Two-factor authentication (TFA) is commonly used to authenticate transactions done via electronic computers. Basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication decreases the probability that the requestor is presenting false evidence of its identity by requiring two different types of evidence, or factors, from among a finite list of pre-approved factors. Traditional two-factor authentication requires the requester to present two of three possible factors: something the user knows (such as a personal identification number (PIN) or password); something the user has (such as an automated teller machine (ATM) card or a registered mobile phone); and something the user is (such as a fingerprint or retina image).
Consider a common example of two-factor authentication. A bank customer visits an ATM hosted by a bank at which he does not hold an account and presents his physical ATM card (something the user has, a possession factor) and thereafter enters his PIN at the keypad (something the user knows, a knowledge factor). To dispense cash the ATM requires both of these factors to match the user's records at the user's own bank, and absent that the two-factor authentication will fail.
Two-factor authentication is common but a given multi-factor authentication procedure can require more than two different factors before allowing a transaction to proceed. The number of factors considered in the authentication is important because it implies (but does not guarantee) a higher probability that the bearer of the identity evidence in the computer/virtual realm indeed holds that identity in real life.
One category of TFA tools transforms the mobile phone of the personal computer (PC) user into a token device, commonly using a short messaging service (SMS) message exchange or an interactive telephone call or some other exchange enabled by an application that is downloaded to the user's smartphone. If the user enters his/her personal identifying information at the PC (knowledge factor), the user's mobile phone can serve as the possession factor of the two-factor authentication, so long as there is a message exchange and the user's mobile phone is pre-registered with the Internet domain on which the transaction is taking place.
Banking and other financial entities utilize two-factor (or more generically multi-factor) authentication commonly now that Internet-based banking has become ubiquitous. But online banking transactions are subject to attack by criminals using malware, of which several types have been identified that attack the PC and/or the mobile device.
Any authentication process which utilizes an insecure out-of-band method such as an email data link or a phone voice or data link, or which fails to provide mutual authentication, is inherently vulnerable to a man-in-the-middle (MIM) attack. In a MIM attack, the fraudster is actually interacting with the legitimate website while the victim is interacting with the fraudster's counterfeit website. A victim who is lured to a fraudulent website triggers the attack by entering his/her normal login credentials at the counterfeit website, which appears legitimate. The counterfeit website then transmits these stolen credentials to the legitimate website using scripts or other protocols; the legitimate website, for example, then initiates a telephone call to the victim as part of its two-factor authentication. Believing the website to be legitimate, the victim uses his own mobile phone to complete the authentication, not realizing that doing so permits the fraudster to complete entry into the victim's account on that occasion.
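The following Python sketch is an added illustration, not code from the original text or from any product it describes. It models the two factors from the earlier paragraphs (a salted password hash as the knowledge factor, a secret provisioned to a registered phone as the possession factor) and then contrasts two ways the phone can answer the bank's challenge: a plain one-time code, which is accepted regardless of where the user typed it and so passes unchanged in the relay scenario just described, and a response that the phone binds to the domain the user is actually interacting with, which the legitimate server rejects because it recomputes the answer over its own origin. The domain names, the user record and the HMAC-based origin-binding scheme are all constructed for this example and are not presented as the text's own method.

```python
import hashlib
import hmac
import os
import secrets

# Constructed values for this illustration; nothing here comes from a real bank system.
LEGITIMATE_ORIGIN = "bank.example"          # domain the real site is served from
COUNTERFEIT_ORIGIN = "bank-login.example"   # domain of the look-alike site in the scenario

USERS = {}     # username -> {"salt", "password_hash", "device_key"}
PENDING = {}   # username -> outstanding single-use challenge (bytes)


def register(username, password):
    """Enrol a user: store a salted password hash (knowledge factor) and provision
    a secret to the user's registered phone (possession factor). Returns the
    device secret that the phone-side app would hold."""
    salt = os.urandom(16)
    device_key = secrets.token_bytes(32)
    USERS[username] = {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "device_key": device_key,
    }
    return device_key


def knowledge_factor_ok(username, password):
    """Server side: check the password against the stored salted hash."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(digest, rec["password_hash"])


def issue_challenge(username):
    """Server side: create a fresh single-use challenge for the possession factor."""
    challenge = secrets.token_bytes(16)
    PENDING[username] = challenge
    return challenge


# --- Variant 1: a plain one-time code, as with a code sent by SMS or voice call. ---

def phone_plain_code(device_key, challenge):
    """Phone side: derive a 6-digit code from the challenge alone."""
    mac = hmac.new(device_key, challenge, "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_plain_code(username, code):
    """Server side: the code carries no information about where the user typed it,
    so a code entered at a counterfeit site and relayed is indistinguishable."""
    challenge = PENDING.pop(username, None)   # single use: consumed on first check
    rec = USERS.get(username)
    if challenge is None or rec is None:
        return False
    return hmac.compare_digest(phone_plain_code(rec["device_key"], challenge), code)


# --- Variant 2: the same challenge, but the phone binds its answer to the origin
#     the user is actually interacting with (the idea behind origin-bound authenticators). ---

def phone_bound_response(device_key, challenge, origin_seen_by_user):
    """Phone side: the answer covers the challenge AND the domain the user is on."""
    msg = challenge + b"|" + origin_seen_by_user.encode()
    return hmac.new(device_key, msg, "sha256").hexdigest()


def verify_bound_response(username, response):
    """Server side: recompute over its OWN origin. A response produced while the
    user was on any other domain fails, whoever relays it."""
    challenge = PENDING.pop(username, None)
    rec = USERS.get(username)
    if challenge is None or rec is None:
        return False
    expected = phone_bound_response(rec["device_key"], challenge, LEGITIMATE_ORIGIN)
    return hmac.compare_digest(expected, response)


def run_scenarios():
    """Outcome of both variants with the user on the legitimate site and with the
    user on the counterfeit site whose operator relays the answer."""
    key = register("alice", "correct horse battery staple")   # constructed credentials
    results = {"knowledge": knowledge_factor_ok("alice", "correct horse battery staple")}

    ch = issue_challenge("alice")   # plain code, user on the real site
    results["plain/legit"] = verify_plain_code("alice", phone_plain_code(key, ch))
    ch = issue_challenge("alice")   # plain code, user on the counterfeit site: same code
    results["plain/relayed"] = verify_plain_code("alice", phone_plain_code(key, ch))

    ch = issue_challenge("alice")   # bound response, user on the real site
    results["bound/legit"] = verify_bound_response(
        "alice", phone_bound_response(key, ch, LEGITIMATE_ORIGIN))
    ch = issue_challenge("alice")   # bound response, user on the counterfeit site
    results["bound/relayed"] = verify_bound_response(
        "alice", phone_bound_response(key, ch, COUNTERFEIT_ORIGIN))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

The two verifiers share the challenge issuance and the single-use bookkeeping; the only difference is whether the phone's answer depends on the domain the user sees. That is the property the paragraph above calls mutual authentication: the server is not only checking that the right phone answered, but that it answered to the server's own site.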
Adding an additional biometric factor to the authentication is possible but is an expensive option; at least in the short term it is not a practical solution to counter this growing malware threat to install a finger imaging reader or retina scanner at every ATM along with the underlying databases needed to render them effective. What is needed in the art is a way to diminish these opportunities for malware to hijack a multi-factor authentication procedure without requiring vast upgrades to existing infrastructure.