SMS two-factor authentication dead in 3 years: NAB

SMS-delivered two-factor authentication will be dead in three years, according to National Australia Bank's general manager of technology, risk and security, Gary Blair.

The emergence of banking on mobile phone platforms -- available today in places like Hong Kong but still about three years away for Australia -- is just one factor that will render SMS two-factor authentication obsolete, said Blair.

"In its current form, the integrity of SMS two-factor authentication will remain adequate over the next three years at least," Blair told ZDNet Australia.

"The introduction of mobile banking, where there's a convergence of banking on to the phone platform, will provide some additional challenges.

"We have a road map of authentication technologies -- both for our customer-base and in the treatment of staff access. This view takes into account the information we get from over-the-horizon scenario planning, so that's what threats are likely in three to five years time," said Blair.

The key challenge posed by the emergence of mobile phone banking is that the phone and SMS networks will no longer be considered "out of band", which today is considered a key advantage of using SMS networks to deliver the one-time passwords, since it prevents "man-in-the-middle attacks".

"Since it has been implemented [at NAB] as an out-of-band two-factor authentication system, it means that the authentication travels along an independent path -- an SMS mobile phone network, which defeats the classic man-in-the-middle attack," said Blair.

A man in the middle attack is when an attacker gets between two transacting parties and either monitors or changes the messages without either participant's knowledge.

In Australia the Commonwealth Bank caught up with the NAB when it implemented its system earlier this year. At the time, CBA's head of commerce feared it would simply drive criminals to using sophisticated malware rather than rudimentary phishing techniques.

ANZ, Westpac, St George, SunCorp and Bankwest meanwhile have opted to wait for newer technologies to emerge, while the Bank of Queensland, HSBC and Bendigo Bank offer token-based two-factor authentication systems.

According to Blair, users find the SMS authentication intuitive and he reckons the way NAB implemented it -- where the second factor of authentication occurs at the transaction stage as opposed to when a user logs in -- is the most secure method available to authenticate online transactions for the consumer market.

"By contrast, if you do have session-based authentication scheme, it's possible that a fraudster could have downloaded malware on to a user's PC and waited until a third party transaction is initiated before they insert a man-in-the-middle attack," said Blair.

Intuitiveness is another key benefit. Approximately 3,500 people sign up to the authentication system each week, said Blair, giving the bank a user-base of 375,000 customers on the system -- almost a third of its 1.3 million registered online banking customers.

"I have literally sat next to customers as they initiated their first transactions and I have not said anything and just let them do it themselves. They're all surprised at how easy it is," he added.

Any subsequent system will need to offer a similar or better level of intuitiveness if banks expect it to be used and Blair reckons there are several clear candidates.

Mobile Signature Services (MSS), which utilise similar technology to wireless or contact-less chip cards, employs Public Key Infrastructure (PKI) encryption for mobile phones. Others possibilities are the EMV standard card, which has been widely rolled out in Europe and parts of South-East Asia, said Blair.