Multi-factor authentication (“MFA”) is a failure-tolerant method of computer access control that requires a user to provide multiple means of verification to gain access to a system.
Two-factor authentication (“2FA”) is a form of multi-factor authentication that requires a user to provide two means of verification to gain access to a system. Two-factor authentication is widely viewed as a more secure method of authenticating a user attempting to log in to a user account than the use of a single authentication factor alone.
One authentication method commonly used in multi-factor authentication systems includes transmission of a one-time pin (“OTP”) via SMS text messaging to a user's phone or portable device. In the case of SMS two-factor authentication, a user first enters the user's login credentials including, for example, a username and password, this constituting the first authentication factor. Upon entering the login credentials, an OTP code is transmitted to a device associated with a phone number stored with an account of the user. The user then enters the code to verify the user's identity, this constituting the second authentication factor. In a multi-factor authentication scheme, additional means of verification may be used before granting account access. In the case of a two-factor authentication scheme, access to the account is now granted. A commonly used process of SMS two-factor authentication is illustrated in FIG. 1. In a first step, an end user begins a login process with the user's username and password. In a second step, an online service sends a confirmation message containing a randomly-generated OTP via a phone network. In a third step the message is delivered from the phone network to the user's device. In a fourth step, the user enters the OTP to complete the login process.
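The service side of the SMS flow described above (the second and fourth steps), as an added example that is not part of the original document: the OTP is drawn from a cryptographic random source, bound to the login session, short-lived, single-use, compared in constant time and limited to a fixed number of guesses. The class name, the five-minute lifetime and the attempt budget are assumptions; hand-off to an SMS gateway is left to the caller.

```python
import hmac
import secrets
import time


class SmsOtpService:
    """Server side of the SMS second factor: issues a random OTP bound to a login
    session and verifies it at most once, within a time limit and attempt budget."""

    def __init__(self, ttl_seconds=300, max_attempts=5, digits=6):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        self._pending = {}  # session_id -> pending OTP record (in-memory, constructed)

    def issue(self, session_id, phone, now=None):
        """Generate an OTP for this session; the caller sends it to `phone` via the SMS gateway."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"  # CSPRNG, not random.randint
        self._pending[session_id] = {"code": code, "phone": phone,
                                     "expires": now + self.ttl, "attempts": 0}
        return code

    def verify(self, session_id, candidate, now=None):
        """True only for the unexpired, unused code of this session, within max_attempts guesses."""
        now = time.time() if now is None else now
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if now > entry["expires"]:
            self._pending.pop(session_id)  # expired codes are discarded, not retried
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.max_attempts:
            self._pending.pop(session_id)  # too many guesses: force a fresh login
            return False
        if hmac.compare_digest(entry["code"].encode(), candidate.encode()):
            self._pending.pop(session_id)  # single use: a replayed code fails
            return True
        return False
```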
Additional known multi-factor authentication processes exist that allow authentication of a user using a verification code or OTP. For example, time-based one-time password (“TOTP”) algorithms may be used to generate a one-time verification code when a user desires to log in to an account. Similarly, HMAC-based one-time password (“HOTP”) algorithms also provide for a one-time verification code to authenticate an identity of a user.
Two-factor authentication, in theory, provides an increase in security of a user's account because a would-be hacker would be required to have access to both a user's primary login credentials (such as username and password) and the user's second factor (such as a phone). It is estimated that approximately 46% of internet users utilize some form of multi-factor authentication, and that over 90% of the most heavily trafficked websites on the Internet support two-factor authentication.
While SMS two-factor authentication theoretically provides significant security advantages over sole or single password authentication methods, the popularity of SMS as a two-factor authentication method has revealed vulnerabilities that may be exploited to gain access to an account protected by two-factor authentication. For example, one possible exploit of SMS two-factor authentication is that a third party may obtain physical access to a user's phone or portable device and is therefore able to receive the second factor code of the user. Similarly, a third party may fraudulently request a replacement SIM card from the user's cellular phone service provider. When the third party obtains a replacement SIM card, the second factor code is received on a device of the third party, thereby granting access to the user's account. A process of re-directing inbound SMS messages to a hacker's device using a SIM card swap is illustrated in FIG. 2. Other known vulnerabilities include the use of a hardware device such as an IMSI catcher, the exploitation of vulnerabilities in the SS7 protocols, and the use of spyware or remote access software that exploits vulnerabilities related to the user's device. Similar vulnerabilities may also exist in other two-factor authentication methods including TOTP and HOTP.
In some cases, two-factor authentication may in fact create new vulnerabilities that do not exist with single password authentication methods. For example, most if not all websites and services include a process of recovering a lost password. Traditionally, the password reset process works by sending the user an email to confirm the password change. However, some services have recently begun allowing password resets to be accomplished using the same cell phone of a user used for receiving a second factor authentication code. This effectively reverts the authentication process to a single factor authentication system. Combined with the vulnerabilities described above, the user's account is therefore protected by a single vulnerable factor. If an attacker is able to gain access to a user's phone or the user's SMS messages, the attacker would be able to change the user's password without knowing the user's previous password. This means that an attacker could gain access to a user account with only a user name and access to the user's phone or SMS text messages. Each of these vulnerabilities may result in circumvention of a two-factor authentication process and allow a nefarious third party to access an account of the user.
In addition to various security vulnerabilities, two-factor authentication also creates practical issues that inhibit adoption or utilization of the two-factor process. One issue arises when a user loses access to the user's cell phone, such as when the device malfunctions or is otherwise inoperable. A similar issue arises when a user is without a connection to a cellular network such that the user's phone is incapable of receiving SMS text messages. In either event, the user is unable to receive the second factor code on the user's cell phone, which would result in the user becoming locked out of their accounts. An additional issue arises when a user obtains a new phone number, and the user must then update any accounts utilizing two-factor authentication to include the user's new phone number for transmission of the second factor code. Similar issues may exist with respect to attempting to retrieve one-time verification codes using other methods, such as TOTP and HOTP.
Therefore, while two-factor authentication generally reduces a risk of unauthorized access to a user's account by a third party, various vulnerabilities still exist in current implementations and in some cases the risk of unauthorized access is actually increased over having no two-factor authentication. Practical inconveniences of two-factor authentication further inhibit adoption of two-factor authentication by users. What is needed, therefore, is a secure system and method for managing the multi-factor authentication data of a user.