Friday, December 13, 2024

The U.S. Payments Forum Looks to Multi-Factor Authentication to Fight Phishing

As criminals’ knowledge of how to beat multi-factor authentication through phishing schemes increases, the need for payment providers to implement phishing-resistant solutions continues to grow.

Phishing attacks are a form of social engineering in which cybercriminals deceive consumers into revealing personal and account information. The attack can also involve installing data-gathering malware on a consumer’s device through a malicious email that appears to come from a trusted source and that the consumer opens.

Phishing-resistant multi-factor authentication solutions that payment providers can implement include FIDO2 specifications utilizing device-bound keys, eliminating the need for passwords, public key infrastructure-based authentication, and advanced behavioral analytics, according to a white paper released by the U.S. Payments Forum.

The FIDO2 standard, created by the Fast Identity Online Alliance, uses standard public key cryptography, which matches a private key stored on a user’s device with a public key stored on a service provider’s application or Web site. The public key is created when the user registers his device with the service provider application or Web site. The standard thwarts criminals by making these keys usable only by the consumer.
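The registration and login flow described above depends on the service provider checking that a signed login response was produced for its own site and for the current login attempt. The following is an added example, not code from the white paper or the FIDO Alliance, and it goes beyond the article's summary by following the W3C WebAuthn assertion layout to show the origin, challenge and relying-party ID checks that precede signature verification. The relying-party ID `pay.example`, both origins and all sample data are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "pay.example"                    # assumed relying-party ID (constructed)
EXPECTED_ORIGIN = "https://pay.example"  # assumed genuine origin (constructed)

def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json, authenticator_data, issued_challenge):
    """Return the names of failed checks; an empty list means every binding holds."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge must be the one this server issued for this login attempt.
    got = str(client_data.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(issued_challenge).encode()):
        failures.append("challenge")
    # The browser, not the page, records the origin that requested the signature.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) ...
    if len(authenticator_data) < 37:
        return failures + ["authenticator_data_length"]
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        failures.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # bit 0: user present
        failures.append("user_present")
    return failures

def build_sample(origin, rp_id, challenge):
    """Constructed sample of what a browser and authenticator report for a site."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (7).to_bytes(4, "big")
    return client_data, auth_data

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    genuine = build_sample(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = build_sample("https://pay-example.test", "pay-example.test", challenge)
    print("genuine:  ", check_assertion_binding(*genuine, challenge))
    print("lookalike:", check_assertion_binding(*lookalike, challenge))
```

A production relying party would run these checks and then verify the signature over the authenticator data and the SHA-256 hash of the client data with the public key stored at registration.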

“FIDO2 eliminates the need for a password and replaces it with the FIDO2 login standard,” the white paper says. “Combining this with the seamless user experience of a biometric or PIN creates both a low friction and highly secure phishing-resistant solution.”

Public key infrastructure hardens multi-factor authentication by leveraging a second factor, such as a time-based token, push notification, or one-time password to verify the identity of the user. Users who authenticate with the device or hardware token can log in without a password.

Advanced behavioral analytics provides an additional layer of passive authentication resistant to spoofing, which occurs when cybercriminals contact a consumer and portray themselves as a trusted source. Advanced behavioral analytics examines network data, device, location, and behavioral intelligence, as well as behavioral biometric signals, to build up digital signatures for a user. The digital signatures are used to compare recent transactions with past behavior and can be layered with other authentication technologies to improve risk assessment.

Given that criminals are finding ways to beat multi-factor authentication through phishing attacks, implementing such countermeasures as the FIDO2 standard and eliminating passwords can significantly strengthen multi-factor authentication, the white paper concludes.


Digital Transactions