How Universal Two-Factor Authentication Could Change Password Security
As much of our day-to-day lives migrates into the digital realm, the need to secure our personal data, both online and on mobile devices, has become blindingly obvious. High-profile data breaches in 2014 have shown there is growing public demand for Internet giants, retailers and other online service providers to offer an increased level of protection for their users’ accounts. A simple way of achieving this is by introducing two-factor authentication, which in light of recent hacking attempts has grown in popularity.
Enhanced account security couldn’t come at a better time. Recent research shows that 60 percent of people use the same username and password combination for all their online accounts, from social networking to online banking. Therefore, if hackers can get their hands on a set of login details for one website, it is likely those same details will work in a number of other places. However, given the wealth of Internet-based services we now rely upon, and the sheer number of accounts we hold (according to Experian, 26 different online accounts per person on average), it’s hardly a surprise that the same password is being used time and time again.
Fortunately, less importance is being placed on our account passwords now that two-factor authentication (2FA) has become increasingly popular. 2FA bolsters security by adding another layer to the username and password mix. One of the most common forms of 2FA involves delivering a one-time PIN to a user’s mobile device, which must then be entered before they can access their account. Not only does this prove the user has the correct login credentials, it also demonstrates they have a device associated with their account in their possession. The two elements combined dramatically improve account security and make it much harder for hackers to gain access.
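The server side of the one-time PIN step described above, as an added example that is not part of the original article. The 6-digit length, 5-minute lifetime, 3-guess limit and the `OneTimePinStore` name are assumptions, and sending the PIN by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6      # assumption: 6-digit PIN
PIN_TTL = 300       # assumption: PIN is valid for 5 minutes
MAX_ATTEMPTS = 3    # assumption: guesses allowed per issued PIN


class OneTimePinStore:
    """Issues and checks one-time PINs for the second login step (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, pin):
        return hashlib.sha256(salt + pin.encode()).digest()

    def issue(self, user):
        """Create a fresh PIN for `user`; the caller delivers it by SMS."""
        # secrets uses the OS CSPRNG, so the PIN is not predictable.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Keep a salted hash rather than the PIN; re-issuing replaces any older PIN.
        self._pending[user] = [salt, self._digest(salt, pin),
                               self._clock() + PIN_TTL, MAX_ATTEMPTS]
        return pin

    def verify(self, user, candidate):
        """Return True once for the correct, unexpired PIN; otherwise False."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        entry[3] = attempts_left - 1        # count the guess before checking it
        if hmac.compare_digest(digest, self._digest(salt, candidate)):
            del self._pending[user]         # single use: replaying the PIN fails
            return True
        if entry[3] == 0:
            del self._pending[user]         # limit reached: a new PIN is required
        return False
```

The expiry and guess limit matter because a 6-digit PIN has only a million possible values; without them the second factor can simply be guessed.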
There is no doubt that 2FA is a consumer-friendly answer to online security challenges, but incorrectly implementing 2FA or providing consumers with an overly complicated authentication process will not have the desired effect. Users want added security, but not at the expense of convenience. Any security method, no matter how reliable, will not be adopted en masse if it negatively impacts on the user experience. This is why it’s so important to choose the right approach to 2FA.
Until recently, the use of a hardware dongle to deliver a one-time PIN was standard. This approach does work but has a number of drawbacks, not least that it presents the user with another gadget to carry around at all times which, if lost or broken, would prevent them from gaining access to their accounts.
Equally, if the 2FA process becomes too complicated, users are likely to abandon the service. Convenience is a commodity that the average consumer is unwilling to compromise over, and hardware-based dongles could easily fall into this category. The hardware-based approach isn’t suitable for multinational companies like Facebook, Google or Apple either. Their global scale and vast user base demand a universal solution that can be quickly deployed. For companies of this size, it’s essential to implement 2FA in a way that is commonplace around the world, such as SMS-based 2FA.
SMS ticks all the right boxes when it comes to added account security. Implementing 2FA in this way can turn any mobile phone, anywhere in the world, into an extra layer of account security. It is also a widely used technology, and consumers are already comfortable using it. Not only that, but SMS is reliable as a communications channel and is cost-effective for large enterprises.
SMS-based two-factor authentication has already been implemented by the likes of Google, Facebook and Apple. It’s also used by a number of mobile apps (like WhatsApp) to confirm the user’s identity at installation. However, SMS-based 2FA is not limited to household names. There are a number of companies now supplying SMS-based platforms that allow all businesses to introduce 2FA. This means that, regardless of the scale of a company, it is feasible to implement the level of security needed to ensure the trust of the consumer.
After choosing the right 2FA approach, it's important to consider how it's going to be delivered. One requirement is reliable global coverage, which is indispensable in an age where the Internet has erased borders. Many SMS providers have close partnerships with mobile carriers, but few can offer the truly international connectivity that is becoming a necessity for global brands. Additionally, SMS-based 2FA is not one-size-fits-all. Companies must make sure the service they choose meets the needs of the business – there is a range of options available, from one-time password or PIN generation to turnkey solutions complete with OTP functions. A business must select the right form of 2FA, from the right provider, to avoid the pitfall of reduced user experience.
Ultimately, for improved account security (SMS-based 2FA or otherwise) to be effective, security measures above and beyond the username and password need to be adopted by all companies and not just a select few. If a user’s details stray from the hands of Facebook and are used to hack the user’s Amazon account, it is little consolation to know one offered 2FA if the other didn’t. In a world where online security is more and more frequently being called into question, universal deployment of 2FA could be the answer, and SMS an ideal way to deliver it.