Two-Factor Authentication Scheme for Mobile Money: A Review of Threat Models and Countermeasures
Abstract
The proliferation of digital financial innovations like mobile money has led to a rise
in mobile subscriptions and transactions. Due to this high demand, it has also increased the security
challenges associated with the current two-factor authentication (2FA) scheme for mobile money.
This review paper aims to determine the threat models in the 2FA scheme for mobile money. It also
intends to identify the countermeasures to overcome the threat models. A comprehensive literature
search was conducted using Google Scholar and other leading scientific databases such as IEEE
Xplore, MDPI, Emerald Insight, Hindawi, ACM, Elsevier, Springer, and Specific and International
Journals; 97 papers that focused on the topic were reviewed. Descriptive research papers and
studies related to the theme were selected. Three reviewers extracted information independently on
authentication, mobile money system architecture, mobile money access, the authentication scheme
for mobile money, various attacks on the mobile money system (MMS), threat models in the 2FA
scheme for mobile money, and countermeasures. Through literature analysis, it was found that
the threat models in the 2FA scheme for mobile money fall into five categories, namely, attacks
against privacy, attacks against authentication, attacks against confidentiality, attacks against integrity,
and attacks against availability. The countermeasures include the use of cryptographic functions (e.g.,
asymmetric encryption function, symmetric encryption function, and hash function) and personal
identification (e.g., number-based and biometric-based countermeasures). This review study reveals
that the current 2FA scheme for mobile money has security gaps that need to be addressed since it only
uses a personal identification number (PIN) and a subscriber identity module (SIM) to authenticate
users, which are susceptible to attacks. This work, therefore, will help mobile money service providers
(MMSPs), decision-makers, and governments that wish to improve their current 2FA scheme for
mobile money.