Multi-factor authentication systems are becoming increasingly popular for computing system account security. Traditionally, users have provided a username and a password to log into a user account. However, malicious users can also gain access to the user account simply by having knowledge of the username and the password. In other words, username and password systems rely only on two items of information that the user knows. Thus, such systems rely exclusively on knowledge-based authentication factors.
Other authentication factors can include what the user has (possession factors) and who the user is (inherence factors). Examples of possession factors can include possession of a trusted device (e.g., smartwatch, smartphone, or other device with a long-lived credential stored thereon or able to communicate by way of a trusted telephone number or email address), possession of a key-fob token that generates one-time passwords, and possession of a smartcard. Examples of inherence factors can include retinal scans, iris scans, and fingerprint scans. Adding possession and/or inherence factors to an authentication system that uses username and password-based authentication can greatly improve security. Also, requiring answers to other knowledge-based questions can improve security. The questions can be dynamically generated based on transaction histories (e.g., “which of following is the correct purchase amount of your transaction yesterday?”), or credit histories, or may be based on static answers to questions that are preconfigured by the user (e.g., “who was your favorite school teacher?”).
Unfortunately, it can be difficult to practically implement multi-factor authentication in native applications. Application developers would have to write custom authentication code and/or include code from a software development kit that enables multi-factor authentication, but it can be very challenging to convince developers to do this. As a consequence, an organization that manages devices, such as under a bring-your-own-device model, cannot require multi-factor authentication for native applications under existing approaches.