A survey on multi-factor authentication for online banking in the wild

Federico Sinigaglia; Roberto Carbone; Gabriele Costa; Nicola Zannone

doi:10.1016/j.cose.2020.101745

A survey on multi-factor authentication for online banking in the wild

Federico Sinigaglia (Corresponding author), Roberto Carbone (Corresponding author), Gabriele Costa (Corresponding author), Nicola Zannone (Corresponding author)

Security W&I

Research output: Contribution to journal › Article › Academic › peer-review

Abstract

In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.

Original language	English
Article number	101745
Number of pages	30
Journal	Computers and Security
Volume	95
DOIs	https://doi.org/10.1016/j.cose.2020.101745
Publication status	Published - Aug 2020

Keywords

Field study
Legal compliance
Mobile banking
Multi-factor authentication
Online banking
Remote payments
Threat models

Access to Document

10.1016/j.cose.2020.101745

Link to publication in Scopus

Fingerprint Dive into the research topics of 'A survey on multi-factor authentication for online banking in the wild'. Together they form a unique fingerprint.

Cite this

Sinigaglia, F., Carbone, R., Costa, G., & Zannone, N. (2020). A survey on multi-factor authentication for online banking in the wild. Computers and Security, 95, [101745]. https://doi.org/10.1016/j.cose.2020.101745

@article{546e3755663940faa31385f3269f9025,

title = "A survey on multi-factor authentication for online banking in the wild",

abstract = "In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.",

keywords = "Field study, Legal compliance, Mobile banking, Multi-factor authentication, Online banking, Remote payments, Threat models",

author = "Federico Sinigaglia and Roberto Carbone and Gabriele Costa and Nicola Zannone",

year = "2020",

month = aug,

doi = "10.1016/j.cose.2020.101745",

language = "English",

volume = "95",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier",

}

A survey on multi-factor authentication for online banking in the wild. / Sinigaglia, Federico (Corresponding author); Carbone, Roberto (Corresponding author); Costa, Gabriele (Corresponding author); Zannone, Nicola (Corresponding author).

In: Computers and Security, Vol. 95, 101745, 08.2020.

Research output: Contribution to journal › Article › Academic › peer-review

TY - JOUR

T1 - A survey on multi-factor authentication for online banking in the wild

AU - Sinigaglia, Federico

AU - Carbone, Roberto

AU - Costa, Gabriele

AU - Zannone, Nicola

PY - 2020/8

Y1 - 2020/8

N2 - In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.

AB - In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.

KW - Field study

KW - Legal compliance

KW - Mobile banking

KW - Multi-factor authentication

KW - Online banking

KW - Remote payments

KW - Threat models

UR - http://www.scopus.com/inward/record.url?scp=85084948488&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2020.101745

DO - 10.1016/j.cose.2020.101745

M3 - Article

AN - SCOPUS:85084948488

VL - 95

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

M1 - 101745

ER -