Authenticating users is important for maintaining data security and access control. Many services employ two-factor authentication to improve security and reduce the chance of unauthorized access to data or services that are protected by authentication credentials. As one example, in order to access data or a service, a user can be required to provide a password along with a security code, such as a time-varying one-time password. In this way, to facilitate authentication of the user, the user is challenged to provide something the user knows, such as a password, along with something the user has in his or her possession, such as a device to which the security code is sent or one that generates the security code.
Some implementations of two-factor authentication involve generation of a one-time password by a server when a user presents his or her username and password. The server then transmits the one-time password to the user in an out-of-band communication, such as by email, short message service (SMS), instant messaging, or any other communication link that is different from the one over which the user presented his or her username and password. Before granting access to the service or resource, the server also requires that the user present the one-time password. However, a user's device can receive email, SMS messages, instant messages, or other forms of communication in an application that is insecure in some respect.
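The server-side flow just described, as an added example that is not part of the original text: the first factor (username and password) is checked, and only on success is a one-time code generated, hashed for storage, and handed to an abstracted out-of-band channel; the second factor then verifies the presented code. The user store, salt, credentials and the `outbox` list standing in for SMS or email delivery are constructed for the example; the time-to-live, single-use and limited-guess handling are the practitioner's usual safeguards for such codes, not features the text describes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed credential store (example only): username -> PBKDF2 hash of the password.
_SALT = b"constructed-salt-not-for-production"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice": _hash_password("correct horse battery staple")}


@dataclass
class PendingCode:
    code_hash: bytes      # only a hash of the code is stored server-side
    expires_at: float     # absolute time after which the code is rejected
    attempts_left: int    # guesses permitted before the code is discarded


@dataclass
class OtpServer:
    # The out-of-band channel (SMS, email, ...) is abstracted as an outbox list of
    # (username, code) pairs; a real server would hand these to a messaging gateway.
    outbox: List[Tuple[str, str]] = field(default_factory=list)
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    ttl_seconds: int = 120
    max_attempts: int = 3

    def first_factor(self, username: str, password: str, now: Optional[float] = None) -> bool:
        """Step 1: check username/password. Only on success is a one-time code generated and sent."""
        now = time.time() if now is None else now
        stored = USERS.get(username)
        # The password hash is always computed, even for an unknown username, so the
        # response time does not reveal which usernames exist.
        candidate = _hash_password(password)
        if stored is None or not hmac.compare_digest(stored, candidate):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code from a CSPRNG
        self.pending[username] = PendingCode(
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=now + self.ttl_seconds,
            attempts_left=self.max_attempts,
        )
        self.outbox.append((username, code))  # "send" over the out-of-band channel
        return True

    def second_factor(self, username: str, code: str, now: Optional[float] = None) -> bool:
        """Step 2: verify the presented code; it is single-use, expires, and tolerates few guesses."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        if now > entry.expires_at:
            del self.pending[username]        # stale code is discarded, not retried
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code_hash, hashlib.sha256(code.encode()).digest())
        if ok or entry.attempts_left <= 0:
            del self.pending[username]        # consumed on success, or locked after too many guesses
        return ok


if __name__ == "__main__":
    srv = OtpServer()
    assert srv.first_factor("alice", "correct horse battery staple")
    _, sent_code = srv.outbox[-1]               # what the user would read from the out-of-band message
    print("second factor accepted:", srv.second_factor("alice", sent_code))
```

Note that a wrong password produces no code at all, so the out-of-band channel is not exercised by an attacker who only knows the username, and that a code is deleted once used, once expired, or once the guess budget is spent.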
For example, an application associated with a communication link can render some or all of a message that includes a security code on the lock screen of the user's smartphone. In this scenario, the contents of the message may be visible without requiring that the user present a device credential, such as a personal identification number (PIN) or password. Additionally, should the device become lost or stolen, a server, in response to an authentication attempt on behalf of a user, may continue to send security codes to the lost or stolen device, which can result in the security codes being received by an unauthorized user.