Elsevier

Computers & Security

Volume 95, August 2020, 101745
A survey on multi-factor authentication for online banking in the wild

https://doi.org/10.1016/j.cose.2020.101745

Abstract

In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.

Introduction

Over the last decade, the shift towards online businesses has gained momentum. A sector in which online services are becoming predominant is the banking sector, where most banks have started offering their services online. Online banking services allow customers to remotely access their bank accounts and financial data as well as to perform online payments and other financial transactions. These services are becoming increasingly popular among customers. According to Eurostat (2018), the number of European citizens using online banking services has doubled since 2007 and currently more than half of the European population use an online banking service daily.

Although online banking services provide evident benefits to both banks and customers, they introduce new security and privacy issues. Resources managed by online banking services are sensitive and, thus, they should be properly protected against theft and other attacks. A fundamental security measure for the protection of online resources is the employment of reliable (digital) authentication mechanisms, i.e., procedures that verify the digital identity of users and check their legitimacy. In this context, users have to exhibit an identity proof that can only be provided by the users themselves, thus deterring attackers from breaching their online resources. The most common identity proof consists of user credentials, i.e., username and password. However, they are often considered insufficient to achieve an adequate level of security and their use exposes users to several threats (Federal Financial Institutions Examination Council, 2007).

To tackle this problem, banks have started adopting Multi-Factor Authentication (MFA). MFA is based on a security protocol, called an MFA protocol, that integrates the use of credentials with additional identity proofs (the so-called authentication factors). Authentication factors are based on either knowledge, possession or inherence. During the execution of an MFA protocol, authentication factors are provided through specific objects, called authenticators. Therefore, an attacker stealing user credentials cannot execute an MFA protocol without also controlling the necessary authenticators.

When properly designed and implemented, MFA protocols provide strong security guarantees. Clearly, such guarantees can decay in case of a poor design. Designing security protocols is error-prone and many protocols implemented and deployed in real applications have been found flawed years later (Lowe, 1996). The design of an MFA protocol, especially compared to that of “standard” authentication protocols, is particularly challenging. Indeed, the type, number and order of the employed authenticators, the associated authentication factors and the employed communication channels have a significant impact on the security properties of MFA protocols. In addition, MFA protocols can be used to perform operations either from desktop computers (called Internet Payments - IP) or from mobile devices (called Mobile Payments - MP), requiring specific designs to tackle the different security assumptions underlying these endpoints. The ease-of-use of an MFA protocol is also of paramount importance to assess its efficacy. As shown in Cristofaro et al. (2013), Krol et al. (2015) and Weir et al. (2010), the use of multiple authenticators in the execution of an MFA protocol can negatively affect user experience, which in turn can have an impact on its security. On top of that, the preliminary phases of MFA, i.e., the registration of a new customer (called enrollment) and the binding of authenticators to users, require special attention to properly establish identity proofs and the associated user identity.

In order to regulate the design and adoption of MFA protocols and improve their security, a number of initiatives like FIDO (2017) and OATH Authentication have proposed to standardize MFA protocols. Moreover, public and private authorities have introduced regulations, directives and guidelines to steer their development and usage. For instance, the European Banking Authority (EBA) acknowledged the importance of MFA in the online banking context and, in 2013, issued directives and recommendations for online payment services (EBA, 2013a; EBA, 2013b). The more recent Payment Services Directive (EBA, 2015) and the related Regulatory Technical Standard (EBA, 2017) strongly bind online banking to MFA, explicitly stating the features that MFA protocols should support to be legitimately used for online banking. Similarly, other standardization bodies like the National Institute of Standards and Technology (NIST, 2017) and the Payment Card Industry (PCI, 2017) have proposed sets of guidelines concerning digital identity management through MFA. Similar initiatives are also carried out by private companies, which have started releasing their own guidelines (Centrify, Gemalto, PingIdentity).

In principle, these initiatives aim to guide the design of more secure and usable MFA protocols. However, the actual security and effectiveness of MFA remain uncertain. The main reason lies in the lack of a standardized approach to the adoption of MFA and in the consequent large number and heterogeneity of proprietary MFA protocols that have emerged in recent years. The goal of this work is to understand the state of affairs in the adoption of MFA in the context of online banking services.

Our Contribution. This paper presents a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Our study mainly focuses on online banking in the European Union (EU) and is grounded on the EU legal framework. Nonetheless, it also analyzes the adoption of MFA by non-EU banks to provide a comparative benchmark and to obtain a more global view on the state of affairs in the adoption of MFA in the banking sector.

For our study, we select 21 EU banks among those based in the 7 EU countries with the highest gross domestic product. As a reference with other important markets, we also select 9 other banks that are based in countries relevant for the banking sector but not subject to the EU legal framework, i.e., China, USA and Switzerland. For all banks, we review publicly available information (provided by the banks themselves) and collect data on the MFA protocols and authenticators as well as on the enrollment and binding procedures employed by each bank. The obtained dataset is used to investigate how MFA has currently been adopted by banks and to evaluate their performance in terms of compliance with laws and best practices, resistance to attacker models and ease of use.

To evaluate the compliance of banks with laws and guidelines, we extract (i) relevant legal requirements from the EU regulations and directives concerning MFA (including recommendations for the security of Internet payments (EBA, 2013a), those for mobile payments (EBA, 2013b), the Payments Service Directive 2 (EBA, 2015) and the associated Regulatory Technical Standard (EBA, 2017)) and (ii) best practices from various documents, guidelines and white papers provided by NIST (NIST, 2017) and other relevant institutions in the online banking context (Centrify, Gemalto, PingIdentity).

The security of MFA protocols is evaluated by assessing their resistance against relevant attacker models. In particular, we adopt a classification of attacker models inspired by the classification proposed by NIST (2017) and define an algebraic approach to verify whether an attacker model is able to compromise a given MFA protocol. To evaluate the ease-of-use of MFA protocols, we introduce a novel metric to assess the complexity of MFA protocols, i.e., the effort required from users for their execution.
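The text states the principle behind the security evaluation (an attacker model compromises an MFA protocol only if it controls every authenticator the protocol requires, as the introduction also notes for stolen credentials) but this page does not give the paper's algebra. The following is an added, constructed set-based illustration of that principle in Python; it is not the paper's formulation or dataset, and the asset names (`credentials`, `phone_number`, `hw_token`), the sample protocols and the attacker models are assumptions made for the example.

```python
"""Illustrative model: an attacker model breaks an MFA protocol only if it
can forge the proof of every authenticator the protocol requires.
Constructed example; asset names and sample protocols are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str                # "knowledge", "possession" or "inherence"
    channel: str               # channel carrying the proof to the bank
    needed: FrozenSet[str]     # assets an attacker must control to forge it


@dataclass(frozen=True)
class Protocol:
    name: str
    endpoint: str              # "IP" (desktop) or "MP" (mobile)
    authenticators: Tuple[Authenticator, ...]


@dataclass(frozen=True)
class Attacker:
    name: str
    controls: FrozenSet[str]   # assets the attacker model is assumed to hold


def factors(p: Protocol) -> Set[str]:
    """Distinct authentication-factor categories used by the protocol."""
    return {a.factor for a in p.authenticators}


def is_mfa(p: Protocol) -> bool:
    """MFA requires proofs from at least two different factor categories."""
    return len(factors(p)) >= 2


def surviving(p: Protocol, att: Attacker) -> List[str]:
    """Authenticators whose proof the attacker model cannot produce."""
    return [a.name for a in p.authenticators if not a.needed <= att.controls]


def compromised(p: Protocol, att: Attacker) -> bool:
    """The protocol falls only when no authenticator survives."""
    return not surviving(p, att)


def resistance_matrix(protocols, attackers) -> Dict[str, Dict[str, bool]]:
    """protocol name -> attacker name -> True if the protocol resists it."""
    return {p.name: {a.name: not compromised(p, a) for a in attackers}
            for p in protocols}


# --- constructed sample data (assumptions, not the paper's dataset) -----
PASSWORD = Authenticator("password", "knowledge", "web", frozenset({"credentials"}))
SMS_OTP = Authenticator("sms_otp", "possession", "sms", frozenset({"phone_number"}))
HW_TOKEN = Authenticator("hw_token_otp", "possession", "web", frozenset({"hw_token"}))

PWD_ONLY = Protocol("password only", "IP", (PASSWORD,))
PWD_SMS = Protocol("password + SMS OTP", "IP", (PASSWORD, SMS_OTP))
PWD_TOKEN = Protocol("password + hardware token", "IP", (PASSWORD, HW_TOKEN))

CRED_THIEF = Attacker("stolen credentials", frozenset({"credentials"}))
CRED_PHONE = Attacker("stolen credentials + phone number",
                      frozenset({"credentials", "phone_number"}))

if __name__ == "__main__":
    protocols = [PWD_ONLY, PWD_SMS, PWD_TOKEN]
    matrix = resistance_matrix(protocols, [CRED_THIEF, CRED_PHONE])
    for p in protocols:
        print(f"{p.name:28s} MFA={is_mfa(p)!s:5s} resists={matrix[p.name]}")
```

The matrix makes the point of the text concrete: adding a second factor only helps against attacker models that do not already control the asset behind that factor.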

Moreover, we hypothesize that these criteria might not be independent of one another. To this end, we investigate whether these criteria are correlated. In particular, we investigate possible correlations between (i) the compliance with requirements and the complexity of MFA protocols, (ii) the compliance with requirements and the resistance of MFA protocols against attacks and (iii) the complexity of MFA protocols and their resistance against attacks.

Our study leads to several important insights. The analyzed banks tend to offer multiple MFA protocols to their customers, based on very different designs and employing different authenticators. However, the potential of authenticators and their security properties do not yet seem to be fully understood. This has resulted in many complex MFA protocols that do not provide high security guarantees against attacks. In particular, the robustness of the analyzed MFA protocols against attacker models is, in general, lower than expected. However, we expect that compliance with the RTS (EBA, 2017), which will come into force in mid-2019, will improve the security level offered by MFA protocols.

Related Work. MFA is attracting increasing attention in the banking sector and this has resulted in the design of several MFA protocols for online banking, which are summarized in a few surveys. These surveys usually provide a classification and a comparison of MFA protocols and implementations. Choubey and Choubey (2013) analyze the authentication mechanisms for IP employed by banks of 7 countries. In particular, the authors provide a classification of the adopted authenticators and emphasize the lack of standardization in the design of MFA protocols. Kiljan et al. (2016) review the authentication and communication protocols for online banking adopted by 80 banks worldwide. This study provides an analysis of the temporal evolution of the MFA protocols adopted by banks, together with a classification of the used authentication factors and MFA protocols for both IP and MP. The security of MFA protocols for IP is evaluated by analyzing the implementation of the underlying TLS/SSL mechanisms, whereas the security of MFA protocols for MP is not analyzed. Dmitrienko et al. (2014) analyze the security of 6 commonly used MFA protocols for MP. In particular, they identify the main weaknesses of these MFA protocols in terms of potential implementation errors and resistance to attacker models. Krol et al. (2015) analyze the usability and perceived security of the authentication mechanisms employed by 10 UK banks (for a total of 9 MFA protocols) through user studies. Similarly, Althobaiti (2016) evaluates the security and usability of MFA protocols based on questionnaires and field tests. Finally, it is worth mentioning that this work substantially extends Sinigaglia et al. (2017), in which the authors lay the basis of the methodology used in this study.

The aforementioned studies differ from each other in the analyzed features and scope. Table 1 summarizes the main differences between those studies and our study. A primary difference is in the analyzed dataset and, in particular, in the number of banks and MFA protocols considered.

All surveys provide an analysis of MFA protocols along with the used authenticators, with the exception of the work in Choubey and Choubey (2013), which only provides a classification of authenticators without analyzing the protocols in which they are used. However, most surveys only analyze MFA protocols specific to one endpoint, with the majority considering protocols for IP. Our survey considers protocols for both IP and MP, since they might provide different security levels and user experience. Existing surveys also do not consider user enrollment and the binding of authenticators. Nevertheless, these phases can affect the overall security of an MFA protocol. Moreover, none of the previous works assesses the compliance of MFA solutions with laws and best practices. We claim that this aspect is also relevant, since often laws and best practices define a baseline for the security guarantees that an MFA protocol must provide.

Security aspects of MFA protocols are considered by most surveys, but at a different level compared to our work. For instance, some surveys (Dmitrienko, Liebchen, Rossow, Sadeghi, 2014, Kiljan, Simoens, De Cock, Eekelen, Vranken, 2016) analyze weaknesses in MFA implementations, whereas others (Althobaiti, 2016, Krol, Philippou, Cristofaro, Sasse, 2015) focus on the security of MFA protocols as perceived by users. In contrast to these studies, our work evaluates the security of MFA protocols by assessing their robustness against a set of attacker models. This analysis aims to compare MFA protocols in terms of resistance to well-defined attack scenarios. To the best of our knowledge, the only other proposal considering an attacker model for MFA protocols is Dmitrienko et al. (2014). However, their attacker model only considers the MP context.

Moreover, only a few surveys (Althobaiti, 2016, Krol, Philippou, Cristofaro, Sasse, 2015) evaluate the usability of MFA protocols. However, unlike those surveys, which evaluate the perceived usability and user satisfaction of MFA protocols through user studies, we focus on the efficiency of MFA protocols and propose an “objective” measurement of the complexity of MFA protocols, which can be computed from the dataset at hand. Finally, our survey is the only one that aims to discover correlations between compliance with laws and best practices, security and usability aspects. Leveraging this investigation, we are able to verify how the different features of MFA protocols and their compliance with laws and best practices are realized, along with their effects.

Structure of the paper. The remainder of the paper is structured as follows. Section 2 provides background knowledge on MFA. Section 3 presents the requirements and best practices extracted from directives and regulations. Section 4 presents our methodology. In particular, we present a description of our dataset along with the selected features and the research questions along with the evaluation criteria. Section 5 presents and discusses the obtained results, with a specific focus on the compliance of banks with requirements and best practices, along with a security and usability evaluation of MFA protocols. Section 6 discusses potential threats that may have undermined the obtained results. Finally, Section 7 presents lessons learned and open challenges and Section 8 concludes the paper.

Section snippets

Background

In this section, we introduce the main concepts related to Multi-Factor Authentication (MFA) in payment services. Our study of the literature has shown the lack of a common and consistent terminology in the field. Among the others (Armando, Carbone, Zanetti, 2013, DeFigueiredo, 2011, Furst, Lang, Nolle, 2000, Hao, Clarke, 2012, Kennedy, Millard, 2016, Sciarretta, Carbone, Ranise, Viganò, 2018), we have identified two main authoritative bodies, namely the National Institute of Standards and

Requirements and best practices

Several public and private stakeholders have defined requirements and best practices for the implementation of MFA systems. In this section, we identify and list the ones that are relevant for this study. A summary of the identified requirements and best practices is presented in Tables 2 and 3, respectively. There, we use three symbols to denote whether a statement is fully, partially or not defined by a certain source. The requirements and best practices will drive our

Methodology

In this section we present the methodology that we adopted for the analysis of MFA solutions adopted by banks.

Results

In this section, we present the results of our investigation. In particular, we answer the research questions introduced in Section 4.1 by means of the data and criteria discussed in Sections 4.2 and 4.3, respectively. Moreover, we verify whether the hypotheses presented in Section 4.4 hold.

Threats to validity and generality

In this section we list the limitations of our study and discuss their potential impact on the validity of our work. We distinguish between four types of threats, namely internal, external, construct and conclusion. We also discuss to what extent our methodology can be generalized to other application domains.

Internal threats

Internal threats to validity are mostly related to our bank and, thus, MFA protocol dataset. We obtained all information relevant and necessary for the analysis from the

Lessons learned

In this section we summarize our findings and provide lessons learned that should be taken into account when designing MFA implementations.

Lack of standardization brings a high variety of MFA protocols. Our study revealed that banks often offer several MFA protocols, which can be very different from each other. As shown in Section 5.1, these protocols vary in the employed authenticators and AFs, input/output data items and data channels, providing different levels of security and complexity. One

Conclusion

This study has investigated the current situation regarding the adoption of MFA in the online banking context. In particular, we analyzed the MFA solutions adopted by 30 banks operating in different countries with respect to their compliance with laws and guidelines, their robustness against well-established attacker models and complexity.

Although MFA promises high security guarantees, our study shows that the security level offered by MFA protocols currently employed by banks is not as high as

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work has been partially supported by the FINSEC Project (Grant No. 786727) – Integrated Framework for Predictive and Collaborative Security of Financial Infrastructures and by the H2020 Project SPARTA – Strategic Programs for Advanced Research and Technology in Europe (Grant No. 830892).

Federico Sinigaglia received his MSc Degree in Computer Engineering at the University of Genoa, Italy, in March 2015. He is a PhD student at the University of Genoa, working in the Security & Trust Research Unit of Fondazione Bruno Kessler in Trento (Italy). His research interests are security protocols, authentication procedures and mobile security.

References (47)

  • S. Kiljan et al. A survey of authentication and communications security in online banking. ACM Comput. Surv. (2016)
  • C.S. Weir et al. Usable security: user preferences for authentication methods in ebanking and the effects of experience. Interact. Comput. (2010)
  • M. Althobaiti. Assessing Usable Security of Multifactor Authentication (2016)
  • Android Developers Documentation. Android guides - protect against security threats with safetynet. a....
  • Android Developers Documentation. Android guides - security tips. b....
  • Android Developers Documentation. Android guides - security with HTTPS and SSL. c....
  • A. Armando et al. Formal modeling and automatic security analysis of two-factor and two-channel authentication protocols. Network and System Security, LNCS 7873 (2013)
  • BankID. Electronic identification solution....
  • J. Brooke. SUS: a quick and dirty usability scale. Usability Evaluation in Industry (1996)
  • Centrify. Best practices for multi-factor authentication. 2016....
  • J. Choubey et al. Secure user authentication in internet banking: a qualitative survey. International Journal of Innovation, Management and Technology (2013)
  • CNBC, 2018. Google is missing out on billions of dollars by not having an app store in China, new data shows....
  • E.D. Cristofaro et al. Two-factor or not two-factor? A comparative usability study of two-factor authentication. CoRR (2013)
  • D. DeFigueiredo. The case for mobile two-factor authentication. IEEE Secur. Privacy (2011)
  • A. Dmitrienko et al. Security analysis of mobile two-factor authentication schemes. Intel Technol. J. (2014)
  • EBA. Directive 2007/64/EC of the European Parliament and of the Council on payment services in the internal market...
  • EBA. Recommendations for the security of internet payments. 2013a....
  • EBA. Recommendations for the security of mobile payments - DRAFT. 2013b....
  • EBA. Directive 2015/2366 of the European Parliament and of the Council on payment services in the internal market...
  • EBA. Regulatory technical standards on strong customer authentication and common and secure communication under of...
  • European Parliament and Council. Regulation (EU) No 910/2014 on electronic identification and trust services for...
  • Eurostat. Internet banking on the rise. 2018....
  • Federal Financial Institutions Examination Council. Authentication in an internet banking environment. 2007....
Roberto Carbone has been a researcher in the Security & Trust research unit of Fondazione Bruno Kessler in Trento, Italy, since 2010. He received his PhD from the University of Genova in 2009. His PhD thesis, titled “LTL Model-Checking for Security Protocols”, was awarded the CLUSIT prize 2010 by the Italian Association for Information Security. His research focuses on the formal analysis of security protocols and services.

Gabriele Costa has been assistant professor at the System Modelling and Analysis (SysMA) unit of IMT School for Advanced Studies in Lucca, Italy, since 2017. He received his PhD from the University of Pisa in 2012. He was previously assistant professor at the University of Genoa and worked as a researcher for the Institute of Informatics and Telematics of the National Research Council of Italy (CNR). His research interests focus on the application of formal methods to cybersecurity.

Nicola Zannone received his Ph.D. degree in computer science at the University of Trento, Italy, in 2007. He is an associate professor in the Security Group at the Eindhoven University of Technology, the Netherlands. His research interests include computer security, data protection, access control and formal methods.