Multi-factor authentication is an approach to security authentication in which a user is required to provide at least two pieces of evidence (or factors) to confirm their identity in order to be granted access to a secured environment or secured information. Example factors include something the user knows (e.g., a personal identification number, password, pattern), something the user possesses (e.g., an ATM card, phone, fob), or something the user is (e.g., a biometric such as a fingerprint, or voiceprint). For example, two factor authentication may be used while withdrawing money from an automated teller machine (ATM), where the user has to provide the correct pin (something the user knows) and the ATM card (something the user possess).
To access secured environments and information such as online portals for healthcare, banking, e-commerce, email, and the like, a user may undergo multi-factor authentication. For example, a user may receive a short message service (SMS), also referred to as a text message, or email on their phone with a particular code that the user has to provide on an online portal before being able to access the online portal. By having to provide a particular code to the online portal, the user indicates possession of their phone (something the user possess) in addition to login information (something the user knows). Often, the particular code is a one-time code that is valid for only one login session or transaction (i.e., a one-time pin or OTP).
Although multi-factor authentication was created to provide improved security authentication, modern smartphones are used for both browsing email and receiving text messages. Accordingly, if a smartphone is stolen, a thief can normally complete the multi-factor authentication as they have access to text messages, emails, and applications that may be preloaded with login information. In other words, a thief may have access to the OTP and be able to complete the security authentication procedures.