A Survey on Multi-Factor Authentication for Online Banking in the Wild
Related papers
Most banks now offer their services online, which is known as online banking. Bank activities involve very sensitive information. Due to the high level of fraud, banks have recently introduced a new authentication method that requires users to provide more than one factor to authenticate themselves, known as Multi-Factor Authentication (MFA). But means of improving security might compromise the level of usability of the website. Sri Lanka being a country with fewer IT-literate people, the researcher assumes that the introduction of MFA might have an impact on Sri Lankan online users. This paper presents an empirical study on the level of usability of MFA mechanisms currently used by Sri Lankan banks, as experienced by the users. According to the results, the number of online banking users in Sri Lanka is low, but they accept the MFA methods as usable.
E-Banking Security Study—10 Years Later
IEEE Access
ICT security in the banking area is going through rapid changes. It is ten years since we covered the state of e-banking security, and both authentication schemes and legislation have evolved. With the Payment Services Directive (PSD2) for the European Union coming into force, we believe it is a good time to update our findings. PSD2 brings new requirements for multi-factor authentication, thus it is necessary to revise compliance of currently used schemes. This work's main contribution is an overview of current authentication methods, their properties with respect to international standards, and their resistance against attacks. We further discuss the multi-factor authentication schemes composed of those methods and their compliance with the PSD2 requirements. In order to present the overview, we introduced the e-banking attacks taxonomy, which is compatible with authenticator threats from NIST Digital Identity Guidelines but has an increased level of detail with respect to the e-banking area. The available sources in this area are usually either very broad, targeted on the business executive, or focus on one particular issue or attack in greater detail. We believe our article can bridge such diverse sources by providing a comprehensive and complex tool to help with orientation in the area.
Multi-channel, Multi-level Authentication for More Secure eBanking
2010
For decades, traditional authentication methods have proved weak in protecting users and organizations from various different online attacks. These include brute force password cracking, phishing, sniffing, active man-in-the-middle attacks, and session hijacking. The introduction of the one-time password (OTP) and multi-channel authentication (MCA) has proven able to protect users' online accounts from being compromised. However, without careful thought being given to implementation details, these authentication methods can still have weaknesses that could allow real-time attacks to succeed. This paper presents guidelines on how multi-channel authentication should be implemented so that it adequately protects users' online accounts. The proposed structure can be used in personal banking or corporate banking applications and has the potential to withstand the most commonly deployed attacks. In order to evaluate the proposed MCA and test user acceptance, a prototype web application was implemented. Our evaluation of the MCA concept using this prototype with Omani participants showed that 61% of the total 42 participants who evaluated the application were satisfied with the level of security offered by multi-channel authentication. 66% of them believed that it was easy to perform transactions. We found that most participants were not familiar with the vouching code (the fourth authentication factor proposed by RSA) implemented as part of the study. However, 69% stated that they found this feature convenient when the primary channel was unavailable. Finally, 79% of respondents agreed to recommend the multi-channel authentication mechanisms to others if implemented by their bank.
Evaluating the Performance of Two-Factor Authentication Solution in the Banking Sector
2014
Two-factor authentication delivers authentication through devices the customers have and the information (PIN) they already know. In today’s corporate environment, the need exists to ensure that only authorized individuals or customers gain access to critical devices or services offered. This paper looks more closely at the banking industry by reviewing trends in transactions, infrastructures and consolidation using two-factor authentication (2FA) with respect to the Automated Teller Machine (ATM), and also examines the performance of the ATM.
AI-Enhanced Secure Mobile Banking System Utilizing Multi-Factor Authentication
International Journal of Experimental Research and Review, 2024
The increasing reliance on mobile banking has significantly heightened the need for robust security mechanisms to protect users from unauthorized access and fraudulent activities. As mobile banking continues to grow in popularity, safeguarding financial transactions and personal data becomes a top priority. This paper introduces an AI-enhanced secure mobile banking system that leverages Multi-Phase Authentication (MPA) to strengthen the authentication process. In this system, artificial intelligence is integrated with traditional authentication methods, creating a dynamic framework that assesses the risk level associated with each user interaction. Based on this real-time risk assessment, the system adjusts the authentication requirements, making them more stringent when higher risks are detected and more lenient when the risk is lower. This adaptive mechanism not only enhances the security of mobile banking by providing multiple layers of protection but also improves the user experience by reducing unnecessary authentication steps that can cause frustration and delay. The proposed system's effectiveness is validated through a series of simulations and case studies, which demonstrate significant improvements in key security metrics. These include a marked reduction in instances of fraud and lower false positive rates, which indicate that the system can accurately distinguish between legitimate and suspicious activities without imposing undue burden on users. Overall, the results of this study highlight the potential of AI-enhanced multi-phase authentication to provide a scalable and user-friendly solution for secure mobile banking. This approach represents a promising direction for the future of digital financial services, offering a balance between rigorous security and seamless user experience.
