We expanded our authentication suite to offer two solutions that combat advanced threats such as Man-in-the-Middle (MITM) through transaction verification.
As two-factor-authentication becomes ubiquitous across consumer web properties and the enterprise, MITM and MITB attacks are becoming more commonplace and transaction verification is the best method to prevent these types of attacks. TeleSign offers transaction verification through two-way SMS verification or through a push notification delivered to a mobile app. Here’s the user experience:
Verify 2-Way SMS
Option 1: Two-Way SMS
In Verify 2–Way SMS, we send an SMS to a user that includes transaction details and a 4-7 digit security code. This is usually triggered for specific transaction types (e.g. wire transfers) that exceed some limit and for key account change (e.g., password resets). To confirm the transaction, the customer must accept the transaction and include the security code in their response. This ensures that the real user is the one replying back to the SMS and not an attacker spoofing the phone number. If the customer does not respond to the text message within a narrow time window (e.g., 15 minutes), the transaction is canceled.
Sample Two-Way SMS for Transaction Verification:
Option 2: Push Notifications
Transaction verification can also be deployed via a push notification which is delivered through our mobile app, AuthID. When a customer initiates a high-value transaction, a one-time verification code is displayed on the application’s website. A push notification is automatically sent to the user’s mobile app that includes transaction details. The customer then taps the “Allow” (or “accept”) button within the app and types the verification code displayed on the webpage into the app to approve the transaction.
By authenticating a specific transaction through a separate channel, a user can be secure even if their session has been hijacked by a man-in-the-middle attack. Both two-way SMS and push notifications offer a simple 2FA solution with added resiliency to combat MITM and MITB attacks.