Let's talk about application security for applications hosted on the Internet. Consider a mobile banking application such as UPI, where you can make a direct payment from your mobile to another person's bank account within 10 seconds. That speed cuts both ways: if a hacker is able to compromise your UPI access, he can transfer money from your account to his within those same 10 seconds, and the money is gone with no way for you to stop it or retrieve it directly. Of course you can get in touch with the bank and raise a complaint, and the bank has its own processes to help you retrieve the money, but the point I am trying to make is that in today's superfast digital world, where financial transactions happen on the fly, you need watertight (strong) security controls that reduce the possibility of fraud and hacking to a minimum. One such security control is Multifactor Authentication.
Multifactor authentication is simply an authentication process in which you must present two different factors of authentication to get authenticated. Take the same example of UPI apps (Gpay, PhonePe, etc.): when you initiate a payment you enter two different credentials. First you log into the application on your mobile (you hardly notice this step nowadays, because it is normally done with biometric (fingerprint) authentication); second, you enter the PIN required to initiate the transaction. So even if an attacker is able to compromise your UPI account, he will still not be able to make any transaction unless he also knows your PIN.
So multifactor authentication boils down to two authentication passwords verified against two different databases.
Do remember: for an Internet-based application you should always have multifactor authentication enabled, whether it is transaction based or not.
Now let's see how this works in action. Take Internet banking, where you are trying to transfer money using IMPS or NEFT. There is one application, "Internet Banking", on which the customer has logged in and initiated an IMPS transaction; to complete the transaction, the application presents a screen asking the user for an OTP. That is the front story; let's see what happens behind the scenes.
Your Internet banking application connects to an access gateway using an API and sends the customer ID in the API request. The access gateway responds to the Internet banking application with a reference ID for this request.
The access gateway then connects to the core banking system using another API and fetches the mobile number registered against that customer ID. Once it receives the mobile number, it sends the OTP message to that number through the SMS partner gateway.
Once the customer enters the OTP in the front end of the application, the application makes another API call to the access gateway, passing the OTP along with the reference ID.
The access gateway matches the reference ID with the OTP it generated for that reference. If they match, it sends an OK response to the application; otherwise it sends a not-OK response.
If the response is OK, the application allows the transaction to go ahead.
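To make the behind-the-scenes flow concrete, here is a small simulation of the access gateway's side of it. This is an added example, not code from the original post or from any bank's system: the core-banking customer directory and the SMS partner are constructed stand-ins, and the 6-digit OTP, 3-minute validity and 3-attempt lockout are assumptions chosen for illustration. What it shows is the part the prose leaves implicit: the application only ever receives a reference ID, the OTP travels to the customer's phone, and the gateway alone holds the pairing and decides OK versus NOT_OK.

```python
# Added example (not code from the original article): a minimal simulation of the
# access-gateway OTP flow. The customer directory, the SMS partner and the
# 6-digit / 3-minute / 3-attempt policy are all constructed assumptions.
import hmac
import secrets
import time

OTP_DIGITS = 6               # assumption: 6-digit numeric OTP
OTP_TTL_SECONDS = 180        # assumption: an OTP is valid for 3 minutes
MAX_ATTEMPTS = 3             # assumption: a reference is locked after 3 wrong tries

# Constructed stand-in for the core-banking API "customer ID -> registered mobile".
CORE_BANKING = {"CUST1001": "+91-9XXXXXXXX1"}


class SmsGateway:
    """Stand-in for the SMS partner gateway: records what would have been sent."""

    def __init__(self):
        self.outbox = []

    def send(self, mobile, text):
        self.outbox.append((mobile, text))


class AccessGateway:
    """Issues a reference ID per OTP request and later verifies (reference ID, OTP)."""

    def __init__(self, core_banking, sms, now=time.time):
        self._core = core_banking
        self._sms = sms
        self._now = now          # injectable clock so expiry can be exercised
        self._pending = {}       # reference_id -> {otp, expires, attempts}

    def request_otp(self, customer_id):
        """Look up the mobile in core banking, send the OTP, return only a reference ID."""
        mobile = self._core.get(customer_id)
        if mobile is None:
            raise KeyError(f"unknown customer {customer_id!r}")
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # CSPRNG, not random
        reference_id = secrets.token_urlsafe(16)                         # unguessable handle
        self._pending[reference_id] = {
            "otp": otp,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The OTP goes to the customer's phone; the calling application never sees it.
        self._sms.send(mobile, f"Your OTP for the pending transaction is {otp}")
        return reference_id

    def verify(self, reference_id, submitted_otp):
        """Match the submitted OTP against the one generated for this reference ID."""
        record = self._pending.get(reference_id)
        if record is None:
            return "NOT_OK"                       # unknown, already used, or locked
        if self._now() > record["expires"]:
            del self._pending[reference_id]        # expired: discard the reference
            return "NOT_OK"
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[reference_id]        # too many tries: lock this reference
            return "NOT_OK"
        well_formed = (len(submitted_otp) == OTP_DIGITS
                       and submitted_otp.isascii() and submitted_otp.isdigit())
        if well_formed and hmac.compare_digest(record["otp"], submitted_otp):
            del self._pending[reference_id]        # single use: a replay cannot succeed
            return "OK"
        return "NOT_OK"


def otp_from_sms(sms):
    """Demo helper: read the OTP the 'customer' would see on the phone."""
    return sms.outbox[-1][1].split()[-1]


def run_demo():
    """Walk through the happy path plus the replay, expiry and brute-force cases."""
    clock = [1_000_000.0]
    sms = SmsGateway()
    gateway = AccessGateway(CORE_BANKING, sms, now=lambda: clock[0])
    results = {}

    ref = gateway.request_otp("CUST1001")
    otp = otp_from_sms(sms)
    wrong = "000000" if otp != "000000" else "999999"
    results["wrong_otp"] = gateway.verify(ref, wrong)
    results["correct_otp"] = gateway.verify(ref, otp)
    results["replay"] = gateway.verify(ref, otp)          # same OTP a second time

    ref = gateway.request_otp("CUST1001")
    otp = otp_from_sms(sms)
    clock[0] += OTP_TTL_SECONDS + 1                       # customer waited too long
    results["expired"] = gateway.verify(ref, otp)

    ref = gateway.request_otp("CUST1001")
    otp = otp_from_sms(sms)
    wrong = "000000" if otp != "000000" else "999999"
    for _ in range(MAX_ATTEMPTS):
        gateway.verify(ref, wrong)                        # exhaust the attempt budget
    results["after_lockout"] = gateway.verify(ref, otp)   # right OTP, but too late
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design choices are the ones a reviewer would look for in a real gateway: the reference ID is the only thing handed back to the application, the OTP comes from `secrets` rather than `random`, the comparison is constant-time, and every reference is single use, time limited and capped in attempts, so a guessed or replayed OTP is answered with NOT_OK just like a mistyped one.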
So this is how OTP works in a financial institution. I would urge you to look at the diagrams to understand the concept more easily.
Note: the examples I am using apply to banking institutions, and the services mentioned are common to almost all banks, but do remember that every institution has its own mechanism for implementing 2-factor authentication, which may differ from institution to institution.
Please be mindful of the fact that every financial transaction must mandatorily have a second factor configured.