ENHANCED MOBILE BANKING SECURITY: IMPLEMENTING TRANSACTION AUTHORIZATION MECHANISM VIA USSD PUSH.
Mobile-initiated financial transactions need to be authenticated. This is a mandatory requirement, since authentication serves as a security mechanism that supports non-repudiation. This is true for mobile banking customers in Kenya. The level of protection of a given authentication scheme depends on the combination of characteristics, the authentication channel, credential storage, and encryption. A range of studies has been performed on mobile banking authentication schemes and their level of protection. Research has shown challenges related to single-factor and two-factor authentication schemes. However, there are inadequate studies on authentication schemes that mix different factors of authentication for secure and efficient mobile banking transactions. The goal of the research was to explore the challenges of using a PIN as the only factor of authentication and to evaluate the effectiveness of an efficient multifactor authentication scheme that combines USSD push and PIN. A convenience non-probability method was used to identify a subset of the population, and snowball sampling was used to target a total of 385 respondents. A total of 442 responses were received through online administered questionnaires. The study found that 84.4% of the respondents use mobile banking frequently, that is, many times in their daily lives. A further finding was that the de facto login method used in mobile banking applications in Kenya is the PIN, and that 69% of respondents have incurred losses due to compromised PINs. These descriptive statistics indicated the need for a secure mobile banking app, and hence for multifactor authentication. The solution implemented offers a remedy to the challenges faced by mobile banking customers in Kenya.
This solution did not depend entirely on the user's PIN but was also tied to other details such as the International Mobile Equipment Identity (IMEI), Mobile Systems International Subscriber Identity Number (MSISDN), and International Mobile Subscriber Identity (IMSI), in addition to a time-bound USSD push augmented with biometric (fingerprint) authentication. These attributes were hashed using the BCrypt hashing function in mobile banking applications. Credentials were stored in distributed locations in encrypted format. The architecture employed provided improved security against cyber-attacks such as identity theft, phishing, social engineering, spoofing and man-in-the-middle attacks. In conclusion, the use of USSD push in mobile banking provides an efficient layer of authentication and hence improved mobile banking security.
Keywords: Mobile Banking, Security, USSD, GSM, Authentication, Encryption, Cloud Computing, Cyber-Attacks.