Biometrics can help solving 2FA flaws

Two-step authentication or two-step verification (2FA) has become the identity verification system of choice for many organizations. However, it is a method that creates friction with the end-user, needs a learning curve and rises security concerns. Biometrics can help solve these issues.

Nowadays, a most widely used identity verification system is the is two-factor authentication or two-factor verification (2FA), which uses one-time access codes (OTP) sent by SMS (short message service) to authenticate banking and ecommerce transactions.

It may be perceived as an easy and quick method of authentication, but this is not entirely true. Besides, as it relays on SMSs to deliver OTPs, is not as secure as it should be expected.

These are some of the reasons that more and more companies are adopting biometric authentication as a second authentication factor to validate transactions and all kinds of operations.

Let’s see why, and how a biometric solution can help in solving these issues.  

UX FRICTION

The two-factor authentication is a system through which, when the user logs in, the system requests a second verification factor, usually through an SMS or an email, to confirm that the user is truly the person who is accessing the account or service.

Generally, this procedure creates friction with the user and is very time consuming, because it requires the user to exit the app to get the code sent via SMS, or via email.

On the other hand, as there is no standardized procedure, each company implements 2FA in different ways. Users thus must learn different methods of authenticating their identity for different platforms.

This can be very unfriendly for some users, especially those not proficient in digital environments.

SMSs ARE VULNERABLE

First, SMSs were not designed as security tools:

  • Hackers can buy users’ identity data on the dark web and intercept OPT’s sent by SMS.
  • They can also use malware bots to get access to users’ devices and steal their information, catch OTPs and authentication codes.
  • SIMs can be swapped. Portability frauds, where hackers impersonate a customer and requests to port the customer’s phone number to a new device they control are amongst the most popular.

Some 2FA applications use biometrics as one of the identification credentials of their authentication system. For example, in some banking apps the user accesses the service with a password, and then associates a biometric pattern with that password, such as his fingerprint or his face, which is stored in the smartphone.

The biometrics in these cases will be activating the stored password to access the service. But the password can be hacked, and it is possible to associate it to a different biometric pattern on a device other than the user’s.

Some 2FA applications use biometrics as one of the identification credentials of their authentication system.
Some 2FA applications use biometrics as one of the identification credentials of their authentication system.

DEVICES CAN BE COMPROMISED

In addition to SMSs vulnerabilities, devices can also be a weak link in the identity authentication process.

The Verizon Mobile Security Index (MSI) 2022 Report reveals that 45%  of the companies surveyed suffered a security compromise involving a mobile device in 2022,  leading to the loss of data, system downtime or other negative outcomes.

Technical attacks include malware and Trojans that use some of the smartphone’s OS accessibility features, such as “enable unknown sources” or “developer options” to gain remote access to the device, increase user privileges, and install malware on targeted systems.

Identity frauds related to devices also include:

  • Call Forwarding: The hacker poses as a customer claiming that his/her device has been stolen or broken, and requests that all calls and messages be redirected to a different number.
  • Whaling Phishing: The cyber-delinquent poses as a fraud team representative and asks his victim to confirm a fraudulent transaction. The hacker tells the victim that a security code will be sent via SMS to complete the process, and then launches a password reset that generates an OTP sent via SMS that the victim communicates to the scammer.
  • Malware: Using phishing or social engineering hackers convince a victim to download malware, such as FluBot, TeaBot, or ShakBot, onto their device. This malware gives the hacker access to the victim’s personal information, allowing them to intercept SMS messages.

A BIOMETRIC SOLUTION THAT SOLVES 2FA FLAWS

B-FY is a biometric two-factor authentication solution in a single step, making use of the most secure combination of elements that exists: something the person has (the smartphone) and something the person is (their biometrics). It is also an omnichannel solution that for the first time it unifies physical identification with telematic identification. It’s very simple to use and frictionless.

As our main concern is protecting people and their identity, B-FY’s system does not require passwords that could be hacked or stolen and does not store any of the user’s biometric patterns.

When a company hires our services, our code (currently QR) must be integrated into each of the services where the system is to be put into operation. On the other hand, the company must integrate the B-FY library into its mobile app (employee app, customer service app, or both), turning its app into the access key to all the company’s services.

Once this is done, the people to be identified carry out a simple registration process and become part of this new identification service.

In this process, the person is only asked for their email and phone number, and with that B-FY sends confirmation messages to email and mobile.

From there, every time a person wants to access the company’s services, they simply must read the dynamic B-FY code that appears in the service they want to access with the company’s app, and thus identify themselves biometrically with their phone. If the biometric identification is not successful, access will be denied.

Do you want to know more? Request a free demo here.

Manuel Losada

Manuel Losada es Director Product Management de B-FY.