Web Authentication

Top Six Hurdles in Implementing Phone-based MFA

December, 16, 20216 min Read

Multi-factor authentication, popularly known as MFA, is considered a superior authentication protocol for enhanced account security. However, there are practical challenges that prevent its widespread uptake

MFA is an authentication technique that is used as an additional layer of security for enhanced user account protection. It goes beyond the first-degree of authentication - typically a username and password - that most consumer-driven businesses have.

MFADepending on the industry and the applicable regulatory or compliance needs, MFA can be used in several variants such as:

  • Simple OTP (one-time password) to verify that the user possesses the phone number or email address shared for verification.
  • A passive check based on intelligence collected around a PII.
  • An instant video verification.

In recent years, more and more organizations are moving towards a combination of active and passive MFA. This allows them to passively identify the associated risk based on an anchor, generally a phone number, and then actively challenge the user via an OTP to determine possession. This technique is becoming popular as it serves businesses well and allows them to play into the passwordless strategy that the world is moving towards.

Benefits of phone-based MFA:

Phone-based signals often correlate strongly with fraudulent intent. As a result, they are extensively used for authentication purposes. Some of the signals that are typically used to ascertain intent for account takeover, new fake account creation, and similar attacks include:

  • SIM swap
  • Porting history
  • Deactivation event

Additionally, data from telecom carriers collected at the point of registration such as Name, address, etc are used to fulfill strong authentication requirements (SCA).

Flaws in phone-based MFA:

Despite its strength in authentication, MFA implementation faces a number of hurdles as outlined below:

1. Data:

Phone data that correlates with fraudulent intent is not ubiquitous. Given the regionalization of telco carriers, hundreds of partnerships with multiple telco carriers are needed to get access to such data, which can often take years of effort.

Telco carriers are not always sophisticated with their data pipelines. Hence, even with an agreement in place, it may not always be possible to get the information without substantial and years-long efforts from telco carriers to upgrade their systems.

2. Cost:

Given the effort needed by the telco carriers to make the required data available directly from them, the data is almost always expensive. This leads to lower transaction volumes resulting in fragmented understanding of the end user. Since the consumer companies orchestrate calls to these vendors, more often than not these vendors can’t accurately predict the true risk associated with the end-user. This is a loss-loss situation for both carriers, vendors, and consuming companies.

3. Regulation:

It plays a substantial role given the data being dealt with is a PII (personally identifiable information). Some of the laws that limit ubiquitous usage of data are:

  • RTBF - The Right to be Forgotten in GDPR (EU) prohibits any vendor from using an end-user's personal data into the mix to identify fraud.
  • Do Not Sell My Information - This stops a telco carrier from sharing any data, whatsoever, on an individual. Sophisticated fraudsters use this technique to evade identification.
  • Data Regionalization - While this is not as much a burden as the first two, the inability to centrally cross-reference data creates a significant hindrance to identification of fraudulent intent. To top this, several other countries such as India and Australia are moving towards their own data localization laws.

4. Carrier Dependency:

The dependency on carriers both for data and sending OTP has two issues:

  • Data Availability - Companies are at a mercy to the throughput limits set by carriers when it comes to passive checks. Because most carriers depend on legacy systems, the rate is often far lower than the demand. This can result in restricted ability to verify only a portion of the incoming traffic.
  • OTP deliverability - OTPs are delivered via a web of carriers. The deliverability of an OTP (especially mobile) for verification purposes depends on multiple factors:
      • Network issues or delays for each carrier in the process.
      • End-user device issues
      • Current situation of the consumer to be able to enter the OTP

5. Customer Sentiment:

Consumers of several countries, especially in the EU such as Germany, are extremely cautious about using phone numbers for signing up for new digital accounts. This reluctance of consumers can prevent companies from understanding what good user behavior looks like, thereby creating opportunities for fraudsters to hide into the mix.

6. Telco Reluctance:

Although making data available for fraud identification and prevention purposes is a great monetization tactic for telecom carriers, the number of breaches, general consumer sentiment around privacy, and the ever-tightening privacy laws have made more and more telecom companies skeptical about this business. This has also contributed to the data fragmentation issue.

These challenges to implementing phone-based MFA are real, which make it a costly and time-intensive proposition. 

Protect the sanctity of user accounts

The sanctity of users’ digital accounts cannot be compromised. Digital businesses, therefore, need a solution that can help them protect user accounts quickly from evolving attack tactics, without disrupting their digital experience. While phone-based MFA is still a valuable tool in fighting fraud, it is not a silver bullet to solve all problems with user authentication. Rather, it can be complemented with a solution that provides a dynamic, flexible approach.

Arkose Labs leverages its network data to assess the underlying user intent, which eliminates dependence on third parties and speeds up the authentication process. Further, analysis of hundreds of device parameters combined with advanced machine learning models helps identify and stop fraudsters. Based on real-time risk assessment, incoming users are presented with appropriate 3D challenges. Good users may not even see them and proceed with their onward digital journeys, whereas bots and automated scripts fail instantly. Persistent, malicious humans face a non-stop stream of challenges that keep increasing in volume and complexity. This targeted friction wastes the time and effort of the attackers and bankrupts the business model of fraud, forcing attackers to give up and move on.

To learn more about Arkose Labs’ cost-efficient and user-centric approach to fighting fraud, book a demo now.