Proceedings 2015 Workshop on Usable Security, 2015
To prevent password breaches and guessing attacks, banks increasingly turn to two-factor authentication (2FA), requiring users to present at least one more factor, such as a one-time password generated by a hardware token or received via SMS, besides a password. We can expect some solutions, especially those adding a token, to create extra work for users, but little research has investigated usability, user acceptance, and perceived security of deployed 2FA. This paper presents an in-depth study of 2FA usability with 21 UK online banking customers, 16 of whom had accounts with more than one bank. We collected a rich set of qualitative and quantitative data through two rounds of semi-structured interviews, and an authentication diary over an average of 11 days. Our participants reported a wide range of usability issues, especially with the use of hardware tokens, showing that the mental and physical workload involved shapes how they use online banking. Key targets for improvements are (i) the reduction in the number of authentication steps, and (ii) removing features that do not add any security but negatively affect the user experience.
Online Banking User Authentication Methods: A Systematic Literature Review
IEEE Access, 2023
Online banking has become increasingly popular in recent years, making it a target for cyberattacks. Banks have implemented various user authentication methods to protect their customers' online accounts. This paper reviews the state-of-the-art user authentication methods used in online banking and potential cyber threats. This paper starts by exploring different user authentication methods, such as knowledge-based authentication (KBA), biometrics-based authentication (BBA), possession-based authentication (PBA), and other methods. The advantages and disadvantages of each user authentication method are then discussed. Furthermore, the paper discusses the various cyber threats that can compromise user authentication for online banking systems, such as malware attacks, social engineering, phishing attacks, man-in-the-middle (MiTM) attacks, denial of service (DoS) attacks, session hijacking, weak passwords, keyloggers, SQL injection, and replay attacks. Also, the paper explores the user authentication methods used by popular banks, which can provide insights into best practices for safeguarding online banking accounts and future user authentication methods in online banking and cyber threats. It states that the increasing use of BBA, two-factor authentication (2FA), and multi-factor authentication (MFA) will help improve the security of online banking systems. However, the paper also warns that new cyber challenges will emerge, and banks need to be vigilant in protecting their customers' online banking accounts.
A Survey of Authentication and Communications Security in Online Banking
ACM Computing Surveys, 2017
A survey was conducted to provide a state of the art of online banking authentication and communications security implementations. Between global regions the applied (single or multifactor) authentication schemes differ greatly, as well as the security of SSL/TLS implementations. Three phases for online banking development are identified. It is predicted that mobile banking will enter a third phase, characterized by the use of standard web technologies to develop mobile banking applications for different platforms. This has the potential to make mobile banking a target for attacks in a similar manner that home banking currently is.
Lecture Notes in Computer Science, 2019
Two-factor authentication provides a significant improvement over the security of traditional password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. In this decade, single password authentication (SPA) schemes are introduced to overcome the challenges of traditional password authentication, which is vulnerable to the offline dictionary, phishing, honeypot, and man-in-the-middle attacks. Unlike classical password-based authentication systems, in SPA schemes the user is required to remember only a single password (and a username) for all her accounts, while the password is protected against the aforementioned attacks in a provably secure manner. In this paper, for the first time, we implement the state-of-the-art mobile-based SPA system of Acar et al. (2013) as a prototype and assess its usability in a lab environment where we compare it against two-factor authentication (where, in both cases, in addition to the password, the user needs access to her mobile device). Our study shows that mobile-based SPA is as easy as, but less intimidating and more secure than two-factor authentication, making it a better alternative for online banking type deployments. Based on our study, we conclude with deployment recommendations and further usability study suggestions.