A Primer on Two-Factor Authentication

The gist of it is this: If you have to use something besides just a user-name and password to get into an account, you’re most likely using two-factor authentication to get into it. Most often you’ll see this happen when you log into a banking app or use an app like Uber for the first time. It usually comes in the form of an SMS confirmation to make sure that you’re the owner of the phone number that was registered with the account. Some banks will give you a digital token generator (much like Google’s Authenticator app) that generates a series of numbers every minute or so that you must use to log into your account. Other applications use a clever automatic detection system that calls your phone number and picks up when the call enters to tell that you own your phone. In some instances, two-factor authentication could even involve biometrics, like a fingerprint or your face. Some of these methods are used in lieu of a password for doing certain things like unlocking your phone. All of these methods were invented to accurately prove that you are you.

The Fly in the Ointment

The biggest flaw of modern-day authentication methods is that they do not take into account the fact that human beings are using them. We always find new and creative ways of misusing our data, and no security measure that exists today can really compensate for that. In many cases we fall for social engineering schemes that get us to give away crucial information to people attempting to access our accounts. There’s also the risk of theft. If someone steals your phone, they now have a way to receive confirmation SMS messages. If someone steals your token, they can authenticate your bank account. Fingerprints? They are also vulnerable. So is facial recognition.

A New Frontier with Its Own Caveats

In the autumn of 2017 a group of mobile carriers in the United States announced that they will release a new form of authentication that should address all the flaws listed above. While this all might sound hunky dory, there aren’t a whole lot of details on exactly how this new authentication method would work. The group, known as the Mobile Authentication Taskforce, said that their new method would “reduce mobile identity risks by analyzing data and activity patterns on a mobile network to predict, with a high degree of certainty, whether the user is who they say they are.” This sounds a bit like they would track movements and data patterns from mobile users and use that to create a “fingerprint” of their identity. If there’s too much of a deviation from this pattern (e.g. your phone is suddenly in London and doesn’t log into the websites you typically log into), then it would be safe to presume the identity of the user has been compromised. While this might sound exciting to some, it certainly causes concern in others who are concerned about privacy and their ability to have control over their data. Many folks might not be comfortable with their mobile carriers tracking their every movement and all of the data that they send over the Web. And what if a government wants to subpoena records of this data? What side are you on? Do you believe that the MAT’s new authentication method is a step forward in stopping hackers, or are the privacy concerns enough to turn you off to the idea? Tell us what you think in a comment!