Making the systems and platforms used by everyday consumers more secure is proving to be quite a difficult task. Several platforms have implemented some form of two-factor authentication, ensuring that knowing somebody’s username and password is not sufficient to gain access. But when all of these platforms and systems start to make their own proprietary two-factor authentication apps for mobile, things seem to get out of hand.
Relying on Standard Two-Factor Authentication Providers
Whenever you ask a random person what type of two-factor authentication they use for certain services, there are two likely answers. Either they use SMS verification, which is the most common form of “verifying” somebody’s identity, or they use Google Authenticator. The latter is of special concern, even though it is a commonly used solution and there are no inherent bugs or issues to be found in it. Just because Google Authenticator and SMS two-factor authentication are commonly used tools doesn’t make them the most secure solutions either. Granted, for the everyday consumer, these are two of the most user-friendly forms of authentication they have access to. However, both of these authentication tools rely on a third-party provider, which may not be the best course of action.
With mobile software threats on the rise and malware able to log all types of conversations and data on infected devices, SMS verification may very well be one of the worst solutions available to date. Malware on a mobile device can “hide” itself in the background, collecting data while the user thinks the SMS simply didn’t come through.
Or, in the worst-case scenario, someone with remote access to the mobile device reads the SMS code at the moment they request access to the platform using the consumer’s credentials. Erasing all traces of that SMS having been received isn’t impossible either, once somebody is remotely connected to a malware-infected device.
Google Authenticator does not directly suffer from malware on mobile devices, yet it is not free of potential security risks. Commonly used security solutions become major targets for hackers, who would like nothing more than to find a bug or backdoor in Google Authenticator. Even though this has not happened just yet, it is not unthinkable for it to happen in the future.
With all of the above being said, more companies are starting to develop and roll out their own proprietary two-factor authentication solutions. For example, local governments can issue “citizen tokens,” a list of randomly generated codes, one of which needs to be entered every time you log in on a government-run platform.
In The Netherlands, another proprietary two-factor authentication app has been announced, with the sole purpose of making government-related platforms more secure. This application, called the DigiD App, will be available in the second half of 2016, and acts in similar fashion to Google Authenticator. Random two-factor authentication codes will be generated within the application itself, and will replace the SMS verification option for those who prefer it. Doing so seems to serve a second purpose as well, as the Dutch government acknowledges SMS two-factor authentication is a costly measure.
As of press time, the only alternative for Dutch residents is to use SMS verification, yet not every citizen is keen on giving their mobile phone numbers to the government.
Decentralized Two-Factor Authentication a Solution?
Having multiple options for two-factor authentication is never a bad thing, but if newly created apps can only be used within certain ecosystems, it raises the question of whether an alternative solution might be preferable. A blockchain-based solution, for example, could be integrated into any platform in the world, and remain a properly decentralized and secure form of verification.
Such a decentralized solution would work by issuing a digital token over the Bitcoin blockchain, which contains personal information of the consumer. Upon presenting this token, by using it to digitally sign the login process for example, the user is then authenticated to access the platform. Because every token would only be deemed valid through its private key, which only the user holds, no one else can access the platform through that user’s credentials.
Companies such as BitID are working on a project that lets users sign up to any service using their unique Bitcoin wallet addresses and private keys. Such a platform could easily be adapted to serve as a two-factor authentication protocol on top of the Bitcoin blockchain. Overall, the process would still be very user-friendly, offer more security and privacy, and be more cost-effective.
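The signed-login idea sketched above, as an added illustration that is not code from BitID or any project the article names: the server issues a random, domain-bound challenge, the user's device signs it with a private key that never leaves the device, and the server checks the signature against the public key registered for that user. It assumes an in-memory server, uses P-256 in place of Bitcoin's secp256k1 curve (which Go's standard library does not ship), and the names Challenge, SignChallenge and Verify are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server-side state: each user's registered public key, and challenges issued but
// not yet consumed (a production service would also expire these after a minute or so).
var registered = map[string]*ecdsa.PublicKey{}
var pending = map[string]bool{}

// NewUserKey makes the keypair on the user's device; only the public half is ever
// registered with the server. P-256 stands in for Bitcoin's secp256k1 (not in Go's stdlib).
func NewUserKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Challenge issues a random nonce bound to the service's domain, so a signature
// collected by a look-alike site cannot be replayed against the real one.
func Challenge(domain string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	c := fmt.Sprintf("login:%s:%x", domain, nonce)
	pending[c] = true
	return c, nil
}

// SignChallenge is the client side: sign the challenge hash with the private key.
func SignChallenge(priv *ecdsa.PrivateKey, challenge string) ([]byte, error) {
	h := sha256.Sum256([]byte(challenge))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify accepts a login only for an outstanding challenge signed by the user's registered
// key. The challenge is consumed on first use, pass or fail, so a captured signature cannot be replayed.
func Verify(user, challenge string, sig []byte) error {
	if !pending[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(pending, challenge)
	h := sha256.Sum256([]byte(challenge))
	if pub := registered[user]; pub == nil || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match the key registered for this user")
	}
	return nil
}
```

A user enrols by storing their public key in `registered`; after that, one fresh challenge is needed per login and a replayed or foreign signature is rejected.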
What are your thoughts on two-factor authentication in general? Do you think there will be more of these proprietary apps in the future? Let us know in the comments below!
Source: Tweakers (Dutch)
Images courtesy of DigiD, Shutterstock