DEV Community: Fitzwilliam Anderson

Should Twitter Charge for SMS 2FA If a Better Option Already Exists?

Fitzwilliam Anderson — Fri, 07 Apr 2023 16:00:00 +0000

Can you put a price tag on security? According to Twitter executives, you can. For $8 a month, the cost of Twitter’s premium service Twitter Blue, customers can continue to enjoy the added security benefits of 2-factor authentication. Users who do not subscribe to Twitter Blue will be booted from phone-number based 2FA, a service that was previously free, in 30 days. The product announcement has caused controversy for the social media giant, raising concerns from privacy advocates, eliciting mixed reviews from the cybersecurity community, and causing widespread confusion among Twitter users.

Here’s an excerpt from Twitter’s official announcement:

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers.”

When announcing its plan to make SMS-based 2FA a paid feature, Twitter took the unorthodox approach of highlighting the very legitimate limitations of phone-number based 2FA rather than highlighting its benefits. In this brief excerpt, Twitter (1) describes 2FA as popular, (2) admits that 2FA can be “used and abused by bad actors,” and (3) announces a plan to limit 2FA to paying customers only. No wonder why folks are confused!

Is there a method to the madness? To find out, we’ll dive into both the strengths and weaknesses of SMS-based 2FA, take a look at the macroeconomic pressures informing Twitter’s decision to begin charging for the service, and finally study the potential implications of this bold move on the digital authentication landscape at large.

Why has phone-number based 2FA been “historically popular”?

Two-factor authentication is a common subset of Multi-Factor Authentication (MFA). In Twitter’s case, the user’s first credential is their username and password. If they have 2FA activated, the user’s second credential is a unique string of numbers known as a one-time passcode that is sent to their registered phone via SMS. At Prove, we call this ‘running a possession check.’

Phone-number based 2FA is popular because it doesn’t require the user to download an authentication app. It’s as simple as receiving an SMS. Unfortunately, as the Twitter statement rightly pointed out, 2FA also has some major security vulnerabilities.

What are the limitations of SMS-based 2FA?

Despite their popularity, SMS-based 2FA has security vulnerabilities that are worth noting as fraudsters have developed a playbook to steal a victim’s OTP via a SIM swap fraud.

With SIM swap attacks, fraudsters can surreptitiously take over a victim’s phone, intercept the OTP, and successfully enter into a victim’s account in just minutes. There are multiple reports outlining the devastating effects of SIM swap fraud on a victim’s life.

SIM swap attacks are a common way for fraudsters to bypass many MFA flows by intercepting OTPs. A study by Prove, which analyzed over 385,000 SMS and voice OTP-based transactions across industries, found that 5% of them had low SIM tenure, indicating a high possibility of a recent SIM swap or an account takeover. Another recent study on the top five US prepaid carriers highlighted that 80% of SIM swap attacks were successful because of authentication vulnerabilities.

If SMS-based 2FA is vulnerable to attack, why is Twitter turning it into a paid feature?

For the money, of course. As their old model of ad revenue implodes, the social media giants are searching for new ways to cut costs and boost revenue. Charging users for 2FA achieves both these goals.

Cutting Costs: The cost of generating these OTPs and sending them via SMS can be significant. In December, Musk aired his grievances against the telcos and the fees they impose on Twitter Spaces:

“…I discovered this, basically, about 10 days ago, that Twitter was being scammed to the tune of 60 million dollars a year for SMS texts, not counting North America… Basically, there are telcos who are not being super honest out there, in other parts of the world, who were basically gaming the system and running, like, two-factor authentication SMS texts over and over again, and just creating a zillion bot accounts to literally run up the tab so that Twitter would SMS text them, and Twitter would pay them millions of dollars, without even asking about it.”

If bots outside of North America were costing Twitter $60 million annually, imagine how expensive the entire 2FA program is overall. Although most companies consider MFA simply the cost of doing business in the modern age, the difficult economic environment for tech companies is causing many CEOs to search for savings everywhere. It’s no coincidence that the shift toward passwordless technology has accelerated in the past year across industries, resulting in many companies achieving savings by eliminating pricey OTPs, bolstering security, and improving user experience.

Boosting Revenue: By folding SMS-based 2FA into Twitter Blue rather than phasing it out entirely, Twitter is betting that the added security benefits will entice new customers to pay for its premium service. While charging customers for services that were previously free is never going to win you any popularity contests, Twitter charging users for 2FA is a bit like General Motors charging drivers for seat belts.

Of course, Twitter is far from the only company searching for ways to monetize digital identity. Meta is now selling verified blue checks on Facebook and Instagram for $11.99 a month on the web or US$14.99 on iOS and Android.

