4 advantages of physical over mobile authentication

It is no secret; you can see it for yourself. The use of two-factor authentication (2FA) and multi-factor authentication (MFA) is on the rise. Whether you want to access your Google account, bank app or even Facebook, you have to at some point authenticate your login. This is supported by a recent survey, “The State of Auth”, which revealed that 79% of people in the UK and USA used 2FA in 2021.

With cybersecurity a daily subject of discussion nowadays and no longer a tick-box exercise for businesses and governments, this figure is no surprise. Further to that, new regulations such as the EU’s Strong Customer Authentication (SCA) under the EU Revised Directive on Payment Services (PSD2), make it necessary for organisations to implement such solutions for both employees and customers.

As demand for 2FA and MFA increases among businesses, there is pressure to deliver easy-to-use solutions in a short time scale. This could explain why out of the aforementioned 79%, software-based methods of authentication (SMS, email and mobile apps) are the most popular form of second-factor authentication whereas physical keys are the least popular.

But is the most popular way the safest way to authenticate? Is it the most cost-effective method for businesses? The short answer is no. In fact, the advantages of using a physical form of authentication far outweigh the use of software as your primary method.

Software can be hacked or fooled

Even the most sophisticated software can be circumvented or broken by bad actors. This extends to mobile authenticators, which use cryptographic keys to generate the codes used to identify a user. Recent reports have revealed that hackers can exploit these keys even when developers store them in a smartphone’s “Trusted Execution Environment” (e.g. StrongBox Keystore for Android and Secure Enclave for iOS). If these keys fall into the wrong hands, a bad actor gains the ability to authenticate transactions or connections on the user’s behalf.

Mobile app authenticators also tend to have only a basic level of security certification from national and international security agencies, whereas physical secure keys tend to reach higher levels. While smartphones are becoming an “everything in one” tool, whether the SIM becomes an eSIM or the mobile phone a Point of Sale (POS) device, these changes come at the cost of compromises to security.

By having a physical secure key, such as NEOWAVE’s Winkeo, you introduce a physical element to your authentication process, eliminating the reliance on weak software to protect your sensitive information. The user must present and tap the physical key during the authentication process. There is no software to beat: the unique cryptographic key within the physical device must be present, otherwise access will be denied.

FIDO can put an end to phishing

The FIDO Alliance is an industry association that develops and promotes authentication standards to “help reduce the world’s over-reliance on passwords”. Its members include world-leading companies such as Google, Microsoft, VISA and Apple. FIDO-approved devices adhere to the body’s protocol, which is built around a user-controlled cryptographic authenticator that businesses can link to the directories and apps they use, for instance AzureAD and Microsoft 365. Authentication can only take place in person, by the user tapping the key and entering a PIN code. This removes the risk of relying on software on mobile phones and apps that can be bypassed.

Malicious websites are also defeated by FIDO-approved keys. If, for example, an employee with a FIDO key visits a malicious website, the fake site cannot obtain a valid response from the key during authentication, because the key’s credential is bound to the genuine site’s domain. Any login information passed on to bad actors will not enable them to access the employee’s accounts via the real website, because they will not have the physical key required to authenticate.
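The domain binding described above, as an added illustration that is not NEOWAVE’s or the FIDO Alliance’s code: a real key signs with a per-credential ECDSA private key and the site keeps the public key; here an HMAC with a key the site recorded at enrolment stands in for that signature, so the block runs with the Python standard library only. The site names, challenge and device secret are constructed sample values.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in: a real key signs with an ECDSA private key and the site keeps the
# public key; here HMAC with a key the site recorded at enrolment plays that role.
class HardwareKey:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # never leaves the device

    def credential_key(self, rp_id: str) -> bytes:
        # One credential per relying party; a look-alike domain gets a different key.
        return hmac.new(self._secret, rp_id.encode(), hashlib.sha256).digest()

    def get_assertion(self, rp_id: str, client_data: bytes) -> dict:
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || UP flag
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.credential_key(rp_id), signed, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def browser_get(key: HardwareKey, origin: str, rp_id: str, challenge: bytes):
    # The browser, not the page, writes the origin and refuses (None) an rpId the page cannot claim.
    host = urlparse(origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    cd = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    return key.get_assertion(rp_id, json.dumps(cd).encode())

def verify_assertion(rp_id: str, origin: str, cred_key: bytes, challenge: bytes, a: dict) -> bool:
    # The genuine site's checks: type, fresh challenge, origin, rpIdHash, then the signature.
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != origin or a["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), a["sig"])

def demo() -> dict:
    key = HardwareKey(b"constructed-device-secret")
    rp_id, origin = "bank.example", "https://bank.example"
    cred = key.credential_key(rp_id)  # recorded by the bank when the key was enrolled
    chal = hashlib.sha256(b"constructed-challenge").digest()
    legit = verify_assertion(rp_id, origin, cred, chal, browser_get(key, origin, rp_id, chal))
    phish = "https://bank-login.example"  # look-alike site relaying the bank's challenge
    relay_blocked = browser_get(key, phish, rp_id, chal) is None  # cannot claim the bank's rpId
    stolen = browser_get(key, phish, "bank-login.example", chal)  # the most a phisher can obtain
    replayed = verify_assertion(rp_id, origin, cred, chal, stolen)  # rejected: wrong origin/rpId
    return {"legit": legit, "relay_blocked": relay_blocked, "replay_accepted": replayed}
```

The genuine login succeeds, the look-alike site cannot borrow the bank’s RP ID, and the response it can collect under its own domain is rejected by the bank.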

The crowning advantage of FIDO’s physical keys is that, by using this technology, businesses can eliminate phishing in their organisation. By adding a physical (non-mobile) element to your security process, FIDO helps prevent the brute-force and man-in-the-middle attacks to which one-time passwords (OTPs) and SMS codes are susceptible.

In fact, Google claims to have put an end to all phishing breaches within its organisation. The company implemented U2F authentication across its organisation and requires all employees to use physical secure keys.

SIM-swap fraud is on the rise

SIM-swap fraud cases have increased 400% in the past 6 years. In this type of fraud, hackers clone mobile phone numbers and assign them to new SIM cards, through which they can access online bank accounts, messages, calls and other sensitive data. One of the most notable victims of this type of fraud was Twitter CEO Jack Dorsey. Should we not question the value of mobile app authenticators if this threat is on the rise?

Highest level of security at a fraction of the cost

Shockingly – but unsurprisingly – almost 70% of SMEs have not implemented MFA. It makes sense, though, when you look at costs. If you are a small business and need to spend hundreds of pounds on a smartphone per employee in order to have access to an authenticator app, this can be discouraging for business owners, especially during uncertain economic times. While some may revert to using personal smartphones, that is not the safest method, as it comes with added risk when the phone is not owned by the employer.

FIDO keys on the other hand are much more affordable, at around £25 per person, and come with heightened security as described in the points above. It is a win-win for both smaller businesses which need to prioritise security but are also traversing uncertain economic times, and larger organisations that need to implement MFA across the business with hundreds, if not thousands, of employees.

Cybersecurity has never been more important. The heightened threat from Russia since the invasion of Ukraine and the higher number of employees working remotely have made cybersecurity a top priority. Attacks are now fully-fledged businesses, and organisations need to ensure there are no cracks in their protective shields.

Jason Kent

Jason Kent is founder and director of Open Seas, a UK-based enterprise IT solutions company specialising in data protection and backup services to optimise organisations’ work environments. With 30 years’ experience in the IT industry, Jason has developed a strong and in-depth understanding of how to design and implement technical solutions that deliver tangible business benefits.

Jason specialises in simplifying the complex and collaborating with both technical and non-technical teams to implement solutions that enhance security and human collaboration.

Jason is also Business Development Director at Jooxter, a proptech scale-up that helps companies manage flex desks and meeting rooms through wireless monitoring.
