Security & Mobility Blog

Does multi-factor authentication security make you feel secure?

by Juniper Employee on 12-01-2011 03:51 PM

One of the “strengths” of multi-factor authentication has been the ability to authenticate a user with two relatively independent factors and thereby establish legitimate identity. One of the more common ways of doing this today is to use the ubiquitous SMS mechanism as the second factor. For instance, the user logs into a website with a username and password. An SMS containing a randomly generated one-time code is then sent to the mobile number previously registered for that user, and the user is challenged to enter that code. This validates the identity of the individual, since he would need to be in possession of the registered device to reproduce the second factor.

Now look at today’s landscape. The smartphone is increasingly becoming the primary access method for all forms of communication: data, text, video and so on. So a user opens the browser on the smartphone, accesses a website with two-factor authentication enabled, and successfully authenticates with the primary factor, username and password. That user subsequently receives an SMS on the same device with the code needed to complete the two-factor authentication. Note what has quietly happened: both factors now pass through one device, so the independence that gave the scheme its strength is gone. All is well. Or is it?

If you have been following the technology press recently, you will have noticed a rise in malware targeting the dominant smartphone operating systems, so the possibility of a compromised smartphone is more than a figment of the imagination. Imagine for a moment that the device has caught malware that spies on all browser communication as well as on every SMS received. It does not take much to connect the dots, but let us connect them anyway. The spyware watching browser activity notices that the primary authentication with username and password has completed. It captures those credentials, along with the fact that a secondary authentication via SMS is about to begin. It then listens for incoming SMSs and captures the code as well (and possibly suppresses delivery to the user, who assumes the message is delayed and waits patiently for it). Finally, the spyware sends the username and password, together with the SMS code, to a command-and-control server, which can then complete the two-factor login itself and commence fraudulent activity.
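The flow described in the two passages above, as an added simulation that is not part of the original post and is not Juniper code: a website that does password-then-SMS-code with the server-side controls a practitioner would expect (CSPRNG code, constant-time compare, attempt limit, short lifetime, single use), a handset on which spyware is modelled as hooks that see the browser form and the SMS inbox before the user does, and one function that runs the login on a clean and on an infected handset. All class and function names, the user, the password and the phone number are constructed for the example.

```python
"""Constructed simulation of SMS-as-second-factor on a clean and on an infected handset.
Not Juniper code; every name below is hypothetical."""
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
MAX_OTP_ATTEMPTS = 3


class Handset:
    """A phone. Spyware is modelled as hooks that run before the legitimate user sees anything."""

    def __init__(self):
        self.inbox = []
        self.sms_hooks = []      # called with each incoming SMS text; return True to suppress it
        self.browser_hooks = []  # called with (username, password) on every login form submit

    def receive_sms(self, text):
        if any(hook(text) for hook in self.sms_hooks):
            return               # suppressed: the user sees nothing and waits for the "delayed" text
        self.inbox.append(text)

    def browser_login(self, site, username, password):
        for hook in self.browser_hooks:
            hook(username, password)
        return site.primary_auth(username, password)


class Website:
    """Password first, then a one-time code texted to the number registered for the account."""

    def __init__(self, carrier, clock=time.time):
        self.carrier = carrier   # dict: phone number -> Handset (stand-in for the SMS gateway)
        self.clock = clock
        self.users = {}          # username -> (password, phone); plaintext only to keep the demo short
        self.pending = {}        # session id -> [username, otp, issued_at, attempts]
        self.logged_in = set()   # session ids that completed both factors

    def register(self, username, password, phone):
        self.users[username] = (password, phone)

    def primary_auth(self, username, password):
        """First factor. On success mint a code, text it, and return a half-authenticated session id."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return None
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, fixed width
        session = secrets.token_hex(16)
        self.pending[session] = [username, otp, self.clock(), 0]
        self.carrier[record[1]].receive_sms(f"Your login code is {otp}")
        return session

    def verify_otp(self, session, code):
        """Second factor: constant-time compare, limited attempts, short lifetime, single use."""
        entry = self.pending.get(session)
        if entry is None:
            return False
        username, otp, issued_at, attempts = entry
        if self.clock() - issued_at > OTP_TTL_SECONDS or attempts >= MAX_OTP_ATTEMPTS:
            del self.pending[session]
            return False
        entry[3] += 1
        if not hmac.compare_digest(otp.encode(), code.encode()):
            return False
        del self.pending[session]  # single use: the same code cannot be replayed
        self.logged_in.add(session)
        return True


def parse_code(text):
    """Pull the digits out of the SMS text, as the user does by eye."""
    return text.rsplit(" ", 1)[1]


def login_from_handset(infected):
    """Run the whole flow on one handset; report who ended up with a fully authenticated session."""
    phone = Handset()
    site = Website(carrier={"+15550100": phone})  # constructed number
    site.register("alice", "correct horse", "+15550100")

    stolen = {}  # the spyware's outbound queue to its command-and-control server
    if infected:
        phone.browser_hooks.append(lambda u, p: stolen.update(username=u, password=p))
        phone.sms_hooks.append(lambda text: stolen.update(otp=parse_code(text)) or True)  # grab and suppress

    session = phone.browser_login(site, "alice", "correct horse")
    user_ok = bool(phone.inbox) and site.verify_otp(session, parse_code(phone.inbox[-1]))

    attacker_ok = False
    if all(k in stolen for k in ("username", "password", "otp")):
        # The attacker logs in from its own machine with the stolen password; the site texts a
        # fresh code to the same infected phone, and the hook forwards that one too.
        attacker_session = site.primary_auth(stolen["username"], stolen["password"])
        attacker_ok = site.verify_otp(attacker_session, stolen["otp"])
    return {"user": user_ok, "attacker": attacker_ok, "sms_seen_by_user": bool(phone.inbox)}


if __name__ == "__main__":
    print("clean handset:   ", login_from_handset(infected=False))
    print("infected handset:", login_from_handset(infected=True))
```

On the clean handset the user completes both factors and the attacker gets nothing. On the infected handset the user never sees the text, and the attacker's own login triggers a fresh code to the same phone, which the hook forwards like any other. The point worth noticing is that every server-side control in `verify_otp` still holds (a replayed, guessed or stale code is rejected, as the assertions below check) and none of it helps, because the weakness is the delivery channel, not the code.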

Drat! What is the cure for this new malady? Watch this space!

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.