The Truth About Multifactor Authentication: More Is Not Necessarily Better
March 4, 2019
The European Union's Revised Payment Service Directive, better known as PSD2, raises the bar for "strong" security by mandating three-factor authentication, not just two. It's food for thought because it begs the question, why stop there? We know that one factor is not enough, but is the risk of fraud going to drive us down the path to four, five, n-factor authentication? Taken to its illogical conclusion, there is no end to the demand for additional factors.

Luckily, the need to provide fast response and a pleasant customer experience at an affordable cost already places constraints on the mad rush to add authentication factors.

A quick trip down memory lane (or is that security avenue?) reminded me that my first real experience with two-factor authentication ('2FA') was when I used my bank card at an ATM. At the time, it didn't occur to me that I was authenticating with something I had (first factor, the card) and something I knew (second factor, the PIN), but that's what it was. Yet today the combination of 2FA has proven powerless against the rising tide of fraud in the physical world (where cards have been spoofed and four-digit PINs have proven vulnerable) but even more so in the voice, digital and online worlds, where procedures to authenticate "card not present" transactions are either cumbersome or ineffective.

Response to the inadequacies of 2FA has been dramatic. Exponential innovation has been witnessed globally in the domain of 'Intelligent Authentication' (IAuth). Of necessity, it spans Identity, Verification and Fraud Prevention and encompasses an ever-increasing range of biometric modalities such as Voice, Face, Behavioural, and the list continues to grow to accommodate a variety of on-device or endpoint sensors (smart phones, intelligent appliances, connected cars, etc.).