TY - JOUR
T1 - A survey on multi-factor authentication for online banking in the wild
AU - Sinigaglia, Federico
AU - Carbone, Roberto
AU - Costa, Gabriele
AU - Zannone, Nicola
PY - 2020/8
Y1 - 2020/8
N2 - In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.
AB - In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.
KW - Field study
KW - Legal compliance
KW - Mobile banking
KW - Multi-factor authentication
KW - Online banking
KW - Remote payments
KW - Threat models
UR - http://www.scopus.com/inward/record.url?scp=85084948488&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2020.101745
DO - 10.1016/j.cose.2020.101745
M3 - Article
AN - SCOPUS:85084948488
VL - 95
JO - Computers and Security
JF - Computers and Security
SN - 0167-4048
M1 - 101745
ER -