Twice the Protection: Why Two-Factor Authentication is a Security Must-Have
In our continuing bid to bring you information on security best practices, we present this blog, produced in partnership with 8×8.
Any forward-thinking business leader knows that ensuring customer privacy is now a priority—especially as the value and volume of data continue to increase. The irony, however, is that cybersecurity breaches are still severely damaging reputations and bottom lines globally. It’s been said that small businesses alone can lose more than $2.2 million a year to cyberattacks, and 60% of small businesses close within six months of a cyber breach. That’s why many businesses are reviewing their login and verification processes and turning to two-factor authentication (2FA) to improve security. If you’re not familiar with 2FA, you’re in the right place.
What is two-factor authentication and how does it work?
Like its name says, 2FA involves acquiring two sets of passwords that users will have to enter correctly before they can access their account. The first password refers to the user’s personal password, which they will have to remember. However, due to the obvious risks with these passwords, including phishing attacks and malware, this password alone is insufficient.
That’s where the second password comes in. The second factor in two-factor authentication requires users to prove their identity in another way: usually with dynamically generated one-time passwords (OTPs), which are physical security keys like access cards or USB key fobs, or biometrics like face or thumbprint IDs. The nature of the second factor makes its acquisition more difficult for attackers and thereby adding an extra layer of security and alleviating substantial risk.
Choosing the right two-factor authentication channels for your app
While it’s commonly accepted that 2FA is one of the best ways for businesses to protect customer data, there are various options and each 2FA channel has its own pros and cons. When choosing the right authentication channels for your business, you will need to consider which ones will provide a frictionless experience for your users without incurring excessive costs. To help you with that, here’s a rundown of the pros and cons of five of the most commonly used digital 2FA solutions on the market.
Two-factor authentication via SMS
SMS is the most common channel for 2FA as it doesn’t require users to download additional apps or carry separate devices, making it relatively low-cost with high deliverability. After a successful login with their username and password, or after an online payment/transaction, users will receive a 5- to 10-digit code via SMS which they can then enter to either access their account or authorize their transaction. SMS two-factor authentication has been proven to be exceptionally effective. According to Google, their implementation of SMS 2FA resulted in 100 percent protection against automated bots, 96 percent against bulk phishing attacks, and 76 percent against targeted attacks.
Two-factor authentication via email
Email 2FA shares similar advantages with 2FA via SMS; it does not require any additional apps or devices, which makes onboarding relatively easy and authentication almost seamless. In addition to OTPs, email 2FA can also take the form of magic links like those used by Slack and Medium, where users can click on a link rather than manually enter a code to access their accounts.
However, email as a 2FA channel can be extremely risky because most account passwords are usually reset via email. This means that attackers only need to compromise one channel—the email address—to gain access to both of the customer’s 2FA passwords.
Two-factor authentication via app
Also known as Time-Based One-Time Password (TOTP), app-based 2FA is like the software version of physical security tokens. This means that your users will need to download an authenticator app onto their desktops or mobile phones. After they’ve cleared the username and password stage, a QR code will be generated that users can scan to request a unique password or token for login.
Unlike SMS and email, app-based 2FA is not dependent on network access. Instead, unique codes are generated offline by the app at regular intervals (typically 30 seconds) and synced to your platform based on the current time.
However, such authenticator apps require that you invest additional resources for development and ongoing maintenance, and the extra step of downloading an app onto their devices may be a deterrent for some users. The other concern is that if your phone or desktop is stolen or compromised, the attacker will also have access to your TOTP.
Two-factor authentication via push
Similar to Apple’s Trusted Devices method for logins, or DBS’s app authentication for online purchases, push-based 2FA notifies a user that there has been an attempt to access their account, allowing them to either approve or deny the request.
A key advantage that this channel has over many others is that there is an option to deny access, which companies can monitor as evidence of unauthorized access. Allowing your users to press, rather than manually typing in, an OTP is more convenient for some users, and it makes your platform more resistant to phishing attempts.
However, push-based 2FA does require a working data connection, while authenticator apps do not, and SMS only requires access to a telephone network. Implementation of push is also slightly more complex and requires additional development work compared to SMS or email channels.
Two-factor authentication via voice
Voice 2FA is when an OTP is delivered via a phone call using a text-to-speech service. It’s often preferred by users who don’t have access to a smartphone or data connection, or by users who have certain difficulties reading text-based OTPs.
While SMS deliverability and price may vary across the globe, voice is prioritized on carrier networks, making it more reliable. Voice 2FA also offers language localization for international users, and it is relatively straightforward to implement. However, phone calls can be intercepted or forwarded, making them somewhat vulnerable to attackers.
Streamline your two-factor authentication process with OTP APIs
Putting stronger data privacy and cybersecurity measures in place is a much-needed investment. In fact, the success of 2FA solutions has been widely felt across many industries and some companies have even deployed multiple 2FA channels, so that there is a backup should one be compromised. Beyond compliance and customer experiences, 2FA could also be the deciding factor between users choosing your app over competitors.
Consolidated Technologies, Inc., is singularly focused on helping our customers succeed — and we take your security seriously. If we can be of service to you in implementing enhanced security measures, including two-factor authentication, please complete the form below.