4 advantages of physical over mobile authentication

It is no secret; you can see it for yourself. The use of two-factor authentication (2FA) and multi-factor authentication (MFA) is on the rise. Whether you want to access your Google account, bank app or even Facebook, you have to authenticate your login at some point. This is supported by a recent survey, “The State of Auth”, which revealed that 79% of people in the UK and USA used 2FA in 2021.

With cybersecurity a daily subject of discussion nowadays and no longer a tick-box exercise for businesses and governments, this figure is no surprise. Further to that, new regulations such as the EU’s Strong Customer Authentication (SCA) under the EU Revised Directive on Payment Services (PSD2) make it necessary for organisations to implement such solutions for both employees and customers.

As demand for 2FA and MFA increases among businesses, there is pressure to deliver easy-to-use solutions in a short time scale. This could explain why out of the aforementioned 79%, software-based methods of authentication (SMS, email and mobile apps) are the most popular form of second-factor authentication whereas physical keys are the least popular.

But is the most popular way the safest way to authenticate? Is it the most cost-effective method for businesses? The short answer is no. In fact, the advantages of using a physical form of authentication far outweigh the use of software as your primary method.

Software can be hacked or fooled

Even the most sophisticated software can be circumvented or broken by bad actors. This extends to mobile authenticators, which use cryptographic keys to generate the codes used for user identification. Recent reports have revealed that hackers can easily exploit these keys, even if developers secure them in a smartphone’s “Trusted Execution Environment” (e.g. StrongBox Keystore for Android and Secure Enclave for iOS). If these keys fall into the wrong hands, a bad operator gains the authority to authenticate transactions or connections on a user’s behalf.

Mobile app authenticators also tend to have only a basic level of security certification from national and international security agencies, whereas physical secure keys tend to have higher levels. While smartphones are becoming an “everything in one” tool, whether the SIM becomes an eSIM or the mobile phone a Point of Sale device (POS), these changes come at the cost of compromises to security.

By having a physical secure key, such as NEOWAVE’s Winkeo, you introduce a physical element to your authentication process, eliminating the reliance on weak software to protect your sensitive information. The user must present and tap the physical key during the authentication process. There is no software to beat: the unique crypto key within the physical device must be present, otherwise access will be denied.

FIDO can put an end to phishing

The FIDO Alliance is an industry association that develops and promotes authentication standards to “help reduce the world’s over-reliance on passwords”. Its members include world-leading companies such as Google, Microsoft, VISA and Apple. FIDO-approved devices adhere to the body’s protocol, which consists of a user-controlled cryptographic authenticator that businesses can use to link to directories and apps that they use, for instance, AzureAD and Microsoft 365. Authentication can only take place in person by the user tapping the key and entering a PIN code. This removes the risk of relying on software on mobile phones and apps that can be bypassed.

Malicious websites can also be identified by FIDO-approved keys. If, for example, an employee with a FIDO key visits a malicious website, the fake site will not request that the key be used during authentication. Any login information passed on to bad actors will not enable them to access the employee’s accounts via the real website, because they will not have the physical key required to authenticate.

The biggest benefit of FIDO’s physical keys is that by using this technology, businesses can eliminate phishing in their organisation. By having a physical (non-mobile) element added to your security process, FIDO helps prevent brute force attacks as well as man-in-the-middle attacks, to which one-time passwords (OTPs) and SMS codes are susceptible.

In fact, Google claims to have put an end to all phishing breaches within its organisation. The company implemented U2F authentication across its organisation and requires all employees to use physical secure keys.

SIM-swap fraud is on the rise

SIM-swap fraud cases have increased 400% in the past 6 years. This means that hackers are cloning mobile phone numbers and assigning them to new SIM cards, through which they can access online bank accounts, messages, calls and other sensitive data. One of the most notable victims of this type of fraud was Twitter CEO Jack Dorsey. Should we not question the value of mobile app authenticators if this threat is on the rise?

Highest level of security at a fraction of the cost

Shockingly – but unsurprisingly – almost 70% of SMEs have not implemented MFA. It makes sense though when you look at costs. If you are a small business and need to spend hundreds of pounds on a smartphone per employee in order to have access to an authenticator app, this can be discouraging for business owners, especially during uncertain economic times. While some may revert to using personal smartphones, that is not the safest method as it comes with added risk when the phone is not owned by the employer.

FIDO keys on the other hand are much more affordable, at around £25 per person, and come with heightened security as described in the points above. It is a win-win for both smaller businesses which need to prioritise security but are also traversing uncertain economic times, and larger organisations that need to implement MFA across the business with hundreds, if not thousands, of employees.

Cybersecurity has never been more important. The heightened threat from Russia since the invasion of Ukraine and the higher number of employees working remotely have made cybersecurity a top priority. Attacks are now fully-fledged businesses, and organisations need to ensure there are no cracks in their protective shields.

Kent Jason

Jason Kent is founder and director of Open Seas, a UK-based enterprise IT solutions company specialising in data protection and backup services to optimise organisations’ work environments. With 30 years’ experience in the IT industry, Jason has developed a strong and in-depth understanding of how to design and implement technical solutions that deliver tangible business benefits.

Jason specialises in simplifying the complex and collaborating with both technical and non-technical teams to implement solutions that enhance security and human collaboration.

Jason is also Business Development Director at Jooxter, a proptech scale-up that helps companies manage flex desks and meeting rooms through wireless monitoring.
