Security in an Insecure World

Using Mobile Messaging for Two-Factor Authentication

Proving identity to access services is becoming increasingly necessary in today’s online world. High-profile hackings of social media and other websites are regularly reported and most of us have a wealth of personal information readily available to identity thieves – cards in our wallet, mail, public records, information saved in our computers and information posted on social networking sites.

Identity theft is becoming increasingly common with one in five Australians reporting having had their identities stolen or had their personal or financial data illegally accessed.

The Australian Debt Study, by Veda in 2012, showed that Australians aged 35 – 49 are the most likely group to fall victim to identity fraud while 18 – 24 year olds are the least likely to report illegal access to their personal or financial data and that almost one in three Australians suffered some form of credit crime.

The Australian Federal Police estimate the cost of identity theft to be $1.6 billion a year. Identity theft and unauthorised access to services carries significant risks and costs for businesses and can result in damage to reputation and brand. It can also be traumatic and costly for customers
causing customers to move to competitive service providers.

Two-factor authentication helps to mitigate the risks of identity fraud and unauthorised access by providing a means of identifying users by a combination of two different factors.

These factors may be:

  1. Something the user knows, such as password or PIN
  2. Something the user possesses, such as a bank card or token device
  3. Something that is inseparable from the user, such as their fingerprint, or iris recognition

An SMS PIN sent to a user’s mobile device serves as an ideal authentication method for “something that the user possesses”, coupled with “something that the user knows”, like a user name.

An SMS PIN can be randomly generated or retrieved from a client system, or uploaded from a stored database. SMS PINs can be set expire after a specific validity period, a specific user session or after a maximum number of uses.

SMS PINs can be automatically re-issued upon expiry or maximum usage ensuring a passcode is always available.

Advantages of using SMS for Two Factor Authentication

  • No cost of issuing or managing a separate token device to users
  • No cost or risk of sending PINs via Postal Mail
  • SMS uses an existing device that users always carry
  • SMS is a low cost delivery mechanism
  • SMS is compatible with any mobile phone and deliverable globally
  • SMS is simple to use for users
  • On-demand PINs can be issued instantly
  • Usage of PINs can be tracked online
  • PINs can be managed and controlled centrally for improved security and visibility
  • Dynamically generated one time passcodes (OPT) are safer to use than static log-ins
  • Passcodes that have been used can be expired and automatically replaced in order to ensure that a valid code is always available
  • The option to specify a maximum permitted number of incorrect entries reduces the risk of entry by unauthorised persons

Disadvantages of using SMS for Two Factor Authentication

    • The mobile phone must be carried by the user at all times to access services
    • If the mobile phone is unavailable, no coverage, no battery, users cannot access services
    • If the mobile phone is stolen or lost, access is impossible and security may be compromised.
    • Mobile carriers cannot guarantee SMS delivery.

Two-factor authentication using SMS PINs is being used increasingly by many companies and brands with Twitter, Google and Facebook all launching SMS PIN verification in recent months to combat the hacking of user accounts and information.

Uses of 2FA

  • Every time a confirmation of identity is needed
  • Increase security for access to buildings via PIN entry
  • Verify access to enterprise systems, especially when users access systems remotely.
  • Protect access to data, particularly on web based and online systems
  • Enhance security for users of online and mobile banking applications
  • Authenticate transactions on any e-commerce sites from financial trades to simple mail order purchases
  • Authenticate transactions for micro-payments, money transfers online and on mobile devices
  • Implement application log-ins, software activation codes and e-signatures via SMS.
  • Add security for remote access from locations that are not recognised
  • Perform mobile subscriber identity verification.

Business Benefits

  • Reduce the number of calls to your contact centre
  • Improve customer satisfaction and confidence
  • Reduce the cost of fraudulent transactions
  • Decrease business risk

How it Works

how it works

Oxygen8’s Pin Manager can deliver all of your requirements for SMS based two factor authentication.

Combine SMS PINs with Oxygen8’s Lookup Services to enhance anti-fraud procedures by performing identity verifications on the mobile number.

Oxygen8 Australia