Closing Thought

Twitter's decision to charge consumers for SMS-based 2FA is a great example of doing the right thing for the wrong reason. By disabling 2FA for the vast majority of their customers who do not pay for the premium service, Twitter is phasing out a security service that has long had major security vulnerabilities. This should be celebrated. That being said, removing 2FA is easy compared to what happens next. To improve security, Twitter should go passwordless and replace OTPs with a more sophisticated, more powerful solution like Prove Auth. Ultimately, removing even an imperfect solution like SMS-based 2FA without a plan to replace it with better technology is irresponsible and could result in a bonanza for fraudsters. If the phasing out of SMS-based 2FA results in increased fraud, the resulting PR nightmare will far outweigh the cost of sending out OTPs.

What is Cryptographic Authentication and Why Are Leading Companies Moving Away from Risk-Based Authentication?

Fitzwilliam Anderson — Tue, 04 Apr 2023 16:00:00 +0000

As fraud continues to rise and customer expectations for frictionless experiences continue to increase, more and more companies are upgrading outdated risk-based identity authentication technology to more advanced methods such as cryptographic authentication. In this blog post, we’ll explain what cryptographic authentication is and how it is making customer experiences faster and easier while also mitigating more fraud. If you are already familiar with the basics of cryptographic authentication, feel free to skip ahead to the “What is Risk-Based Authentication and Why is Cryptographic Authentication Better?” section or the proof points section at the end of this post.

What is Cryptographic Authentication?

Cryptographic authentication (AKA key-based authentication) allows relying parties (financial institutions, companies, and governments) to trust that the data asserted by users during authentication and verification events is actually true by leveraging cryptography as the source of truth.

Cryptography refers to the science of writing or solving codes. Encryption, “the application of cryptography,” is “the process of converting plain text into a cipher, which can’t be figured out without a key.” Think of the phone number (more specifically, the unique serial number found on every SIM card) as the key used to unlock the encrypted data contained in Prove’s tokens.

What is Risk-Based Authentication and Why is Cryptographic Authentication Better?

Risk-based authentication (RBA) utilizes machine learning techniques and data to assess the level of risk behind a particular transaction. In short, it uses data from past behavior to predict future behavior. Today, risk-based authentication is the predominant way companies determine whether or not an authentication event or transaction is legitimate or should be flagged.

‍While RBA has grown more sophisticated by incorporating more advanced machine learning techniques to analyze new types of data (IP addresses, historical transaction velocities, and consumer spend profile), it suffers from a fatal flaw: regardless of how sophisticated the machine learning tools are, they are susceptible to inaccurate data sources which can lead to inaccurate predictions.

If Risk-Based Authentication (RBA) has grown more sophisticated, why is fraud increasing?

First, some context. As more transactions become digital, there will be both a greater volume of transactions and a larger pool of money in aggregate that is at risk of fraud. The shift toward digital transactions as the primary way of conducting business gives bad actors both more opportunities and greater incentives. After congress raced to make hundreds of billions of dollars’ worth of Pandemic Unemployment Assistance payments available, for example, fraudsters quickly followed suit and siphoned off an estimated $87 billion.

‍That being said, the limitations of risk-based authentication are also contributing significantly to the rising rates of fraud. The Achilles heel of RBA can best be summarized by an old computer science adage: garbage in, garbage out.

‍Imagine you are pulling your credit score. In order to pull a credit score, you need to present personally identifiable information (PII) that, in theory, only you should know (your SSN, for example). Unfortunately, we live in a digital environment where PII is easy to access as a result of large and frequent data breaches. Once a fraudster has your data, they can pull your credit report and even add fake data to your various online credit profiles, creating a synthetic identity without your knowledge. RBAs will then analyze these synthetic identities (garbage in) and make inaccurate risk-based assessments (garbage out).

Why is Cryptographic Authentication Better?

Cryptographic authentication is needed to ensure that the data fed into machine-learning systems is tied to the consumer and not a bad actor.

‍Prove accomplishes this by ensuring that the identity of the consumer is cryptographically authenticated prior to trusting the information that is submitted. We do this using a variety of methods – for example, by requiring the consumer to prove possession of a known phone number. By running a possession check, Prove implicitly links the consumer’s SIM card’s authentication to the cellular network to ensure the company is talking to the right person.

‍To use the credit score example again, Prove can easily stop the bad actor from pulling a victim's credit score even if the bad actor knows all the relevant information about the victim. This is achieved by forcing an authentication to a known cryptographic key (such as a phone number) into the transaction flow. This is the reason Prove has focused significantly on phones and phone numbers as a means of authentication. However, this overall approach is not limited to phones or phone numbers but rather the usage of a cryptographic key tied to a person.

What are the benefits of leveraging the mobile phone to conduct cryptographic authentication?

