Some providers of personal banking services add strong authentication services to their Internet banking channel, such as multi-factor authentication services designed for e-banking applications, which provide a number of authentication features to prevent fraud during e-banking transactions. One common authentication mechanism is short message service-based (SMS-based) one-time passcodes (OTPs). SMS-based OTPs were introduced to counter phishing and other attacks. SMS OTPs are often used as an additional factor in a multi-factor authentication system, where users are typically required to enter an OTP when logging in to their online banking service. SMS OTPs are typically used for authenticating users as part of the registration and enrollment of new users, and as a step-up authentication mechanism as part of the workflow for adding a new payee.
Generally speaking, SMS OTP authentication mechanisms require a link between a bank account, the bank account owner and his mobile phone account. The owner of the bank account should be the only person who can receive the SMS OTPs sent to the phone number linked to his bank account. Thus, this link between an account, a user and a physical device (mobile phone) provides a strong multi-factor authentication mechanism.
However, SMS OTP is no longer considered secure, because SMS OTP relies on the security of mobile telephone communication networks. Some providers of personal banking services are experiencing significant levels of fraud from “SMS OTP SIM Swap” attacks.
Furthermore, conventional standalone OTP authentication mechanisms often require a user to switch between devices, or between windows or software applications on a device, in order to view a received OTP, which may not result in a user-friendly experience.
The present applicant has recognised the need for an improved method of providing SMS-based multi-factor authentication mechanisms, which are also more convenient for a user to use.