Protecting crypto accounts with strong authentication
In today’s digital world, cybersecurity is essential, especially when it comes to protecting digital financial accounts, or digital wallets that hold crypto assets. Ensuring that only the authorized account owner(s) can access account information is as important as securing the network over which the data is transmitted. This is because, unlike bank accounts, there is no regulatory protection, such as the FDIC, in place for users who lose their crypto assets, or get their crypto assets stolen, due to their account or digital wallet getting hacked.
For example, in cases where users utilize the crypto exchange’s digital wallet, most users might think that setting up a username and a password is enough, with an additional layer of security in the form of a one-time SMS password. However, this is a highly vulnerable approach, susceptible to SIM swap attacks.
Passwords have proven to be highly insecure, prone to phishing and other such cyberattacks, and do not meet the security requirements imposed by most regulatory bodies. Due to these inherent issues, companies globally have started looking at solutions such as FIDO/FIDO2 (short for Fast IDentity Online), the de-facto authentication standard, to meet regulatory requirements and safeguard their websites’ or applications’ users.
Has crypto fraud really been that high?
Crypto account takeovers have been on the rise in an industry where transactions are confirmed, and funds are transferred, within seconds with no way to reverse them. According to the Federal Trade Commission, almost 7,000 people lost over $80 million from October 2020 to March 2021, a whopping 1,000% increase compared to the previous year. The year 2020 saw cybercriminals stealing around $300 million from crypto digital wallets/accounts through various fraudulent activities such as fake crypto exchanges, SIM swap attacks, and phishing schemes. Fraudsters can take over an account fairly easily: they will try harvesting and stuffing credentials and then, if presented with an SMS OTP request (which is quite common), use a SIM relay service or another such technology to forward the SMS to their own number; in some cases they have managed to physically swap the SIM. The end result of the attack is successfully bypassing the security measures put in place by the exchange, gaining illegal access to a user’s account and/or digital wallet, and stealing their assets.
This, coupled with the fact that some crypto exchanges are operating as unregulated entities, spells trouble for crypto investors whose wallets are held by the exchange. Even more recently, in the days leading up to Elon Musk’s appearance on Saturday Night Live, over $10 million in cryptocurrencies was stolen by cybercriminals.
How does strong authentication help?
The fact that users cannot easily file claims or reclaim stolen crypto funds means protecting crypto accounts is more important than ever. Even if a user does not fall victim to cybercrime, the risk of getting locked out of their account and losing access to their digital wallet’s funds is extremely high.
However, the problem doesn’t stop here: if exchanges present users with complicated sign-up and sign-in processes for the sake of security, users might switch to other exchanges with a more favorable user experience.
One potential solution to effectively protecting cryptocurrency accounts lies in strong authentication.
This additional layer of security ensures a user’s account is protected even if one factor is compromised. Some common forms of strong authentication are security questions, time-based one-time passwords (TOTPs), physical authentication keys, and biometrics.
FIDO/FIDO2, the latest set of specifications by the FIDO Alliance, is a standards-based authentication protocol that has become the de-facto authentication standard, adopted by major crypto exchanges such as Coinbase and Binance. It ensures that a user’s cryptographic credentials are stored locally in the hardware of their device, not in the cloud, thereby defeating even advanced cyberattacks, since an attacker would need both possession of the device and the user’s biometric.
FIDO Based Authentication vs Proprietary Biometrics Authentication
User authentication can work in one of two modes: remote, where the device proves the user’s identity to an external server, and local, where the device verifies the user by itself. Proprietary biometrics (iPhone Touch ID, for example) are inherently local, on-chip authentication. Remote authentication, by contrast, transmits cryptographic signature data (and no biometric data) to the backend server for verification, which is what provides proof of the claimed identity.
Proprietary biometrics offer no out-of-the-box remote authentication capability.
Given the local nature of proprietary biometrics authentication, there are numerous weaknesses worth mentioning:
No phishing resistance
No ability to do transaction confirmation
Hard to manage revocation of the long-lived refresh token
FIDO based authentication takes security to the next level:
All subsequent authentications are done via FIDO and are protected by an asymmetric digital signature, which makes it impossible for an attacker to forge
Stolen cookies pose little threat, as any high-risk operations are protected by transaction confirmation
No refresh token or static secrets, which reduces attack surfaces significantly
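The properties listed above (a signature the server verifies with a stored public key, binding to the origin the browser saw, and a signed transaction text that a stolen session alone cannot produce) are easier to reason about with a concrete relying-party check. The program below is an added example written for this page; it is not LoginID’s code and not the WebAuthn/CTAP wire format, but a simplified model of the same flow: the device side is simulated in-process, and all names (Authenticator, RelyingParty, the origin https://exchange.example and the withdrawal text) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device: the private key is created
// on the device and never leaves it; only signatures cross the network.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Assertion is what the device returns: no biometric data, only the public
// inputs and a signature over them.
type Assertion struct {
	OriginHash [32]byte // hash of the web origin the browser reports
	Challenge  []byte
	TxMessage  string // "" for a login; the displayed text for a transaction confirmation
	Signature  []byte
}

// signedData is the exact byte string both sides hash and sign/verify.
func signedData(originHash [32]byte, challenge []byte, tx string) []byte {
	h := sha256.New()
	h.Write(originHash[:])
	h.Write(challenge)
	h.Write([]byte(tx))
	return h.Sum(nil)
}

// Sign models the local step: the on-chip biometric check gates the signature,
// but nothing about the biometric appears in the output (simulated here).
func (a *Authenticator) Sign(browserOrigin string, challenge []byte, tx string) (Assertion, error) {
	oh := sha256.Sum256([]byte(browserOrigin))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(oh, challenge, tx))
	return Assertion{OriginHash: oh, Challenge: challenge, TxMessage: tx, Signature: sig}, err
}

// RelyingParty is the exchange's backend; it stores only the public key and
// the challenges it has issued but not yet consumed.
type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]string // hex(challenge) -> transaction text bound to it
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{origin: origin, pub: pub, pending: map[string]string{}}
}

// NewChallenge issues a fresh random nonce and records the transaction text
// (if any) the user is expected to approve with it.
func (rp *RelyingParty) NewChallenge(tx string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	rp.pending[hex.EncodeToString(ch)] = tx
	return ch
}

// Verify performs the server-side checks: single-use challenge, transaction
// text binding, origin binding, then the asymmetric signature itself.
func (rp *RelyingParty) Verify(as Assertion) error {
	key := hex.EncodeToString(as.Challenge)
	tx, ok := rp.pending[key]
	if !ok {
		return errors.New("unknown or already used challenge (replay)")
	}
	delete(rp.pending, key)
	if tx != as.TxMessage {
		return errors.New("signed text differs from the transaction that was issued")
	}
	if as.OriginHash != sha256.Sum256([]byte(rp.origin)) {
		return errors.New("assertion is bound to a different origin (phishing)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedData(as.OriginHash, as.Challenge, as.TxMessage), as.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// RunScenarios exercises the properties the text claims and reports which held.
func RunScenarios() (map[string]bool, error) {
	const origin = "https://exchange.example" // constructed sample origin
	user, err := NewAuthenticator()
	if err != nil {
		return nil, err
	}
	rp := NewRelyingParty(origin, &user.priv.PublicKey)
	out := map[string]bool{}
	// Normal login, then the same assertion replayed (as a captured response would be).
	as, _ := user.Sign(origin, rp.NewChallenge(""), "")
	out["login_ok"] = rp.Verify(as) == nil
	out["replay_rejected"] = rp.Verify(as) != nil
	// Phishing: a look-alike site relays the real challenge, but the browser
	// reports the look-alike origin, so the signature is bound to the wrong site.
	as, _ = user.Sign("https://exchange-example.test", rp.NewChallenge(""), "")
	out["phishing_rejected"] = rp.Verify(as) != nil
	// Transaction confirmation: the user approves exactly this text.
	tx := "Withdraw 0.5 BTC to bc1q...placeholder" // constructed sample text
	as, _ = user.Sign(origin, rp.NewChallenge(tx), tx)
	out["tx_confirm_ok"] = rp.Verify(as) == nil
	// Stolen cookie: a session alone can request a challenge, but without the
	// user's device only some other key is available to sign it.
	other, _ := NewAuthenticator()
	as, _ = other.Sign(origin, rp.NewChallenge(tx), tx)
	out["stolen_session_rejected"] = rp.Verify(as) != nil
	return out, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Println(k, v)
	}
}
```

Note that the server never holds a secret that would let it (or anyone who dumps its database) impersonate the user: only the public key and outstanding nonces are stored, which is the "no static secrets" point above. A production relying party would additionally track the authenticator's signature counter to detect cloned devices and would validate the full client data and attestation formats defined by the WebAuthn specification.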
Is strong authentication common in the crypto industry?
The short answer is no. Crypto industry acceptance of FIDO/FIDO2 protocols as best practices would help protect crypto investors’ assets, as well as allow the exchange to be compliant with existing or emerging regulatory requirements such as PSD2, GDPR etc.
Currently, however, exchanges are using strong authentication as a differentiator, with the early adopters forging ahead in their customers’ minds.
Is FIDO strong authentication easy to implement?
The aim for cryptocurrency exchanges should be to strike a balance between privacy, anonymity, security and user experience. They need to ensure users feel safe using their platform, while making it easy for users to buy, sell and trade crypto. Adding friction to either of these will not only frustrate users, but will negatively affect the exchange’s reputation.
One option is for exchanges to build the authentication solution themselves; however, this could take several months and could still have vulnerabilities depending on how the solution was built. Furthermore, integrating a standard such as FIDO/FIDO2 multi-factor authentication in-house is complex, and requires a plethora of resources and extensive knowledge of the FIDO/FIDO2 standard, as well as deep in-house knowledge of platforms and programming languages.
The alternative, a time-effective and cost-effective solution, is to integrate a third-party provider such as LoginID. LoginID is a FIDO/FIDO2-certified solution that enables crypto exchanges to offer their users strong authentication in a few lines of code through various integration paths.
Highly secure and easy to install, LoginID’s FIDO/FIDO2 multi-factor authentication solution allows crypto exchanges of all sizes in any jurisdiction to enable strong authentication on their websites and apps, compliant with regulations such as the PSD2 and GDPR (among others), while offering users a user-friendly registration, login, and transaction confirmation process.
With LoginID, crypto exchanges get:
A FIDO2 / FIDO UAF certified biometric authentication solution
Detailed and thorough documentation created by developers for developers
A scalable business model that grows with the crypto exchange
A scalable business model to support startups called ‘Open SaaS’, making it free to start
Transaction Confirmation with Digital Signature - a tool for crypto exchanges and digital wallets that provides a receipt as proof of users’ biometric authentication around transactions
Crypto exchanges can get started by registering for a free account, or by checking out the demo here. If you would like to learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, you can do so here.