A survey on multi-factor authentication for online banking in the wild
Introduction
Over the last decade, the shift towards online businesses has gained momentum. A sector in which online services are becoming predominant is banking, where most banks now offer their services online. Online banking services allow customers to remotely access their bank accounts and financial data as well as to perform online payments and other financial transactions. These services are becoming increasingly popular among customers. According to Eurostat (2018), the number of European citizens using online banking services has doubled since 2007 and more than half of the European population now uses online banking services.
Although online banking services provide evident benefits to both banks and customers, they introduce new security and privacy issues. Resources managed by online banking services are sensitive and, thus, they should be properly protected against theft and other attacks. A fundamental security measure for the protection of online resources is the employment of reliable (digital) authentication mechanisms, i.e., procedures that verify the digital identity of users and check their legitimacy. In this context, users have to exhibit an identity proof that can only be provided by the users themselves, thus deterring attackers from breaching their online resources. The most common identity proof consists of user credentials, i.e., username and password. However, they are often considered insufficient to achieve an adequate level of security and their use exposes users to several threats (Federal Financial Institutions Examination Council, 2007).
To tackle this problem, banks have started adopting Multi-Factor Authentication (MFA). MFA is based on a security protocol, called an MFA protocol, that integrates the use of credentials with additional identity proofs (the so-called authentication factors). Authentication factors are based on knowledge, possession or inherence. During the execution of an MFA protocol, authentication factors are provided through specific objects, called authenticators. Therefore, an attacker who steals user credentials cannot execute an MFA protocol without also controlling the necessary authenticators.
When properly designed and implemented, MFA protocols provide strong security guarantees. These guarantees, however, degrade under a poor design. Designing security protocols is error-prone, and many protocols implemented and deployed in real applications have been found flawed years later (Lowe, 1996). The design of an MFA protocol, especially compared to that of “standard” authentication protocols, is particularly challenging. Indeed, the type, number and order of the employed authenticators, the associated authentication factors and the communication channels used have a significant impact on the security properties of MFA protocols. In addition, MFA protocols can be used to perform operations either from desktop computers (Internet Payments, IP) or from mobile devices (Mobile Payments, MP), requiring specific designs that account for the different security assumptions underlying these endpoints. The ease of use of an MFA protocol is also of paramount importance when assessing its efficacy. As shown in Cristofaro et al. (2013), Krol et al. (2015) and Weir et al. (2010), the use of multiple authenticators in the execution of an MFA protocol can negatively affect user experience, which in turn can affect its security. On top of that, the preliminary phases of MFA, i.e., the registration of a new customer (enrollment) and the binding of authenticators to users, require special attention to properly establish identity proofs and the associated user identity.
In order to regulate the design and adoption of MFA protocols and improve their security, initiatives such as FIDO (2017) and OATH have proposed standardized MFA protocols. Moreover, public and private authorities have introduced regulations, directives and guidelines to steer their development and usage. For instance, the European Banking Authority (EBA) acknowledged the importance of MFA in the online banking context and, in 2013, issued recommendations for the security of Internet and mobile payments (EBA, 2013a; EBA, 2013b). The more recent Payment Services Directive 2 (EBA, 2015) and the related Regulatory Technical Standard (EBA, 2017) tightly bind online banking to MFA, explicitly stating the features that MFA protocols must support to be legitimately used for online banking. Similarly, other standardization bodies, such as the National Institute of Standards and Technology (NIST, 2017) and the Payment Card Industry (PCI, 2017), have proposed guidelines on digital identity management through MFA. Private companies have also started releasing their own guidelines (Centrify, Gemalto, PingIdentity).
In principle, these initiatives aim to guide the design of more secure and usable MFA protocols. However, the actual security and effectiveness of MFA remain uncertain. The main reason lies in the lack of a standardized approach in the adoption of MFA and in the consequent large number and heterogeneity of proprietary MFA protocols that emerged over the last years. The goal of this work is to understand the state of affairs in the adoption of MFA in the context of online banking services.
Our Contribution. This paper presents a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Our study mainly focuses on online banking in the European Union (EU) and is grounded in the EU legal framework. Nonetheless, it also analyzes the adoption of MFA by non-EU banks to provide a comparative benchmark and to obtain a more global view of the state of affairs in the adoption of MFA in the banking sector.
For our study, we select 21 EU banks based in the seven EU countries with the highest gross domestic product. As a reference against other important markets, we also select nine banks based in countries that are relevant for the banking sector but not subject to the EU legal framework, i.e., China, the USA and Switzerland. For all banks, we review publicly available information (provided by the banks themselves) and collect data on the MFA protocols and authenticators as well as on the enrollment and binding procedures employed by each bank. The resulting dataset is used to investigate how banks have adopted MFA and to evaluate them in terms of compliance with laws and best practices, resistance to attacker models and ease of use.
To evaluate the compliance of banks with laws and guidelines, we extract (i) relevant legal requirements from the EU regulations and directives concerning MFA (including recommendations for the security of Internet payments (EBA, 2013a), those for mobile payments (EBA, 2013b), the Payments Service Directive 2 (EBA, 2015) and the associated Regulatory Technical Standard (EBA, 2017)) and (ii) best practices from various documents, guidelines and white papers provided by NIST (NIST, 2017) and other relevant institutions in the online banking context (Centrify, Gemalto, PingIdentity).
The security of MFA protocols is evaluated by assessing their resistance against relevant attacker models. In particular, we adopt a classification of attacker models inspired by the one proposed by NIST (2017) and define an algebraic approach to verify whether an attacker model is able to compromise a given MFA protocol. To evaluate the ease of use of MFA protocols, we introduce a novel metric for their complexity, i.e., the effort users must spend to execute them.
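The two evaluation criteria described above, resistance to an attacker model and a complexity metric, and the earlier observation that an attacker holding stolen credentials still needs every remaining authenticator, can be made concrete with a small set-based model. The following is an added example written for this page; it is not the paper's algebra, dataset or metric. It assumes hypothetical capability names ("credentials", "sms_intercept", "phone_malware", ...), hypothetical authenticators with invented user-action counts, and a toy complexity metric (the sum of user actions). An attacker model is a set of capabilities; an authenticator is breached when the attacker holds one of its sufficient capability sets; a protocol is compromised only when every authenticator is breached. The example also checks whether a single capability defeats all authenticators, which is how independence of the authentication elements is lost when both factors live on the same device.

```python
"""Illustrative set-based check of MFA protocols against attacker models.

Constructed example for this page, not the paper's algebra, dataset or metric.
All capability names, authenticators and action counts below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Capability = str  # e.g. "credentials", "sms_intercept", "phone_malware"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str  # "knowledge", "possession" or "inherence"
    # Alternative capability sets; holding any one of them lets the attacker
    # produce this authenticator's identity proof.
    breaches: Tuple[FrozenSet[Capability], ...]
    user_actions: int  # hypothetical cost: steps the user performs


@dataclass(frozen=True)
class MFAProtocol:
    name: str
    authenticators: Tuple[Authenticator, ...]

    def factors(self) -> FrozenSet[str]:
        return frozenset(a.factor for a in self.authenticators)

    def is_multi_factor(self) -> bool:
        # Two or more distinct factor categories (knowledge/possession/inherence).
        return len(self.factors()) >= 2

    def complexity(self) -> int:
        # Toy effort metric: total user actions across all authenticators.
        return sum(a.user_actions for a in self.authenticators)


def breached(auth: Authenticator, attacker: FrozenSet[Capability]) -> bool:
    """True if the attacker holds a complete capability set for this authenticator."""
    return any(required <= attacker for required in auth.breaches)


def compromised_by(protocol: MFAProtocol, attacker: FrozenSet[Capability]) -> bool:
    """The protocol falls only if the proof of every authenticator can be produced."""
    return all(breached(a, attacker) for a in protocol.authenticators)


def single_points_of_failure(protocol: MFAProtocol) -> List[Capability]:
    """Capabilities that alone break every authenticator, i.e. independence is lost."""
    mentioned = {c for a in protocol.authenticators for req in a.breaches for c in req}
    return sorted(c for c in mentioned if compromised_by(protocol, frozenset({c})))


# Hypothetical authenticators (names and costs are constructed for this example).
PASSWORD = Authenticator("password typed in browser", "knowledge",
                         (frozenset({"credentials"}), frozenset({"desktop_malware"})), 1)
SMS_OTP = Authenticator("SMS one-time code", "possession",
                        (frozenset({"sms_intercept"}), frozenset({"phone_malware"})), 2)
HW_TOKEN = Authenticator("hardware OTP token", "possession",
                         (frozenset({"physical_token"}),), 3)
APP_PIN = Authenticator("PIN typed into banking app", "knowledge",
                        (frozenset({"phone_malware"}),), 1)
APP_APPROVE = Authenticator("approval in banking app", "possession",
                            (frozenset({"phone_malware"}),), 1)

IP_SMS = MFAProtocol("IP: password + SMS OTP", (PASSWORD, SMS_OTP))
IP_TOKEN = MFAProtocol("IP: password + hardware token", (PASSWORD, HW_TOKEN))
MP_APP = MFAProtocol("MP: app PIN + in-app approval", (APP_PIN, APP_APPROVE))

# Hypothetical attacker models, each a set of capabilities.
ATTACKERS: Dict[str, FrozenSet[Capability]] = {
    "credential_thief": frozenset({"credentials"}),
    "phisher_with_sms_intercept": frozenset({"credentials", "sms_intercept"}),
    "phone_malware": frozenset({"phone_malware"}),
}


def evaluate(protocol: MFAProtocol) -> Dict[str, object]:
    """Summarise one protocol: factor check, complexity, resistance, independence."""
    return {
        "multi_factor": protocol.is_multi_factor(),
        "complexity": protocol.complexity(),
        "resists": {name: not compromised_by(protocol, caps) for name, caps in ATTACKERS.items()},
        "single_points_of_failure": single_points_of_failure(protocol),
    }


if __name__ == "__main__":
    for p in (IP_SMS, IP_TOKEN, MP_APP):
        print(p.name, evaluate(p))
```

Running the block shows the trade-off the survey is after: the app-only protocol is the cheapest for the user (two actions) and formally uses two factor categories, yet a single capability (malware on the phone) defeats both of its authenticators, whereas the password-plus-hardware-token protocol costs four actions and resists every attacker model listed.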
Moreover, we hypothesize that these criteria might not be independent from each other. To this end, we investigate whether these criteria are correlated. In particular, we investigate possible correlations between (i) the compliance with requirements and the complexity of MFA protocols, (ii) the compliance with requirements and the resistance of MFA protocols against attacks and (iii) the complexity of MFA protocols and their resistance against attacks.
Our study leads to several important insights. The analyzed banks tend to offer multiple MFA protocols to their customers, based on very different designs and employing different authenticators. However, the potential of authenticators and their security properties do not yet seem to be fully understood. This has resulted in many complex MFA protocols that do not provide high security guarantees against attacks. In particular, the robustness of the analyzed MFA protocols against attacker models is, in general, lower than expected. However, we expect that compliance with the RTS (EBA, 2017), which will come into force in mid-2019, will improve the security level offered by MFA protocols.
Related Work. MFA is attracting increasing attention in the banking sector and this has resulted in the design of several MFA protocols for online banking, which are summarized in a few surveys. These surveys usually provide a classification and a comparison of MFA protocols and implementations. Choubey and Choubey (2013) analyze the authentication mechanisms for IP employed by banks of 7 countries. In particular, the authors provide a classification of the adopted authenticators and emphasize the lack of standardization in the design of MFA protocols. Kiljan et al. (2016) review the authentication and communication protocols for online banking adopted by 80 banks worldwide. This study provides an analysis of the temporal evolution of MFA protocols adopted by banks, together with a classification of the used authentication factors and MFA protocols for both IP and MP. The security of MFA protocols for IP is evaluated by analyzing the implementation of the underlying TLS/SSL mechanisms, whereas the security of MFA protocols for MP is not analyzed. Dmitrienko et al. (2014) analyze the security of 6 commonly used MFA protocols for MP. In particular, they identify the main weaknesses of these MFA protocols in terms of potential implementation errors and resistance to attacker models. Krol et al. (2015) analyze the usability and perceived security of the authentication mechanisms employed by 10 UK banks (for a total of 9 MFA protocols) through user studies. Similarly, Althobaiti (2016) evaluates the security and usability of MFA protocols based on questionnaires and field tests. Finally, it is worth mentioning that this work substantially extends Sinigaglia et al. (2017), in which the authors lay the basis of the methodology used in this study.
The aforementioned studies differ from each other for the analyzed features and scope. Table 1 summarizes the main differences between those studies and our study. A primary difference is in the analyzed dataset and, in particular, in the number of banks and MFA protocols considered.
All surveys provide an analysis of MFA protocols along with the used authenticators, with the exception of the work in Choubey and Choubey (2013), which only provides a classification of authenticators without analyzing the protocols in which they are used. However, most surveys only analyze MFA protocols specific to one endpoint, with the majority considering protocols for IP. Our survey considers protocols for both IP and MP, since they might provide different security levels and user experience. Existing surveys also do not consider user enrollment and the binding of authenticators. Nevertheless, these phases can affect the overall security of an MFA protocol. Moreover, none of the previous works assesses the compliance of MFA solutions with laws and best practices. We claim that this aspect is also relevant, since often laws and best practices define a baseline for the security guarantees that an MFA protocol must provide.
Security aspects of MFA protocols are considered by most surveys, but at a different level compared to our work. For instance, some surveys (Dmitrienko, Liebchen, Rossow, Sadeghi, 2014, Kiljan, Simoens, De Cock, Eekelen, Vranken, 2016) analyze weaknesses in MFA implementations, whereas others (Althobaiti, 2016, Krol, Philippou, Cristofaro, Sasse, 2015) focus on the security of MFA protocols as perceived by users. In contrast to these studies, our work evaluates the security of MFA protocols by assessing their robustness against a set of attacker models. This analysis aims to compare MFA protocols in terms of resistance to well-defined attack scenarios. To the best of our knowledge, the only other proposal considering an attacker model for MFA protocols is Dmitrienko et al. (2014). However, their attacker model only considers the MP context.
Moreover, only a few surveys (Althobaiti, 2016, Krol, Philippou, Cristofaro, Sasse, 2015) evaluate the usability of MFA protocols. However, unlike those surveys, which evaluate perceived usability and user satisfaction through user studies, we focus on the efficiency of MFA protocols and propose an “objective” measurement of their complexity, which can be computed from the dataset at hand. Finally, our survey is the only one that aims to discover correlations between compliance with laws and best practices, security and usability aspects. Leveraging this investigation, we are able to verify how the different features of MFA protocols and their compliance with laws and best practices are realized, along with their effects.
Structure of the paper. The remainder of the paper is structured as follows. Section 2 provides background knowledge on MFA. Section 3 presents the requirements and best practices extracted from directives and regulations. Section 4 presents our methodology: a description of our dataset and the selected features, the research questions and the evaluation criteria. Section 5 presents and discusses the obtained results, with a specific focus on the compliance of banks with requirements and best practices, along with a security and usability evaluation of MFA protocols. Section 6 discusses potential threats that may have undermined the obtained results. Finally, Section 7 presents lessons learned and open challenges, and Section 8 concludes the paper.
Background
In this section, we introduce the main concepts related to Multi-Factor Authentication (MFA) in payment services. Our study of the literature has shown the lack of a common and consistent terminology in the field. Among the others (Armando, Carbone, Zanetti, 2013, DeFigueiredo, 2011, Furst, Lang, Nolle, 2000, Hao, Clarke, 2012, Kennedy, Millard, 2016, Sciarretta, Carbone, Ranise, Viganò, 2018), we have identified two main authoritative bodies, namely the National Institute of Standards and
Requirements and best practices
Several public and private stakeholders have defined requirements and best practices for the implementation of MFA systems. In this section, we identify and list the ones that are relevant for this study. A summary of the identified requirements and best practices is presented in Tables 2 and 3, respectively. There, a dedicated symbol denotes whether a statement is fully, partially or not defined by a certain source. The requirements and best practices will drive our
Methodology
In this section we present the methodology that we adopted for the analysis of MFA solutions adopted by banks.
Results
In this section, we present the results of our investigation. In particular, we answer the research questions introduced in Section 4.1 by means of the data and criteria discussed in Sections 4.2 and 4.3, respectively. Moreover, we verify whether the hypotheses presented in Section 4.4 hold.
Threats to validity and generality
In this section we list the limitations of our study and discuss their potential impact on the validity of our work. We distinguish between four types of threats, namely internal, external, construct and conclusion. We also discuss to what extent our methodology can be generalized to other application domains.
Internal threats
Internal threats to validity are mostly related to our bank and, thus, MFA protocol dataset. We obtained all information relevant and necessary for the analysis from the
Lessons learned
In this section we summarize our findings and provide lessons learned that should be taken into account when designing MFA implementations.
Lack of standardization brings high variety of MFA protocols. Our study revealed that banks often offer several MFA protocols, which can be very different from each other. As shown in Section 5.1, these protocols vary in the employed authenticators and AFs, input/output data items and data channels, providing different levels of security and complexity. One
Conclusion
This study has investigated the current situation regarding the adoption of MFA in the online banking context. In particular, we analyzed the MFA solutions adopted by 30 banks operating in different countries with respect to their compliance with laws and guidelines, their robustness against well-established attacker models and complexity.
Although MFA promises high security guarantees, our study shows that the security level offered by MFA protocols currently employed by banks is not as high as
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
This work has been partially supported by the FINSEC Project (Grant No. 786727) – Integrated Framework for Predictive and Collaborative Security of Financial Infrastructures and by the H2020 Project SPARTA – Strategic Programs for Advanced Research and Technology in Europe (Grant No. 830892).
Federico Sinigaglia received his MSc Degree in Computer Engineering at the University of Genoa, Italy, in March 2015. He is a PhD student at the University of Genoa, working in the Security & Trust Research Unit of Fondazione Bruno Kessler in Trento (Italy). His research interests are security protocols, authentication procedures and mobile security.
References
- Kiljan, Simoens, De Cock, Eekelen, Vranken. A survey of authentication and communications security in online banking. ACM Comput. Surv. (2016).
- Weir et al. Usable security: user preferences for authentication methods in ebanking and the effects of experience. Interact. Comput. (2010).
- Althobaiti. Assessing Usable Security of Multifactor Authentication (2016).
- Android Developers Documentation. Android guides - protect against security threats with SafetyNet.
- Android Developers Documentation. Android guides - security tips.
- Android Developers Documentation. Android guides - security with HTTPS and SSL.
- Armando, Carbone, Zanetti. Formal modeling and automatic security analysis of two-factor and two-channel authentication protocols. Network and System Security, LNCS 7873 (2013).
- BankID. Electronic identification solution.
- Brooke. SUS: a quick and dirty usability scale. Usability Evaluation in Industry (1996).
- Centrify. Best practices for multi-factor authentication (2016).
- Choubey, Choubey. Secure user authentication in internet banking: a qualitative survey. Int. J. Innov. Manag. Technol. (2013).
- Cristofaro et al. Two-factor or not two-factor? A comparative usability study of two-factor authentication. CoRR (2013).
- DeFigueiredo. The case for mobile two-factor authentication. IEEE Secur. Privacy (2011).
- Dmitrienko, Liebchen, Rossow, Sadeghi. Security analysis of mobile two-factor authentication schemes. Intel Technol. J. (2014).
Roberto Carbone has been a researcher in the Security & Trust research unit of Fondazione Bruno Kessler in Trento, Italy, since 2010. He received his PhD from the University of Genova in 2009. His PhD thesis, titled “LTL Model-Checking for Security Protocols”, was awarded the CLUSIT prize 2010 by the Italian Association for Information Security. His research focuses on the formal analysis of security protocols and services.
Gabriele Costa has been assistant professor at the System Modelling and Analysis (SysMA) unit of the IMT School for Advanced Studies in Lucca, Italy, since 2017. He received his PhD from the University of Pisa in 2012. He was previously assistant professor at the University of Genoa and worked as a researcher for the Institute of Informatics and Telematics of the National Research Council of Italy (CNR). His research interests focus on the application of formal methods to cybersecurity.
Nicola Zannone received his Ph.D. degree in computer science at the University of Trento, Italy, in 2007. He is an associate professor in the Security Group at the Eindhoven University of Technology, the Netherlands. His research interests include computer security, data protection, access control and formal methods.