Multi-Factor Authentication – Meeting Regulatory Requirements, Stopping Breaches

By Kim Brown, Product Marketing Manager, Webroot

The cost of data breaches can cost businesses anywhere from $500K to $171M per breach, according to Gartner1. An effective option to protect against breaches is multi-factor authentication (MFA), but considerations have to be made for both the effectiveness of various MFA solutions (including for mobile devices), as well as the end user experience.

Recently, 34 banks in four countries were attacked in a sophisticated spear-phishing and malware campaign called Operation Emmental. These banks use session-based tokens sent via SMS as secondary authentication before permitting online bank account access. Attackers asked customers to install an Android app to generate one-time tokens for logging into their bank. After that, the SMS messages from the banks were intercepted and forwarded to a command-and-control server. Attackers gained the victims’ credentials and session tokens to establish full control of their bank accounts. A different MFA method may have thwarted Operation Emmental.

Legal and regulatory agencies have established new standards for adding MFA to security practices, and three factors of authentication can be used alone or combined to build a stronger authentication strategy. These are:

  1. Something you know (such as a user ID, password and/or challenge question)
    Passwords are the first level of authentication, but user name and password breaches are common place and challenge question answers are often forgotten by users. Even addressing this through a one-time token via SMS can be bypassed, as victims of Operation Emmental can attest.
  2. Something you have (such as a smart card or physical token)
    Physical Token/Smartcard – While effective, implementation costs and possible loss of the mobile device and token reduce its security effectiveness.
  3. Something you are (referring to a physical characteristic, like a fingerprint)
    In the future, biometrics may be the best option for MFA—fingerprint scans, face/voice recognition, iris/retinal scans, keystroke dynamics, even finger vein ID. Each of these present challenges–ease of use, implementation, and cost. Security vulnerabilities include copying of fingerprints, photos, voice recordings, and theft of digital biometric data.

User Experience is Key to Adoption
Critical to any MFA solution is the user experience, especially when the user is a customer. Poor customer experiences may cause retention issues, and the best MFA option is one that does not require user involvement. For example, if account access is via a mobile app, security can be embedded within the app. This type of security creates a device ID to match the mobile device to the user. Security may include antimalware scans, details about apps running on the device, and whether the device is “rooted” or running in an emulator. User access can be reduced or restricted based on the condition of the device security, providing an effective MFA solution and non-intrusive user experience.

Meeting regulatory requirements for MFA can be managed in numerous ways. Ultimately, security effectiveness should drive this decision but the user experience cannot be ignored. The best solution provides strong security with minimal user disruption and involvement, such as adding embedded mobile security into a banking app.
1 The Cyberthreat Landscape, Lawrence Orans, Research Vice President, Gartner, May 22, 2014.

Kim Brown, Product Marketing Manager, Webroot (

Webroot is bringing the power of software-as-a-service (SaaS) to Internet security with its suite of Webroot SecureAnywhere® offerings for consumers and businesses, 30 financial institutions world-wide, as well as offering its security intelligence solutions to cybersecurity organizations, such as Palo Alto Networks, F5 Networks, Corero, RSA, Cisco, and others. Founded in 1997 and headquartered in Colorado, Webroot is the largest privately held security organization based in the United States – operating globally across North America, Europe and the Asia Pacific region. For more information on our products, services and security visit:


Follow Us:

Sitemap | Privacy | Copyright © © 2017, WSTA®, All Rights Reserved.