Web Authentication is an application programming interface (API) that allows a user to access their data without reliance on a phone number or email account. As part of two-factor or multi-factor authentication, the WebAuthn API is associated with the user’s physical device. The system provides a higher level of security than that offered by the practice of sending codes to SIMs.
MFA and 2FA
Two-factor authentication (2FA) and multi-factor authentication (MFA) have become essential in a world where cybercrime develops as fast as the technology it targets. MFA and 2FA are based on the principle of requiring more than one method of authentication. The more layers of security you have, the harder it is for criminals to reach your property and your data.
If someone is in possession of your credit card, they can steal from you by purchasing goods (in transactions up to £45 at a time); contactless payments, up to £45, require single-factor authentication – something you (or they) have. However, in order to steal your cash from a cashpoint, the thief must also use your PIN; cash withdrawals require two-factor authentication – something you (or they) have and something you (or they) know. Multi-factor authentication provides an additional layer of security; sometimes this third factor takes the form of a biometric – something you are – but it’s very often a one-time code sent to your device via email or phone.
SIM swap scam
SIM swapping is one of those crimes executed by criminals with an in-depth understanding of the human psyche and a well-honed ability to manipulate. These individuals also have the confidence and charm to carry out their crimes through direct communication, and they have no conscience. This type of crime is typically the speciality of a psychopath.
When a phone is lost or stolen, a service provider will sometimes transfer the number to a different SIM (subscriber identity module). The transfer depends, of course, on identity verification, so the fraudster’s first step is to gather personal information about their victim. This is done by purchasing information from organised criminals, stalking on social media, or via social engineering.
Social engineering is a wide subject, and not confined to criminal activity.
In the context of fraud, social engineering can take the form of phishing emails, which impersonate a legitimate individual or organisation. The victim is coerced, through a sense of compassion, fear, or confusion, into providing information or clicking on a malicious link. Voice phishing (vishing) and SMS phishing (smishing) are similar ways of extracting personal details from a victim.
In possession of the victim’s personal details, the fraudster contacts the phone company. Impersonating the victim, the fraudster claims that their phone has been lost and asks for the number to be ported to a new SIM. If this deception succeeds, the victim’s phone loses signal and their login codes are sent to the criminal’s SIM instead.
Phone numbers were not intended to be a way of confirming someone’s identity
App developers need a universal identifier, and in a free world that baulks at compulsory ID, the phone number is the next best thing. Unfortunately, the phone number is not especially secure. Allison Nixon, from the security company Flashpoint, says:
“Phone numbers were never intended to be a way to confirm someone’s identity. Phone companies were never in the business to sell identity documents. It was imposed on them.”
The imposition is being lifted, at last, by an API called Web Authentication.
WebAuthn by W3C and FIDO
The Web Authentication (WebAuthn) API (application programming interface) was developed by the W3C (World Wide Web Consortium), the main international standards organisation for the World Wide Web, together with the FIDO (Fast IDentity Online) Alliance, whose mission is to develop and promote authentication standards that reduce reliance on passwords.
Web Authentication allows users to log into their services by means of communication between the user’s security device and the service’s website. Security devices include, among others, software-based authenticators, such as the Google Authenticator or Microsoft Authenticator phone apps, and small fobs that connect to your computer via USB. The chief property of these security devices is that they are associated with your physical device rather than with a phone number or email account.
Fortify247, by PCSimple, provides dedicated cybersecurity services. To talk to us about Web Authentication and other ways to protect your networks, email Clive at [email protected] or give us a call on 01263 805012. Alternatively fill in the contact form and we’ll be in touch.
Article produced for and on behalf of PCSimple/Fortify247 by Folio Copywriting.