For years, passwords alone have been insufficient to protect accounts. We now know that multi-factor authentication (MFA) is the recommended mitigation, but even so, not all MFA solutions are created equal.
Forter’s 2019 Fraud Attack Index states that account takeovers have risen by a staggering 45 per cent from 2016 to 2018, which is a direct result of increasing attacks ranging from sophisticated phishing scams to man-in-the-middle (MitM) hacks. Many of today’s MFA solutions are unable to defend against such ploys. In fact, one of the more widespread MFA methods used today, SMS messages, are now subject to a recent and ongoing flood of mobile phone-based hacks called “SIM swapping” or “SIM jacking”.
A SIM swapping attack occurs when an attacker convinces a victim’s mobile phone carrier to port the victim’s mobile phone number to a device the attacker owns. At this point, they can receive phone calls and text messages intended for the victim. The attacker will then use this to gain further access to any account that is protected using the victim’s mobile phone number. This can include anything from an email account to other online accounts ranging from social media to banking and even cryptocurrency.
One of the key factors allowing this to happen so easily is that Australian mobile carriers are required to allow a customer to move their phone number to other carriers easily. For customers who have had phones lost or stolen, or who want to upgrade to a new phone, they offer hassle-free porting of mobile phone numbers to other devices. This provides convenience for the customer but has introduced a serious attack vector.
A new variant of SIM swapping is on the rise. In some of the more recent attacks, we’ve seen perpetrators take control of a person’s mobile phone number — thereby intercepting their text messages and one-time verification codes — to gain access to payment systems, banking accounts, cryptocurrencies and even loyalty programs. Billions of dollars are now being stolen annually due to SIM swapping attacks alone.
Compounding this problem is that many sites offer account recovery using phone or text messages and this enables hackers to gain access to accounts without even stealing passwords. Mobile authentication apps that receive notifications or generate one-time codes are safer but are still susceptible to social engineering and MITM attacks.
How WebAuthn provides secure and strong authentication
The W3C Web Authentication (WebAuthn) open standard provides a safe and easy phishing-resistant login method to protect users from these common account takeovers. This is because it’s based on asymmetric cryptographic standards in which a public-private key pair is generated, in place of a password, and the private key is stored in hardware (either in the secure enclave of a phone (as with biometrics) or in a portable security key).
Phishers can’t harvest the private key as it’s never sent over an internet network, and there are additional security and privacy features that check for other dependencies such as site origin checking and validity. This means that users can’t be accidentally tricked into logging into their accounts on typosquatting domains — you know, the ones that use common misspellings of the site name. WebAuthn-compatible authenticators will only respond to the exact domain that was used to register a credential.
WebAuthn is incredibly easy to use – users just need to plug in a hardware security key and touch it, or otherwise use a biometric sensor that’s built into their PC or phone. A PIN can also be used for additional security.
WebAuthn works in conjunction with the FIDO Client to Authenticator Protocol version 2 (CTAP2) to securely create and retrieve credentials on a security key. The two standards work in tandem, making it easier for web developers as they only need to concern themselves with the WebAuthn specification.
Integrating WebAuthn into a site or mobile app
As the new global standard for best-in-class web authentication, the industry has already made great progress building WebAuthn support into key platforms and browsers. Today, Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, and Brave browsers have WebAuthn support. The Windows 10 and Android platforms have WebAuthn support as well, with iOS underway.
Web services and identity providers such as IBM Security Access Manager (ISAM), Daon, Avatier, Nok Nok S3 Authentication Suite, SingularKey, Okta, OneLogin, Ping Identity, Google G Suite and Microsoft Office 365 using Microsoft Azure Active Directory have already integrated WebAuthn support.
Implementing the basic registration and authentication flows for WebAuthn authentication — either via security key or biometric — is straightforward. However, in order to provide a solution that will be widely adopted and used, it is important to offer support to online services to help them implement WebAuthn and we already offer this through our developer program.
An environment that doesn’t use passwords or SMS for authentication or recovery methods introduces several different user stories that need to be understood. Having a clear plan for account recovery will help to ensure that there is no need to fall back on SMS or password-based solutions.
Transitioning completely off phone numbers might take some time, but the interim risks associated with SMS can be avoided by giving users the option to authenticate with WebAuthn security keys. This should also be supplemented by supporting alternate authentication and recovery flows, encouraging users to opt-out of linking their phone number as part of the authentication or recovery process.
Finding success with WebAuthn
Removing SMS-based authentication and leveraging WebAuthn credentials will considerably improve the user’s online experience while reducing the opportunity for fraud. Given the advancements in and adoption of industry standards, now is the time for online services to implement WebAuthn solutions. Working out the user flows and adoption strategies ahead of time is critical to moving users away from SMS-based MFA solutions successfully.