We have been asked this question many times since we launched TextKey™ at Finovate this year. Why is TextKey’s™ Omni-factor Authentication™ better than the standard two-factor authentication systems? Here’s our answer:
- TextPower developed TextKey’s™ Omni-factor Authentication™ system using cellular carrier “short codes”. This is a more secure and robust method than using standard phone numbers because the carrier actually performs the first-level security check for us by confirming that the mobile number is, in fact, the number that is matched to the UDID of the device in their records. This eliminates spoofing of the number, which can be a significant source of hacking.
- If there is a cross-device infection that injects, say, a remote control process that can take over the device’s sending of SMS messages, the hacker will still have to know the user’s PIN and will be unaware of the short code to which the message must be sent until the one-time password (OTP) is displayed on the web page of the protected site. Malware that controls mobile-originated (MO) SMS is programmed to send text messages to a specific destination, and thus our process defeats that type of malware.
- A hacker would have to be viewing the web page in real time, see the OTP, know the user’s PIN in advance, see the destination to which the message must be sent and then direct the MO-SMS to that destination – all within the timeout period set by the host. This is, at the least, incredibly unlikely and is certainly significantly more difficult to hack than any other currently available solution.
- The browser is uninvolved in the process other than displaying the OTP requested from the TextKey servers. The website’s host requests a TextKey OTP via an API over a secure connection to our server, and we send the OTP to the website server, which displays it. The subsequent process all occurs on a secure connection between the website host (our customer) and our server. Once the user sends the OTP, the website host asks our server through this secure connection whether we have received that OTP and, if so, whether it came from the expected mobile number. This happens on an SSL-protected connection between us and our customer and eliminates the browser from the authentication loop; therefore no man-in-the-middle or man-in-the-browser attacks can be utilized because there is no middle and no browser interaction.
In all other SMS-based authentication processes the “second” factor of authentication – the one-time password – is the only additional layer of protection. TextKey’s™ Omni-factor Authentication™ process verifies three factors – the UDID, the mobile number and the OTP – as our standard identity verification and adds the PIN (which can be up to 7 digits and either prepended or appended to the number depending on the choice of our customer or our customer’s end user) and the dynamically assigned destination as additional layers of protection.
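The server-side checks described above can be modelled as follows. This is an added illustration, not TextPower's code or API: the names `Challenge`, `issue` and `verify`, the six-digit OTP, the single-use rule, and the sample numbers and short codes are assumptions constructed for the example, and the carrier's confirmation of the number against the UDID is assumed to have happened before `verify` is called.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Challenge:               # hypothetical server-side record for one login attempt
    otp: str                   # shown on the protected site's web page
    short_code: str            # dynamically assigned destination for the MO-SMS
    mobile: str                # number registered for this user
    pin: str                   # user's PIN, never displayed
    pin_first: bool            # True: PIN prepended to the OTP, False: appended
    expires: float             # end of the host-defined timeout window
    used: bool = False

def issue(mobile, pin, pin_first, short_codes, ttl, now):
    """Create a challenge with a random OTP and a randomly chosen short code."""
    return Challenge(f"{secrets.randbelow(10**6):06d}", secrets.choice(short_codes),
                     mobile, pin, pin_first, now + ttl)

def verify(ch, sender, destination, body, now):
    """Check one inbound MO-SMS against a challenge; returns (ok, reason).
    `sender` is assumed to be the carrier-confirmed originating number."""
    if ch.used:
        return False, "replayed"
    if now > ch.expires:
        return False, "timeout"
    if sender != ch.mobile:
        return False, "wrong sender"
    if destination != ch.short_code:
        return False, "wrong destination"
    expected = ch.pin + ch.otp if ch.pin_first else ch.otp + ch.pin
    if not hmac.compare_digest(body.strip().encode(), expected.encode()):
        return False, "bad otp/pin"
    ch.used = True             # single use: a second copy of the message is rejected
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample values, not real numbers or short codes.
    ch = issue("+15550100", "1234", False, ["55501", "55502"], ttl=60, now=1000.0)
    wrong = "55502" if ch.short_code == "55501" else "55501"
    print(verify(ch, "+15550100", wrong, ch.otp + "1234", 1010.0))
    print(verify(ch, "+15550100", ch.short_code, ch.otp + "1234", 1010.0))
```

A message sent to a fixed, pre-programmed destination fails the `destination` check unless it happens to match the short code assigned to that one challenge.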
In the final analysis, TextKey’s™ Omni-factor Authentication™ is vastly superior to any other SMS-based authentication process for these reasons, and we would be happy to allow it to be scrutinized for validity. While the process may not be perfect, it is so much better than other 2FA systems that we believe we have accomplished the main goal of any security process: making an intrusion so difficult compared to other systems that the hacker leaves and goes “next door” to an easier target.