user is). The second factor is something the user possesses, like a mobile device or a security token, that generates a One-Time Password (OTP). To authenticate, the user must provide both factors, adding an additional hurdle for unauthorized access. Two-factor authentication significantly enhances security by requiring users to present both elements, mitigating the risks associated with password breaches and making it harder for malicious actors to gain unauthorized access to personal or sensitive data. As a result, passwords found on the dark web can no longer be used on their own to access the account.
Why do we need an extra layer of security for user authentication?
Cybercrime continually evolves and becomes more sophisticated, and so do the consequences of cyberattacks. A recent report found that “the cost of data breaches to businesses has seen steady increases, as changes in the workplace and more advanced penetration methods embolden cybercriminals. In 2022, data breaches cost businesses an average of USD 4.35 million – up from USD 4.24 million in 2021.”
Therefore, the methods aimed at preventing cybercriminals from stealing and/or compromising money and data also need to evolve. Once upon a time, a simple password was sufficient to effectively secure an online account. This is no longer the case. You will have noticed that even accounts using only single-factor authentication (SFA) require passwords to contain a minimum number of letters, numbers, and special characters. And if they don’t even do that, steer clear!
Users are often advised to use password managers, which can generate and store complex passwords for them. While such tools are convenient, they still rely on SFA, with all its flaws, in their login mechanisms. Moreover, password managers become honeypots for hackers, and have been breached multiple times in the past.
As passwords are now so much easier for cybercriminals to obtain, it makes sense to require a second way to check that the person presenting the password really is who they claim to be. 2FA effectively requires a second, randomly generated password, a one-time password (OTP), to strengthen the security of an account.
How does 2FA work?
Two-factor authentication uses a combination of two identifiers. The first factor can be a password, a PIN, or a biometric such as the fingerprint reader on your mobile device. The second factor is a password that is valid for a limited period of time and can only be used once (hence OTP, or One-Time Password). This OTP is derived from a unique secret, linked to the user, combined with a dynamic element such as the current time (TOTP) or a (hashed) counter value (HOTP). Both the server and the client hold this secret and use the same algorithm to generate the number that is entered in the OTP field. (Because both sides share the same secret, this method is referred to as symmetric encryption.) If the number generated by the server matches the one entered by the user, access is granted. There are various ways the second factor can be delivered to the end user, some more secure than others.
What factors can be used for 2FA?
- SMS or e-mail OTP: Using your mobile phone as a second factor has some advantages, such as increased portability and mobility. Mobile devices are highly portable and are carried by users almost everywhere they go. This portability makes them a convenient platform for implementing 2FA. Users can access their accounts and complete the authentication process from virtually any location, adding an extra layer of security even when using untrusted networks or devices. The first factor can be the PIN of the phone itself, although this is not advisable since the service cannot control whether the user uses a PIN on their phone, and sometimes the SMS can be read from the lock screen. The second factor (the One-Time Password) is generated by the server and then sent to the user’s phone number or e-mail address. The code must then be entered manually by the user. This method is becoming less popular because these carriers (SMS or e-mail) are relatively easy to compromise through SIM swapping or interception of the unencrypted messages, and delays in delivery hamper the user experience. For SMS, the cost of constantly sending messages is also totally unpredictable.
- Voice OTPs and phone call-backs: these are automated phone call-backs. A user will receive an automated phone call when they attempt to log in. This will either ask them to approve or deny the login attempt or give them a one-time passcode to enter. The problems with this method are similar to those of SMS OTP, and with social engineering on the rise these methods open additional possibilities for hackers.
- Authenticator apps/software tokens: users can download and use dedicated authenticator apps for login approval requests. The user then needs to link the authenticator app with the application (usually by scanning a QR code), which results in a unique secret being created and shared between the user and the server. It has all the advantages of SMS OTP, but the OTP is generated on the client side, so it is more reliable than SMS. The app itself can be protected by a PIN or by the device biometrics, making it more convenient to obtain the OTP. This method is becoming increasingly popular due to the low cost for application providers (compared to SMS OTP), but it is sometimes annoying for users to find the correct service within the authenticator app, especially when multiple accounts are protected. Transfer and recovery can also be cumbersome, since it is best not to store the secrets on another platform. Hackers exploit this weakness: malicious authenticator apps are on the rise, trying to lure users into handing over credentials and the secret codes needed to generate the OTPs. Due to the symmetric encryption, these secrets can easily be copied and used without the user even being aware.
- Hardware tokens: these include things like key fobs or USB devices that generate OTPs. This is a more secure way to generate OTPs, since the secret on the client side is within a hardened security element. Unfortunately, the tokens can obviously get lost, forgotten, broken, run out of batteries, and so on. They can be frustrating for the user to use and expensive for a company to produce and replace.
Implementing 2FA for extra security
Two-factor authentication can be used in combinations that suit the situation, company, user, and so on. What might be the best option for one system might not work well for another, so 2FA implementation should be approached on a case-by-case basis. Some companies prefer to provide their own authenticator apps; others might be better served with a third-party solution.
User experience must be considered: too long-winded or complicated options will cause frustration and alienate users. No one wants overburdened employees or potential customers abandoning login attempts in favor of competitors with more customer-friendly processes.
On the other hand, a robust security system that is relatively simple to navigate will reassure users that their data is in safe hands and help create greater brand or company loyalty.
Two-factor authentication helps users take more control over their account security
Hackers typically go for the low-hanging fruit. Adding a second factor, which changes dynamically, requires costlier hacking techniques, so accounts that have it are less prone to attacks. However, if the value of the target increases (e.g., if the user works for an interesting company, the service has monetary value, or the victim is wealthy enough for extortion through ransomware or blackmail to be worthwhile), hackers will put additional effort into their attempts by relying on phishing or social engineering. In this case, they will try to lure the target into giving them the OTP that the second factor generates. Typically they have the victim enter this One-Time Password on a fake website, or read it out to a fake help desk agent, so the hacker can use it on the actual website.
To avoid this, advanced techniques have been developed, resulting in Multifactor Authentication (MFA).
2FA is good, but MFA is better
While 2FA is already a good step forward in securing users who want to access applications or data, it is not yet a failsafe solution. At TrustBuilder, we recommend using multifactor authentication (MFA) (also called Secure Customer Authentication, or SCA, in consumer scenarios) for the following reasons:
- Enhanced security: MFA adds additional layers of security compared to 2FA. While 2FA relies on two factors (usually a password and a verification code), MFA can incorporate additional factors such as:
  - behavior (where you usually log in from, how you type, how you hold your device, and so on)
  - device binding with asymmetric keys (ensuring that the secret is linked to a certain device and can only be used on that specific device)
  - out-of-band encrypted communication
  - challenge/response with QR codes, which add an additional element to the secret used to generate the OTP, so that from the OTP the server can tell that the original request originated from this server
  - Continuous Adaptive Trust (CAT), which continuously assesses the risk of a session being hijacked and adaptively re-evaluates the connection
  This multi-layered approach makes it significantly more difficult for unauthorized individuals to gain access to an account or system, as they would need to bypass multiple security measures.
- Push notifications: a login attempt leads to an automated message, for example to alert the account holder. This can be set up for every login attempt or only when unusual activity is detected. It may or may not require the user to do something. It can carry additional information about the transaction, so the user is informed of what they are approving and from which device. This method (What You See Is What You Sign, or WYSIWYS) makes the user aware of the process and is a good countermeasure against Man-in-the-Middle (MITM) or Man-in-the-Browser (MITB) attacks, where hackers use social engineering, phishing, and DNS relay attacks to try to convince the user that they are on the actual website instead of a fake one.
- Greater resilience to attacks: MFA mitigates the risks associated with various types of attacks, including phishing, keylogging, and credential stuffing. Even if an attacker manages to obtain a user’s password through one of these methods, they would still be unable to gain access without the additional factor required by MFA. This makes it considerably more challenging for attackers to compromise accounts or systems.
- User convenience: Once the initial setup is complete, the additional factors used in MFA are automated or seamlessly integrated into the authentication process. A good MFA solution will automatically assess the risks in a connection, and limit the number of interactions the user needs to do. This reduces the burden of constantly entering verification codes, making the overall user experience smoother and more efficient.
- Regulatory compliance: MFA is often a requirement for compliance with various industry regulations and data protection standards. Organizations handling sensitive data, such as financial institutions or healthcare providers, are typically required to implement strong security measures. MFA provides a robust mechanism for meeting these compliance requirements and helps safeguard sensitive information from unauthorized access.
- Future-proofing security: As technology advances, new vulnerabilities and attack vectors emerge. MFA offers better future-proofing capabilities compared to 2FA. The ability to incorporate multiple authentication factors allows organizations to adapt to evolving threats and employ more secure authentication methods as they become available. This ensures that security measures remain effective and up to date, even as the threat landscape continues to evolve.
These reasons collectively highlight the advantages of MFA over 2FA, emphasizing its stronger security, resilience to attacks, user convenience, regulatory compliance, and ability to adapt to future security needs.
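The challenge/response and WYSIWYS ideas from the list above, as an added example that is not part of the original article or of TrustBuilder’s software: the server issues a single-use challenge (the nonce that would travel in the QR code or push message) together with the transaction details, the authenticator displays those details and computes a response over the nonce and exactly what it displayed, and the server accepts the response only for that challenge. A code phished for one transaction therefore does not verify for another, and a consumed challenge cannot be replayed. The secret, the IBAN placeholders and the amounts are constructed sample values; the HMAC-SHA256 construction is an assumption chosen for the demo, not the article’s protocol.

```python
import hashlib
import hmac
import json
import secrets


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so that client and server hash identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def response_code(secret: bytes, nonce: bytes, tx: dict, digits: int = 6) -> str:
    """OTP bound to the server's nonce AND the transaction shown to the user."""
    mac = hmac.new(secret, nonce + canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


class Server:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # challenge id -> (nonce, transaction); each entry is single use

    def issue_challenge(self, tx: dict):
        """Create the challenge that would be encoded in the QR code / push message."""
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[challenge_id] = (nonce, tx)
        return challenge_id, nonce

    def verify(self, challenge_id: str, submitted: str) -> bool:
        entry = self.pending.pop(challenge_id, None)  # consumed whether or not it matches
        if entry is None:
            return False
        nonce, tx = entry
        return hmac.compare_digest(response_code(self.secret, nonce, tx), submitted)


class Authenticator:
    """The user's device: shows the transaction from the challenge and signs exactly that."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def approve(self, nonce: bytes, tx_shown: dict) -> str:
        # In a real app the user reads tx_shown on screen before this is computed (WYSIWYS).
        return response_code(self.secret, nonce, tx_shown)


# Constructed enrolment secret and sample transactions (not real data).
ENROLLED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
TX_USER = {"amount": "250.00", "currency": "EUR", "beneficiary": "IBAN-PLACEHOLDER-A"}
TX_ATTACKER = {"amount": "4900.00", "currency": "EUR", "beneficiary": "IBAN-PLACEHOLDER-B"}


def scenario():
    """Returns (legitimate accepted, replay accepted, transplanted code accepted)."""
    server, device = Server(ENROLLED_SECRET), Authenticator(ENROLLED_SECRET)
    # 1. Legitimate flow: the response matches the challenge it was issued for.
    cid, nonce = server.issue_challenge(TX_USER)
    code = device.approve(nonce, TX_USER)
    legit = server.verify(cid, code)
    # 2. The same code presented again against the already consumed challenge.
    replay = server.verify(cid, code)
    # 3. A code obtained for TX_USER presented for a different transaction/challenge.
    cid2, _ = server.issue_challenge(TX_ATTACKER)
    transplanted = server.verify(cid2, code)
    return legit, replay, transplanted


if __name__ == "__main__":
    print("legit, replay, transplanted =", scenario())
```

Because the authenticator signs what it displays, a browser-side substitution of the beneficiary produces a challenge whose details the user sees and can refuse, which is the MITB countermeasure the push-notification bullet describes.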
Why use TrustBuilder’s MFA solution
When comparing 2FA to MFA, it is clear that MFA trumps 2FA. But within the field of multifactor authentication solutions, there are many differences between the available solutions. Among the many providers in the market, TrustBuilder’s MFA solution emerges as a standout choice for organizations aiming to fortify their security posture. Here are some of the reasons why TrustBuilder’s MFA solution is the best option for organizations to protect themselves against hackers and cyberattacks.
- Unmatched security: TrustBuilder’s MFA solution offers a highly secure authentication mechanism that goes beyond traditional username-password combinations. By incorporating multiple factors, such as one-time passwords, biometrics, smartcards, and more, it ensures an additional layer of protection. This multifaceted approach significantly reduces the risk of unauthorized access and strengthens the overall security posture of organizations.
- Seamless user experience: While security is paramount, a seamless user experience is also essential for the successful adoption of any security solution. TrustBuilder understands this need and provides an MFA solution that offers convenience without compromising security. With a user-friendly interface and support for various authentication methods, including mobile apps, browser authentication, a desktop app, and third-party authentication methods (Bring Your Own Authenticator, BYOA), TrustBuilder ensures a frictionless authentication experience for end users.
- Scalability and flexibility: TrustBuilder’s MFA solution is designed to meet the evolving needs of organizations of all sizes. Whether it’s a small startup or a multinational corporation, TrustBuilder can scale to accommodate growing user bases and expanding infrastructures. The solution seamlessly integrates with existing systems, including cloud services and legacy applications, making it highly adaptable and compatible.
- Advanced analytics and risk-based authentication: TrustBuilder’s MFA solution incorporates advanced analytics and risk-based authentication, allowing organizations to dynamically adjust authentication requirements based on risk levels. By analyzing contextual factors such as user location, device information, and behavior patterns, TrustBuilder’s solution enables organizations to detect and prevent potential threats proactively, effectively mitigating the risks associated with cyberattacks.
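The risk-based, adaptive evaluation mentioned here and in the Continuous Adaptive Trust and user-convenience points above, as an added example that is not TrustBuilder’s engine or code: a small scoring function over the contextual signals named in the text (known device, country, and travel speed between two logins) that decides whether a login is allowed silently, requires a step-up factor, or is denied. The thresholds, weights, user profile and login events are constructed for the demo.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    ts: int  # unix seconds


@dataclass
class UserProfile:
    """What the server remembers about a user from previous successful logins."""
    known_devices: Set[str] = field(default_factory=set)
    last_country: Optional[str] = None
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: Optional[int] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed threshold: faster than this = impossible travel


def risk_score(event: LoginEvent, profile: UserProfile) -> Tuple[int, List[str]]:
    """Additive score with the reasons that contributed, for audit logging."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if profile.last_country is not None and event.country != profile.last_country:
        score += 30
        reasons.append("new country")
    if profile.last_ts is not None and event.ts > profile.last_ts:
        km = haversine_km(profile.last_lat, profile.last_lon, event.lat, event.lon)
        hours = (event.ts - profile.last_ts) / 3600.0
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append("impossible travel")
    return score, reasons


def decide(score: int) -> str:
    """Assumed policy: low risk passes silently, medium risk asks for a step-up, high risk is denied."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "deny"


def evaluate(event: LoginEvent, profile: UserProfile) -> Tuple[str, List[str]]:
    score, reasons = risk_score(event, profile)
    return decide(score), reasons


def record_success(profile: UserProfile, event: LoginEvent) -> None:
    """Update the profile only after the login (including any step-up) succeeded."""
    profile.known_devices.add(event.device_id)
    profile.last_country = event.country
    profile.last_lat, profile.last_lon, profile.last_ts = event.lat, event.lon, event.ts


if __name__ == "__main__":
    # Constructed sample: user last seen in Brussels on a known device.
    alice = UserProfile(known_devices={"dev-1"}, last_country="BE",
                        last_lat=50.85, last_lon=4.35, last_ts=1_700_000_000)
    for ev in (
        LoginEvent("alice", "dev-1", "BE", 50.85, 4.35, 1_700_003_600),    # same device, one hour later
        LoginEvent("alice", "dev-2", "BE", 50.85, 4.35, 1_700_003_600),    # new device, same place
        LoginEvent("alice", "dev-1", "US", 40.71, -74.01, 1_700_001_800),  # New York, 30 minutes later
    ):
        print(ev.device_id, ev.country, evaluate(ev, alice))
```

The point of returning the reasons alongside the decision is detection: the same signals that trigger a step-up should land in the audit log so that a spike in "impossible travel" or "unknown device" events across many users is visible to the security team.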
Keeping your organization on the right side of security is the task of anyone involved in preventing cyberattacks. TrustBuilder’s MFA solution is a good way of setting up fences that keep cybercriminals out.