An increasing number of applications, services, and websites rely on two-factor authentication to increase security. Data breaches, hacks, malware, and theft have become very common, and even strong passwords are not capable of completely securing user accounts.
A second authentication factor is also not guaranteed to be foolproof, but it can be helpful for making enterprises and individual users more secure and protected. This brief crash course explains what this two-stage authentication process is, the methods it involves, the effect it has on trust in enterprises and user safety, and how businesses and developers can implement this measure.
An old form of two-factor authentication with which most people are familiar is the ATM. To withdraw cash or access an account for any other purpose, a bank customer must insert a card (the first factor, something they have) and then enter a PIN (the second factor, something they know). It can be difficult to maintain even this level of security when all of the elements involved are digital and data-based.
Two-factor authentication processes that take place online usually combine a password with some additional source of user identification. It is essential that the second factor be independent of the first, so that compromising one does not reveal the other. To return to the physical example above, this is why banks tell customers never to write their PIN on the ATM card. If the two factors are related, or possession of the first leads to the second, the additional factor does nothing to make the account more secure.
In general, two factors are better than one. The more difficult it is to falsify or intercept the second type of identification, the more secure the service. This method should also not be so complicated that it is likely to put off even those users who want to be proactive about keeping their data secure. Multi-factor authentication involving more than two methods may be even more secure, but it is a challenge to convince ordinary users of the need for even one additional method in order to gain access to information they need as soon as possible.
First, security experts and developers must settle on a reliable additional method of verifying a user's identity. It must not be easy to falsify or intercept, yet it should not be burdensome for the authorized user to provide. For this reason, the most popular methods are verification codes, one-time passwords, and biometrics. Technological advances are making it easier to read faces, fingerprints, and other identifying features, which may make it harder for unauthorized users to compromise an account.
Some services send users an email, text message, or even a physical key that they can provide as proof of their identity and right to access an account or sensitive information. Applications, services, and sites may give users the option to opt in or out of this measure, but it is a good idea to strongly recommend the use of an additional authentication factor to decrease risk on the part of the provider and the user.
Major online services started rolling out additional authentication measures around the year 2012, and sign-in methods with second verification measures have become more common in the last few years. Most users still do not know about these features or consider the use of additional authentication measures to be tedious. A study published in the spring of 2018 reported that less than 10% of Google users opt to use a second authentication factor.
Even in cases where additional authentication factors are implemented, these measures are not foolproof. The simplest secondary methods, such as emails or text messages, are also the easiest to hack. If a user’s sign-ins on other services have already been compromised, it may not be difficult for a hacker to intercept or mimic the information necessary to gain access to more of a user’s accounts. Even biometrics can be manipulated.
Most security experts suggest that social engineering presents the biggest obstacle to two-factor authentication. Someone who knows enough about a user to contact a support line and pass identity verification with falsified details may persuade a customer service agent or an automated system to treat them as the legitimate user. If a hacker or unauthorized user manages to reset not only the password but also the second authentication factor for a service, they can effectively lock out the rightful user.
One upside of implementing two or more authentication factors is that these measures can at least introduce delays or other obstacles. This may allow time for a service to try to follow up with the authorized user about unusual activity or unsuccessful access attempts that may thwart a hack in progress.
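One concrete form those delays can take, as an added example rather than anything from the original article: a per-account sliding-window counter of failed second-factor attempts that doubles the required wait after each failure, raises an alert so the service can follow up with the user about the unusual activity, and locks the account until the legitimate user completes a successful sign-in. The window, thresholds and delay values are assumptions chosen for illustration, and the class name is this example's own.

```python
"""Throttling and alerting on failed second-factor attempts.

Added example, not code from the original article. Policy values (window,
thresholds, delays) are assumptions chosen for illustration.
"""
from collections import deque
from typing import Deque, Dict, Set


class SecondFactorGuard:
    """Per-account sliding-window counter of failed second-factor attempts.

    Each failure returns a verdict: how long the next attempt must wait
    (doubling per failure, capped), whether the account is now locked pending
    a follow-up with the user, and whether this failure should trigger a
    notification about unusual activity.
    """

    def __init__(self, window_seconds: float = 600, alert_after: int = 3,
                 lock_after: int = 6, base_delay: float = 2, max_delay: float = 300):
        self.window = window_seconds
        self.alert_after = alert_after
        self.lock_after = lock_after
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures: Dict[str, Deque[float]] = {}  # account -> failure timestamps
        self.locked: Set[str] = set()

    def _recent(self, account: str, now: float) -> Deque[float]:
        """Drop failures older than the window and return the remaining ones."""
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def _delay_for(self, n: int) -> float:
        """Exponential backoff: 2s, 4s, 8s, ... capped at max_delay."""
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record_failure(self, account: str, now: float) -> dict:
        q = self._recent(account, now)
        q.append(now)
        n = len(q)
        if n >= self.lock_after:
            self.locked.add(account)
        return {
            "failures": n,
            "delay": self._delay_for(n),
            "locked": account in self.locked,
            # notify the user at the alert threshold and again when locking
            "alert": n == self.alert_after or n == self.lock_after,
        }

    def record_success(self, account: str) -> None:
        """A successful sign-in by the rightful user clears the history and lock."""
        self.failures.pop(account, None)
        self.locked.discard(account)

    def attempt_allowed(self, account: str, now: float) -> bool:
        """False while locked or while the backoff from the last failure is running."""
        if account in self.locked:
            return False
        q = self._recent(account, now)
        if not q:
            return True
        return now - q[-1] >= self._delay_for(len(q))


if __name__ == "__main__":
    # Constructed scenario: a burst of wrong codes against one account.
    guard = SecondFactorGuard()
    t = 1000.0
    for i in range(6):
        verdict = guard.record_failure("alice", t)
        print(f"failure {verdict['failures']}: wait {verdict['delay']}s, "
              f"alert={verdict['alert']}, locked={verdict['locked']}")
        t += verdict["delay"] + 1
```

The alert is the important part for the paragraph above: the throttle only buys time, and that time is wasted unless the service uses it to contact the account holder through a channel the attacker does not control.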
The easiest way for a developer or company to add factors to a sign-in flow is to subscribe to or partner with an online authentication provider; several companies specialize in issuing and verifying second factors. Services with the strictest security requirements may want to consider a dedicated application, key, or hardware token that is not transferable between systems. Experts recommend that businesses and developers running high-security services steer clear of SMS verification, as this method is frequently exploited.
Individual users should check account settings on major applications, networks, and sites to see if the option for a second authentication factor is available. Some sites also maintain lists of sites and services that provide this option. If a service does not offer two authentication factors, a user may want to request some method for providing additional authentication.
Two-factor authentication is not impervious to hacks, but this method can increase user security and trust. For this reason, the number of applications, services, and websites that rely on these measures continues to increase. Developers and ordinary users should take advantage of the ability to add another layer of identity verification to as many services as possible. Doing so may limit the ability of unauthorized users to gain access to one account or service and use this information to compromise other logins.