A simple question inspires multifactor authentication (MFA) innovation

By Firas Bouz and Debasisha Padhi

Innovation doesn’t always spring from a big idea. Quite often, asking “what if” or “why” inspires fresh thinking that leads to new or improved solutions.

For proof, you need only look to a recently patented process for multifactor authentication (MFA), which started with a simple question.

In mid-2018, Debasisha left his debit card at a restaurant. Before he realized it was missing and could freeze his account, someone used the card for several fraudulent purchases.

Being tech professionals and naturally curious, we began wondering why better protections weren’t in place to stop such crimes. It wasn’t long before we got together with two other colleagues and seriously asked ourselves if we could add a layer of security to prevent someone from using a stolen bank card—even if they had the PIN.

Our collective “yes” led to research, drafting and, eventually, a novel approach to digital identification known as multi-factor authentication utilizing device pairing (MFAUDP). In May 2022, nearly three years after we first posed the question, MFAUDP was awarded a patent.

Someday soon, this new technology may be used to protect organizations and individuals alike from cyber theft and fraud, proving once again that inspiration for innovation can come from the smallest or unlikeliest of sources.

Making a case for MFA

To be fair, MFA isn’t new.

Technology that requires end-users to provide two or more forms of verification to prove their identify before gaining access to an online account, allowed into a private network, or approved for a digital transaction was introduced in the early 2000s. In the two decades since, MFA has emerged as one of the most effective tools¹ in the fight against cybercrime.

Unfortunately, no one has developed a foolproof authentication method. Card-related fraud like Debasisha experienced—which falls into the broader category of identity theft—is the most common type of fraud worldwide, costing consumers average annual losses ranging from $111 in Japan to more than $3,900 in Germany.²

The stakes are even higher for companies. Stolen or compromised credentials accounted for 19% of security breaches among businesses in 2021.³ Still, less than 30 percent of organizations currently use MFA, a staggering figure given that the average cost of a single business data breach now exceeds $4 million.  

Not surprisingly, the COVID pandemic only exacerbated these and other problems. Cybercrime has ballooned 600%⁴ since March 2020, and costs associated with cyber incidents are on pace to reach $10.5 trillion5 by 2025.

We envision MFAUDP as a tool to combat the threat.

Improving proven technology

MFAUDP blends multiple capabilities developed in the past to deliver an enhanced layer of digital protection for the future.

Utilizing near-field communications (NFC) and existing authentication technology, MFAUDP allows you to pre-program two or more digital devices to request validation from each other before either can be used. So, when you attempt to log into or access one digital device, it will prompt you for authentication like a fingerprint or passcode.

Once the primary device validates that security layer, it will seek a wireless connection with a secondary device that has its own security credential. If you provide the correct form of validation, it will pair the two devices and allow you to finish the action you were trying to execute.

On the other hand, if you don’t have both devices with you or if they’re located too far apart from one another—even if you know verification credentials for each of them—the system won’t be able to pair. A failed wireless connection between the devices will deny access to either device, preventing you from completing your initial task.

Imagining potential uses

We’ve only begun to conceive potential use cases for MFAUDP. However, the financial services industry presents obvious opportunities.

Fraudulent payment card losses currently eclipse $28 billion each year and are expected to total $408 billion⁶ over the next decade. Equipping credit and debit cards with MFAUDP would almost certainly reduce those numbers.

For example, if someone tried to make an unauthorized purchase using a credit card that was linked to a smartphone outfitted with MFAUDP, the card would attempt to establish a wireless connection with the phone. Since the unauthorized user doesn’t have the cardholder’s phone, the devices wouldn’t pair, so the transaction request would be denied.

Even in the unlikely event that the fraudulent user wound up with the cardholder’s phone and their credit card, they’d need a PIN for the card and a passcode for the phone in order to pair. The absence of either would block the transaction. 

At the enterprise level, MFAUDP could bolster network security. Unlike traditional MFA technology, MFAUDP doesn’t use SMS messaging and one-time codes as the second form of authentication. This, in turn, would reduce or eliminate the effectiveness of credential stealing, password hacking and phishing scams, all of which increased dramatically during the pandemic as employees were forced to work remotely.

Looking further ahead, MFAUDP may one day be employed on a larger scale by hoteliers to program room cards and by auto manufacturers to make key fobs more secure. Additional applications in industries like healthcare, government and education are also possible.

Truth be told, the full scope of possible applications has yet to be imagined. That’s fitting on multiple levels because, at its core, MFAUDP illustrates the impact that being inquisitive and seeking a better way of doing things can have on individuals and organizations alike.

All it takes is someone willing to ask the right question.

Firas Bouz is Vice President of Solutions for Kyndryl. Debasisha Padhi is a Principal Architect in Kyndryl’s Core Enterprise and zCloud practice.

¹ “Tech CEOs: Multi-Factor Authentication Can Prevent 90% of Attacks,” Infosecurity Magazine, Sept. 2021
² 2022 IBM Global Financial Fraud Impact Report, IBM, Feb. 2022
³ Cost of a data breach 2022, IBM
^{4 “}A Certainty In An Uncertain World: Cybercrime Is Spiking,” Cybercrime Magazine, Feb. 2021
⁵ “Cybercrime To Cost The World $10.5 Trillion Annually By 2025,” Cybercrime Magazine, Nov. 2020
⁶ Nilson Report, Issue 1209