True Multi-Factor Authentication

Multi-factor authentication has become commonplace on high-security websites, and it is certainly a much better solution than a username and password alone. But in certain scenarios, MFA is not really MFA. First, let's look at the current state of the MFA options available.

1) SMS / e-mail / authenticator-based code or link.

2) Hardware tokens such as a YubiKey.


If I lose the mobile phone that holds my SIM card, e-mail application and authenticator app, MFA option 1 fails. But at least the attacker could not compromise my accounts until I lost the phone, unless the attacker was shadowing me in the vicinity.

The same applies to hardware tokens.


Here are some suggested alternate scenarios or possible future enhancements for the tech industry:

1) Voice-based speaker recognition.

2) Facial recognition, as used by Windows Hello and mobile phone unlock.


Combining the above factors with traditional MFA can help significantly. For example, an automated voice call is placed to the user's mobile number, and a voice bot asks the user to utter a sequence of random words on the phone. Speaker-recognition software then accepts or rejects the user.


Let me put this concept into a clearer perspective.

User-A logs into the banking website https://www.securebank.com and enters the correct username and password. The next web page displays a random, unique combination of letters and numbers, for example "A1B5C8". If multiple mobile numbers are registered, the user picks the number on which to receive the phone call. The user then receives a call in which an automated bot states that the call is for verifying the login with display code "A One B Five C Eight". If the user agrees to proceed, the bot asks the user to say some random words, such as "Wednesday Sunny Bright Apple January", and the user repeats them. If the bot recognizes both the words and the user's voice, the login proceeds.

In the above scenario, text-to-speech and speaker-identification technologies are used. A lost mobile phone or hardware token would no longer be a problem. Similar technologies can be used for other purposes. With SMS OTP playing such an important role in day-to-day life, losing a mobile phone can disrupt our lives and cause severe security problems for important accounts.
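The challenge-response flow above, as an added Python sketch that is not from the post: the display code binds the phone call to the pending web session, the random phrase is single-use and time-limited so a recorded voice cannot be replayed, and the speaker-recognition engine is assumed to be an external component that returns a similarity score against the user's enrolled voiceprint. The wordlist, TTL and threshold are constructed values.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed demo values; a real deployment would use a far larger wordlist.
WORDLIST = ["wednesday", "sunny", "bright", "apple", "january",
            "river", "copper", "violin", "harbor", "meadow"]
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789"
DIGIT_WORDS = {"0": "Zero", "1": "One", "2": "Two", "3": "Three", "4": "Four",
               "5": "Five", "6": "Six", "7": "Seven", "8": "Eight", "9": "Nine"}
CHALLENGE_TTL_SECONDS = 90   # assumed: the call must complete within this window
SPEAKER_THRESHOLD = 0.8      # assumed: minimum score from the speaker-recognition engine

@dataclass
class VoiceChallenge:
    session_id: str    # ties the call to the pending web login
    display_code: str  # shown on the web page and read out by the bot
    words: list        # random phrase the user must repeat; single use
    created: float
    used: bool = False

def new_challenge(session_id, n_words=5, now=None):
    """Create the on-screen code and a fresh random phrase for this login."""
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
    words = secrets.SystemRandom().sample(WORDLIST, n_words)
    return VoiceChallenge(session_id, code, words, now if now is not None else time.time())

def spoken_code(code):
    """Render 'A1B5C8' as 'A One B Five C Eight' for the voice bot to read out."""
    return " ".join(DIGIT_WORDS.get(ch, ch) for ch in code)

def verify(challenge, transcript, speaker_score, now=None):
    """Decide the login. `transcript` is the speech-to-text output of the call;
    `speaker_score` is the similarity the (assumed) speaker-recognition engine
    reports between the call audio and the user's enrolled voiceprint."""
    now = now if now is not None else time.time()
    if challenge.used:
        return False, "challenge already used"      # replayed recording or second attempt
    if now - challenge.created > CHALLENGE_TTL_SECONDS:
        return False, "challenge expired"
    challenge.used = True                           # burn it before evaluating, even on failure
    spoken = transcript.lower().split()
    if spoken != challenge.words:                   # order matters; partial matches fail
        return False, "words do not match"
    if speaker_score < SPEAKER_THRESHOLD:
        return False, "speaker not recognized"
    return True, "ok"
```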


*: I am thinking of implementing some demo, maybe not exactly what was mentioned above but something close enough. I will be working on this on and off. If anyone is interested in working on this demo project or willing to participate anonymously, please let me know by sending an email to kantikalyan AT gmail DOT com mentioning "True MFA" in the subject. I will create an email filter and respond when appropriate. Or even if you further brainstorm some ideas, you are welcome to contact me.
