paint-brush
Biometric Security Is the Only Truly Secure MFA Option Leftby@richardjoldale
264 reads

Biometric Security Is the Only Truly Secure MFA Option Left

by Master Mind Content March 21st, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Two-factor authentication (TFA) was introduced to reduce the risk of cybercrime. However, TFA has given cybercriminals more ammunition to infiltrate sensitive data they can profit from. The increasing prevalence of IoT devices on PSTN presents hackers with even more opportunities to access personal information that can be used to access sensitive accounts. The National Institute of Standards and Technology (NIST) has recommended businesses and government agencies to stop using SMS for TFA. The rising number of high-profile data breaches shows that zero companies are infallible.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coin Mentioned

Mention Thumbnail
featured image - Biometric Security Is the Only Truly Secure MFA Option Left
Master Mind Content  HackerNoon profile picture

Threat actors cause give C-suite executives more sleepless nights than any other type of disaster that could devastate their business. Whilst existing cybersecurity solutions do an excellent job for the majority of attacks, the rising number of high-profile data breaches shows that zero companies are infallible.


Existing cybersecurity solutions are sophisticated. However, the infrastructure used by telecommunications is not. These outdated pose a threat to anybody that uses them.


Moreover, archaic systems enable threat actors to developnew hacking technologies and techniquesto stay one step ahead of cybersecurity professionals.

Two-factor authentication (TFA) was introduced to reduce the risk of cybercrime. If anything, TFA has given cybercriminals more ammunition to infiltrate sensitive data they can profit from.

We’re now moving into an era where multi-factor authentication will dominate user verification. MFA qualifies users by using three factors; something you know, such as a password, something you have in your possession, such as a mobile device, and something you are - your physical attributes.


Biometric-based MFA falls into the latter category. Whilst biometric data rubber stamps the two preceding factors, some people find scanning their face, fingers and eyes intrusive. The growing distrust in government agencies, banks and other corporate entities does not alleviate those concerns.


But, if we are completely honest with ourselves, there is no other option. Existing solutions are inept and there is no alternative on the table. MFA solutions like fingerprints, facial recognition, retina scan are the only rational option.


In short, MFA provides a bulletproof solution for digital applications that current methods don’t.


SS7 Attacks

The existing infrastructure used by communication companies is Common Channel Signaling System No. 7 (SS7). It has been the industry standard since 1975 and is not equipped to support the advancements in digital technology.


Despite being used by intelligence agencies, the outdated security protocols of SS7 mean that anybody using the network is vulnerable to hackers. The system isideal for surveillance. SS7 is a hacker's dream.


SS7 attacks target mobile devices. Threat actors can exploit security vulnerabilities in the SS7 protocol whenever signals are exchanged over a public switched telephone network (PSTN). This is how mobile devices communicate with a telephone service provider.


Consequently, hackers can intercept voice calls and SMS exchanges on a cellular network. The increasing prevalence of IoT devices on PSTN presents hackers with even more opportunities to access personal information that can be used to access sensitive accounts.

Text-based TFA Can Be Intercepted

Passwords and user verification is the most common method for accessing accounts today. Yet, six years ago, it was established that SMS verification is the “weakest link” in the TFA chain. But most banks and corporate businesses are still using it.


In 2016, the National Institute of Standards and Technology (NIST)published guidelinesrecommending businesses and government agencies to stop using SMS for TFA. SMS text messages can be intercepted.

Sophisticated hackers only need a few pieces of personal information to hijack your phone. The type of information they need can be collected from a variety of sources; social media, corporations, government agencies, hospital records, insurance companies.


It’s not unusual for entities that store sensitive data to be thevictim of a data breach. Hackers stole the data of 45 million residents when they infiltrated the Argentinian government's National Registry of Persons.


If malicious actors know the last four digits of your social security number, date of birth, postcode, and phone number, they don’t need your mobile device; they can access the data by convincing a mobile carrier to transfer your phone number to their SIM card.

SIM swapping enables hackers to change your passwords and access your most private accounts. They would have the time to transfer money or go on a shopping spree before you receive the email informing you that your password has been changed.

Emails Can Be Compromised

Email-based MFA provides users with a higher level of security than smartphones. But they are still vulnerable if a computer is hacked without your knowing it.


Attackers have a variety of tools at their disposal to gain access to a digital device. Malicious malware sent via email phishing attacks is the most common form of infiltrating a computer device.


Hackers can also gain access to computers via malware embedded in pdf downloads and fake apps.Microsoft recently announcedthey are disabling Visual Basic for Applications (VBA) macros by default to prevent employees from inadvertently downloading infected documents or accessing a malicious webpage.

Brute force attacks on passwords are also common. These types of data breaches use sophisticated technologies that can guess passwords by combining millions of combinations.

Apps Can Be Spoofed

Mobile devices are ideal targets for scammers. The more people adopt mobile wallets, the easier it is for hackers to gain access to your finances or business network.

Apps can easily be spoofed. If an attacker has access to your email address and knows which bank you use, they can design a fake app and prompt you to download it onto a phone.


Whilst Apple, Google, and Microsoft claim to eliminate malicious scams from their app stores,hackers manage to smuggle them in. It’s the same story with fake WordPress plugins that display ransomware messages.

Why Biometric Authentication Is the Future of Security

Biometric security solutions are not 100% foolproof either. There have been instances of voice spoofing and tricking Apple’s Face ID. It is clear that using technologies that authenticate personal features will not be enough.


The latest developments in biometric solutions adopt features that cannot be spoofed or corrupted. Motion sensors that capture stride patterns eliminate the use of robots and cloud computing can enable security checks to be conducted in real-time.

Despite the feelings of uneasiness among the general population, biometric data is the only option left to tighten the security of digital devices. Smartphone users are gradually becoming more accustomed to the idea. In 2020, Mercator estimated that 41% of smartphone owners activated the biometric feature on their phones. The number of users was forecast to rise to 66% in 2024.


The adoption of biometric authentication has been slow, but businesses will expedite usage as facial recognition, retina scan and fingerprints are folded into MFA. With so many vulnerabilities in the current landscape, decision-makers don’t have any other choice!


*Disclaimer*: I do not work in the cybersecurity space, nor am I associated with any other business or agency that can profit from biometric technologies. I am merely making an observation.*