
Two-Factor Authentication: Building Blocks For Better Security

With every major data breach, more and more personal information, especially passwords, becomes available to cybercriminals. Consumer security fatigue, combined with the massive proliferation of online services such as banking, healthcare, social media, gaming, news and insurance, means the need for improved account security has never been greater: better protection, but without huge friction. Users want to be secure, but they also want easy access to their applications.

There is evidence to support this. In the last 24 months, three billion records were lost online. In 2016, the number of US data breaches tracked hit an all-time record high of 1,093, and in 2017 the number of breaches rose to 1,579. Many of these end up in the weekly news cycle, which is raising awareness among consumers that they need to better protect themselves online. Two-factor authentication (2FA), an additional layer of security that makes it harder for attackers to gain access to a person’s devices and online accounts, has seen a significant increase in activity in the last year.

While robust measures to prevent customers’ data being compromised are important, businesses must also understand that people want to log into their accounts without hassle.

Getting it right

Adding better account security with 2FA is a vital component of ensuring that your business’s and customers’ information is kept safe. Two of the biggest challenges that businesses face with two-factor authentication are ensuring that their customers are educated on the importance of having it activated, which I will come on to later, and making sure that they are offering the most secure and user-friendly method possible. This brings me first to the discussion of push notifications versus SMS and voice calls.

Companies that have implemented 2FA traditionally ask people to verify their identity by entering a one-time passcode sent to them by SMS or voice call immediately after they have entered their username and password. This is often considered cumbersome, as the customer has to leave the application to look at their phone or listen to an automated call, then remember the code and type it into the application.

Aside from SMS and voice passcodes being inconvenient, there have been recent examples where their security is also a concern. There are proven ways in which a hacker can intercept a voice call or SMS, and if they already have your username and password, the 2FA step can be defeated. These methods, while not very common, have been used to empty bank accounts and take over high-profile social media accounts.

Adding to the poor user experience, users who receive a code via SMS when they are not logging in are often left wondering what to do next to protect their account. By the time they have Googled a support number or found the correct email address for the website being attacked and made contact with support, their account has likely already been taken over.

The user can get the same code without the interception risks of SMS and voice calls by installing a third-party authenticator app on their phone or desktop. The app generates the same 2FA passcode on the device itself, which makes it more secure than SMS or voice, but the whole process still presents users with a less than desirable login experience.
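To show why an authenticator app and the server arrive at "the same code", here is an added example (not Authy or Twilio code) of time-based one-time passcodes as standardised in RFC 4226/6238: both sides share a secret and derive the code from the current 30-second time step. The verifier accepts one step of clock drift on either side and refuses to accept a code at or before the last step already used, so a passcode that was intercepted cannot be replayed. The secret is the published RFC test-vector secret, used here only so the values are checkable.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# RFC 6238 test-vector secret ("12345678901234567890" in base32), used for checkable values;
# a real enrolment issues a fresh random secret per user, delivered to the app via a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at_unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app displays)."""
    return hotp(secret_b32, at_unix_time // step)


def verify_totp(secret_b32: str, submitted: str, at_unix_time: int,
                last_used_counter: int, step: int = 30, window: int = 1) -> Tuple[bool, int]:
    """Server-side check. Accepts the current step or +/- `window` steps to tolerate
    clock drift, but never a step at or before `last_used_counter` (replay protection).
    Returns (accepted, counter_to_store)."""
    now_counter = at_unix_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_used_counter:
            continue  # this step was already consumed (or is older than one we accepted)
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_used_counter
```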

Push authentication

There are better options, however, and this brings me on to push authentication, which is by far the most user-friendly and secure form of two-factor authentication. In fact, companies like Yahoo and Google are using push authentication to replace the use of passwords at login time entirely. The process starts with a push notification to a smartphone or desktop application, which then launches with a message similar to “someone in Beijing, China on a Windows 10 device is trying to log in right now, is it you?” and presents the user with two options: accept or deny the activity. If the customer says “deny”, the application can stop the hacker immediately without the user needing to contact the bank or company in question.

Push authentication also enables businesses to provide more information to customers to help them make an informed decision. For example, the prompt might say “you are logging into your bank account from an IP address in San Francisco, using a Chrome browser on a MacBook Air”, with a map of where the request is coming from. It can also include company branding to reassure the user that the request is coming from the right source. All of that information helps the user look at it and say “yeah, that’s me logging in on my machine” or “that’s not me logging in from Russia on a Windows laptop.”
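The server side of the flow just described, as an added illustration rather than Authy's or Twilio's implementation: after the password check, the service issues a challenge that carries the login context shown to the user, is bound to that account, expires quickly, and can be answered exactly once; a "deny" ends the attempt without the user having to contact anyone. The class and field names are assumptions for this example, and the login context is constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LoginAttempt:
    """Context captured at the password step (constructed sample fields)."""
    user: str
    ip: str
    city: str
    country: str
    device: str
    browser: str


@dataclass
class PushChallenge:
    attempt: LoginAttempt
    challenge_id: str
    created_at: float
    ttl_seconds: int = 60
    decision: Optional[str] = None  # "approve" or "deny" once the user has answered


def render_prompt(attempt: LoginAttempt) -> str:
    """The message the user's app displays, so the accept/deny decision is an informed one."""
    return (f"Someone in {attempt.city}, {attempt.country} on a {attempt.device} using "
            f"{attempt.browser} (IP {attempt.ip}) is trying to log in right now. Is it you?")


class PushAuthenticator:
    def __init__(self) -> None:
        self._pending: Dict[str, PushChallenge] = {}

    def start(self, attempt: LoginAttempt, now: float) -> PushChallenge:
        """Create a single-use, time-limited challenge; the id is unguessable."""
        challenge = PushChallenge(attempt, secrets.token_urlsafe(16), now)
        self._pending[challenge.challenge_id] = challenge
        return challenge

    def respond(self, challenge_id: str, app_user: str, decision: str, now: float) -> str:
        """Apply the answer from the user's app. Returns 'approved', 'denied', 'expired',
        'wrong_user' or 'unknown' (never issued, or already answered)."""
        challenge = self._pending.pop(challenge_id, None)  # pop: a challenge is answered once
        if challenge is None:
            return "unknown"
        if app_user != challenge.attempt.user:
            return "wrong_user"  # only the enrolled device for this account may answer
        if now - challenge.created_at > challenge.ttl_seconds:
            return "expired"  # a stale approval must not complete a login
        challenge.decision = decision
        return "approved" if decision == "approve" else "denied"
```

Only an "approved" result should let the login proceed; "denied" is the signal to end the attempt and alert the account owner.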

SMS & Voice still needed

But while push authentication is the future, I’d like to make the point that we mustn’t disregard SMS and voice calls as viable 2FA options. Firstly, using 2FA via SMS is a massive improvement in security over username and password alone. The known cases of people fooling carriers into redirecting SMS and voice calls to another device are still complex and rare. Also, not everyone owns a smartphone on which to download apps and receive push notifications. Finally, SMS is often a great option to fall back on when push authentication isn’t going to work.

I myself use push authentication at every possible opportunity. However, I travel to countries where I don’t always have an internet connection on my phone to get the request, so being able to fall back to SMS when I need to is essential for maintaining access to my online applications. Companies must be aware that it is critical that they cater to all consumers and their environments to ensure that everyone has access to better account security. That said, I do believe that push notifications are the most user-friendly and secure form of 2FA currently available and that businesses really need to be including it as part of their offering, so that those who do have a smartphone have the ability to use it.

Access for all

Technology vendors have a responsibility to make the most advanced 2FA technology available to even the smallest of businesses. Twilio, for example, offers advanced two-factor authentication technology to companies that don’t have the budget or manpower to build something from scratch in-house. Not only are these companies able to be more secure and offer a seamless customer experience when it comes to 2FA, they can also focus on running their business while relying on Twilio’s expertise and deep experience in delivering this service to power their backend.

To put this into perspective, I spoke to the founder of data storage company Datto, who said that after they had built their business and secured their unicorn valuation, they calculated that, based on their USD $1 billion valuation, the time the founders spent developing software was valued at nearly USD $24,000 per hour. He also told me that, at the beginning, they built their own content management system which in the end didn’t work and they had to abandon it. That investment was very costly in time and effort, with no valuable return. Based on this, he said if he had to do it again, he wouldn’t build a security product, he would purchase a well-built product at a competitive price which the vendor will maintain.

Online finance is the big target

Offering a robust and secure service is key for all service providers, but none more so than financial technology companies (fintechs). Online account security is about defending yourself against someone who is trying to do you harm, either by hacking your online social profile or by taking your money. And money is the big one: it is the primary driver of why people go after an account, so financial services are a big target.

There are a number of companies that are really leading the way in this sector, and one that stands out is Transferwise. Transferwise uses the Twilio Authenticator SDK, which enables it to roll out borderless authentication, something that is particularly important to its user base, which often travels across multiple countries and uses multiple SIM cards. This means that an authentication message bound to a specific geographic phone number isn’t ideal, so they offer 2FA push authentication as an alternative.

A role to play

While there are companies leading the way and consumers becoming increasingly aware of two-factor authentication, there is still a long way to go. We all have a role to play in educating people about the importance of online safety and keeping their personal information protected.

I say it’s a bit like teaching people how to cross the road. We have an obligation to teach our children to stop, look and listen before crossing a road. We have the same obligation to teach our peers, family, and the next generation about how to protect themselves online.

Two-factor authentication is a good starting point. Companies need to educate their customers about the importance of having it activated, and consumers need to be aware of the important role it plays. We live in a world where consumers share more personal information than ever before, and we have an obligation as a society to ensure that this information is kept safe and secure.

This article was originally published in The Australian

About the author: Simon Thorpe

Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Authy he works closely with the whole team to deliver a world-class solution for developers to build security into their applications.
