True Multi-Factor Authentication

True Multi-Factor Authentication


   Multi-Factor Authentication has become very normal these days for high secure websites. Definitely, a much better solution compared to just username and password combinations. But, in certain scenarios, MFA is not really MFA! First, let's look at the current state of the different MFA options available.

1) SMS / E-Mail / Authenticator based code / link.

2) Hardware tokens such as YubiKey!


When I lose my mobile which has my SIM card, EMail application, Authenticator - MFA scenario 1 fails. But at least the attacker was not able to compromise my accounts until I lost my mobile phone or unless the hacker is a shadow in the vicinity.

Similarly with hardware tokens.


Here are some suggested alternate scenarios or possible future enhancements for the tech industry:

1) Voice-based speaker recognition

2) Facial recognition like Windows Hello and Mobile Phone unlock


Now combining the above factors with traditional MFA can significantly help. For example, an automated voice call to the user's mobile number and an automated voice bot asks the user to utter a sequence of random words on the phone. Now, some automated voice recognition software recognizes or denies the user.


Let me put this concept into a clearer perspective.

User-A is logging into the banking website https://www.securebank.com, enters the correct username and password. The next web page shows a random but unique combination of numbers and letters get displayed. For example "A1B5C8". If multiple mobile numbers are registered, the user gets to pick the mobile number on which the user would like to receive the phone call. Now the user receives a phone call, an automated bot mentions that the call is for verifying the login with display code "A One B Five C Eighth" if the user agrees to proceed, the automated bot requests the user to mention some random words like "Wednesday Sunny Bright Apple January". Now the user would repeat these words. If the automated bot recognizes these words and the user's voice, the login would proceed.

In the above scenario, Text to speech and speaker identification technologies are being used. Now, a lost mobile phone or hardware token wouldn't cause problems. Similar technologies can be used for other purposes. Right now with SMS - OTP playing such an important role in day-to-day life, losing a mobile can disrupt our lives and could cause severe security problems for important accounts. 


*: I am thinking of implementing some demo, maybe not exactly what was mentioned above but something close enough. I will be working on this on and off. If anyone is interested in working on this demo project or willing to participate anonymously, please let me know by sending an email to kantikalyan AT gmail DOT com mentioning "True MFA" in the subject. I will create an email filter and respond when appropriate. Or even if you further brain storm some ideas, you are welcome to contact me.



True Multi-Factor Authentication

Comments

Popular posts from this blog

Multi-part Upload to S3 programmatically in .Net using C#

How to install Kaldi-ASR on Ubuntu 18