Phone-Centric Identity™, also known as Mobile Identity, Device Intelligence, or Phone Intelligence, refers to technology that leverages and analyzes mobile, telecom, and other signals for the purposes of identity verification, identity authentication, and fraud prevention. It’s key to conducting cryptographic authentication.

‍‍Phone-Centric Identity™ relies on billions of signals from authoritative sources pulled in real-time, making it a powerful proxy for digital identity and trust. If you think about how many people have mobile phones, how long they have had them, and how often they use them, it’s clear why Phone-Centric Identity signals are highly correlated with identity and trustworthiness.

The above chart from a McKinsey report entitled “Fighting Back Against Synthetic Identity Fraud” shows that profiles with higher depth (how far back the data goes) and consistency (how often the same data is seen) had a lower risk of being fraudulent. Phone-Centric Identity™ signals—which include phone line tenure; phone behavior such as calls, texts, logins, and ad views; phone line change events as ports, snap-backs, true disconnects, and phone number changes; phone number account takeovers such as SIM swaps; and velocity and behavior of change events—are both high-depth and high-consistency.

‍For example, Phone-Centric Identity™ signals for a given consumer typically go back many years (high-depth), given that most consumers now open phone accounts at a relatively young age. In fact, 50% of 11-year-olds now have a phone number (Source: The Common Sense Census: Media Use by Tweens and Teens). In terms of consistency, Phone-Centric Identity™ signals provide one of the best views into whether a consumer’s activity is inconsistent with their regular activity, signaling potentially suspicious behavior.

‍This stands in stark contrast to social security numbers or passwords, which can be easily purchased on the dark web by hackers and used to break into a consumer’s account. In order to break Phone-Centric Identity™-based verification and authentication, a fraudster would need to buy a phone in the victim’s name, pay for it for years, and use it to make calls and log into apps every day to mimic the victim’s behavior. While this is possible, it certainly isn’t scalable or worth most criminals’ time.

The Unique "Possession" Factor

Phone-Centric Identity™ also uniquely utilizes the mobile device as a “what you have” factor that companies can use to deterministically say whether they are interacting with their customer or not. This check, often referred to as a “possession” check, returns a binary result as opposed to a probabilistic score. By understanding whether a consumer is in physical possession of their mobile device or not, Phone-Centric Identity™ technology can return a yes or no answer about whether a company is interacting with their customer or someone else.

Enhanced Customer Experience and Privacy

Phones also have built-in, passive authentication, encryption, and privacy. By applying Phone-Centric Identity™ technology to web, app, mobile, chat, call center, and even in-person interactions, companies can give their customers a safer, easier, and faster experience. The consumer does not need to download a separate app or purchase a physical hardware token to authenticate themselves, and the process can often take place invisibly and seamlessly through their existing mobile device.

‍Opening new accounts, logging in, resetting passwords, moving money, or calling a contact center for support can all feel as effortless as sending a text or making a phone call. Contrast that feeling to the one your customers experience when they need to answer security questions or fumble with easy-to-forget passwords, and it’s easy to see why Phone-Centric Identity™/Mobile Identity is becoming the modern and preferred way to prove identity.

Proof Points: How Prove’s cryptographic authentication model enabled a leading card issuer to significant uplift in revenue, reduced fraud, and a streamlined experience.

When companies adopt Prove’s cryptographic authentication, pass rates for legitimate customers increase while fraud decreases significantly.

The graphs that follow are based on the analysis of nearly 200,000 customer transactions from January to April 2021 and 1,000+ fraudulent transactions from June 2019 to June 2021.

When holding the acceptable fraud rate at 3.3 basis points (bps) or 3.3 fraud occurrences out of 10,000 transactions, Prove’s combination of cryptography and Machine Learning is expected to provide an 92% pass rate versus the 77% achieved by RBA alone. One financial services company that implemented Prove’s cryptographic authentication model commented:

‍"With the help of Prove's cryptographic authentication model, Synchrony has achieved a substantial increase in approved accounts, through higher completion and approval rates, with only a fraction of the fraud, when compared to our legacy approach. Importantly, Prove has contributed to a more streamlined customer experience, reduced fraud and provided a significant uplift in revenue."

Mylene Pedone, SVP of Digital Credit & Authentication at Synchrony

The next graph shows the fraud capture rate versus the review rate as an alternative way of illustrating the power of adding machine learning to cryptography. It shows that within the 10% riskiest portion of the population, Prove’s model can capture 57% of the fraud versus the RBA’s 45%.

As illustrated by the graphs, cryptographic authentication provides companies with a smarter way to calculate risk and prevent fraud.

‍Interested in learning more about how cryptographic authentication can help you reduce your company’s fraud rates while boosting pass rates? Contact us to speak with an expert.