The Colonial Pipeline attack was a painful reminder of how virtually every component of the nation’s infrastructure is now online. That shift brings with it a new burden: electrical grids, dams, highways and railway lines must be made resilient against fraudsters. It is heartening to see multifactor authentication treated as an imperative in the President’s executive order. However, not all forms of multifactor authentication are equal. Agencies must carefully consider whether their multifactor mix takes a holistic view of identity, or they will be ill equipped to deal with the sophisticated tactics of today’s fraudsters.
Among the most vulnerable forms are two of the most familiar: knowledge-based authentication (KBA) and one-time passcodes (OTPs). Strictly speaking, KBA is a knowledge factor like a password, so layering it on a password adds no independent factor at all. With nine federal agencies breached during the SolarWinds attack, fraudsters have access to civilian data that can be used to answer KBA questions, such as a home address, cell phone number or even a pet’s name. And there is no putting the genie back in the bottle: once this data has been released, it cannot be recalled.
OTPs similarly fail to stand up to scrutiny. An OTP is a passcode delivered to a citizen’s phone, most often by SMS text message, as a form of identity authentication; the thinking is that a fraudster is unlikely to be holding the citizen’s mobile device. However, the proliferation of SIM swapping and unauthorized number reassignments (port-outs) means criminals can re-route SMS messages to a device they control instead of the citizen’s, quickly negating an OTP check and opening the door to account takeover. What’s more, fraudsters have found ways to solicit OTPs directly from citizens in what are often called “man in the middle” schemes, although they are really social engineering with the victim acting as the relay. Here a fraudster initiates a verification in the citizen’s name, one they cannot complete on their own, which causes the agency to send an OTP to the citizen’s real phone. The fraudster then calls the citizen, poses as someone from the federal government, and asks them to read aloud the passcode they have just received. No SIM swap is needed: the SMS reached the right handset, and the code is compromised anyway.
In short, these legacy forms of authentication can no longer be relied on against modern fraud methods. The private sector has already recognized the flaws of KBA and SMS OTP, and many companies have begun to adopt a more holistic approach to identity resolution. If the federal government hopes to arm agencies with the tools they need to defend themselves, it must do the same.
The most effective multifactor solutions integrate all aspects of a citizen’s identity and de-weaponize the PII that fraudsters can use. Holistic authentication takes into account identity markers that go beyond simple data verification. Rather than going through a checklist to verify each piece of provided data in isolation (for example, “Did this OTP go to the citizen’s phone number, and was it entered correctly?”), it examines the linkages between the pieces: a correct OTP response is weighed against, say, a SIM swap request in the individual’s carrier history a few hours earlier, which turns a passing check into a reason to step up to a stronger factor. Such solutions can show an agency whether the device has been, or is likely to be, implicated in unsafe behavior, and can even indicate that the device may not be in the hands of the person who owns the number. By examining how online, offline and device-based data points connect, such as the strength and tenure of the association between an IP address and phone activity, this method establishes a clear link between a device and a citizen.
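As an added worked example, not part of the original article or of any Neustar product, the following Python sketch shows the linkage check described above: a correct OTP is trusted only after it is weighed against the number’s recent SIM-swap and port-out history and against how long the client IP has been associated with that phone number. The carrier lookup, field names, time windows and scoring weights are all assumptions chosen for illustration, and the sample records are constructed. It also covers the relayed-code case, where the SMS reached the right handset but the session entering the code has never been seen with that number.

```python
# Added example, not from the article or Neustar: gate a correct OTP on
# telephony linkage signals (recent SIM swap, recent port-out, and how long
# the client IP has been seen with this phone number).  The data source,
# field names, windows and weights are assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CarrierSignals:
    last_sim_change: Optional[datetime]   # last SIM/ICCID change on the number
    last_port_out: Optional[datetime]     # last carrier change for the number
    ip_phone_tenure_days: int             # days this client IP has been seen with the number


@dataclass
class OtpAttempt:
    phone: str
    client_ip: str
    otp_correct: bool
    attempted_at: datetime


# Assumed policy: a SIM or carrier change shortly before the attempt is strong
# evidence the code was delivered to a different handset; an IP that has never
# been seen with the number is the signature of a code relayed from the
# citizen's phone into the attacker's session.
SIM_SWAP_WINDOW = timedelta(days=7)
PORT_OUT_WINDOW = timedelta(days=14)
MIN_IP_TENURE_DAYS = 30
STEP_UP_THRESHOLD = 2


def _within(event, at, window):
    """True if `event` happened at most `window` before `at`."""
    return event is not None and timedelta(0) <= at - event <= window


def decide(attempt, signals):
    """Return (decision, reasons); decision is 'deny', 'step_up' or 'allow'.

    'step_up' means: the passcode matched, but do not trust the SMS channel;
    require a factor that cannot be redirected by a SIM swap or read aloud.
    """
    if not attempt.otp_correct:
        return "deny", ["otp_incorrect"]
    reasons, score = [], 0
    if _within(signals.last_sim_change, attempt.attempted_at, SIM_SWAP_WINDOW):
        reasons.append("recent_sim_swap"); score += 3
    if _within(signals.last_port_out, attempt.attempted_at, PORT_OUT_WINDOW):
        reasons.append("recent_port_out"); score += 3
    if signals.ip_phone_tenure_days == 0:
        reasons.append("ip_never_seen_with_number"); score += 2
    elif signals.ip_phone_tenure_days < MIN_IP_TENURE_DAYS:
        reasons.append("short_ip_tenure"); score += 1   # weak on its own
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), reasons


NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample lookups (not real carrier data): SIM/port history keyed
# by phone number, IP tenure keyed by (phone, client IP).
_NUMBER_HISTORY = {
    "+15550100": (NOW - timedelta(days=400), None),   # long-held SIM, never ported
    "+15550101": (NOW - timedelta(hours=6), None),    # SIM swapped this morning
}
_IP_TENURE = {
    ("+15550100", "198.51.100.7"): 220,   # the citizen's usual home connection
    ("+15550100", "198.51.100.8"): 10,    # a connection first seen ten days ago
}


def lookup_signals(phone, client_ip):
    sim_change, port_out = _NUMBER_HISTORY[phone]
    return CarrierSignals(sim_change, port_out, _IP_TENURE.get((phone, client_ip), 0))


def evaluate(phone, client_ip, otp_correct, at=NOW):
    attempt = OtpAttempt(phone, client_ip, otp_correct, at)
    return decide(attempt, lookup_signals(phone, client_ip))


if __name__ == "__main__":
    for case in [("+15550100", "198.51.100.7", True),   # citizen at home
                 ("+15550100", "198.51.100.8", True),   # citizen on a newer connection
                 ("+15550100", "203.0.113.9", True),    # correct code from an unknown session (relay)
                 ("+15550101", "203.0.113.9", True)]:   # correct code after a SIM swap
        print(case, evaluate(*case))
```

Run stand-alone it prints the decision for four constructed scenarios. In a real deployment the two lookup tables would be replaced by carrier and device-intelligence queries, and a `step_up` result would route the citizen to a factor that can be neither redirected nor read aloud, such as an authenticator app or a FIDO security key.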
Another option, specific to voice channels, is pre-answer caller authentication, which inspects inbound calls and calling devices in real time to authenticate a caller before they reach an agent or an interactive voice response (IVR) system. This method combines deterministic and probabilistic approaches, using telephony network forensics to treat the identity of the calling device as a possession-based authentication token that verifies an individual without relying on PII. The presented caller ID alone is trivially spoofed, so the value of this approach rests on network-side signals about the call and the device, not on the number the caller claims to be calling from.
These forms of authentication also have the added benefit of improving the citizen experience. Without requiring the citizen at the other end of the line to verify themselves with information that could be outdated, forgotten or simply irritating to find, the agency smooths out the rough edges of connecting Americans with their government. The private sector is transitioning to these newer forms of multifactor authentication for a reason, and it is protecting its customers as well as serving them; why shouldn’t the federal government do the same and start treating citizens like customers purchasing a service?
The President’s executive order should be applauded for its ambition and scope. Many in the industry believe a multifactor authentication mandate is overdue, but the government now has a chance to prove the cynics wrong and introduce integrated authentication solutions that prepare agencies for the post-Colonial Pipeline fraud environment we now inhabit. In conjunction with the other reforms that the White House plans to issue, an insightful mix of multifactor authentication solutions will once again give Americans confidence in their government’s ability to protect their sensitive information and accounts, while also giving them the same quick and friendly service they now expect from the private sector.
Tom McNeal is vice president of the Partner Channel and Public Sector for Neustar.