Picture this: You open your laptop to begin checking online sales for your business. You log in with your email address, only to receive an uncharacteristic error message: “Your Password is Invalid.” You type in the password again. “Your Password is Invalid.” You try again. “Your account has been temporarily locked. Please contact support.”
You quickly grab the phone and begin to dial. As you wait on hold, you decide to check your business’ website and are stunned to see a “Web Page Not Found” error. A technical support specialist answers your call and begins to explain that the website and linked email account have been hacked.
Fortunately, the hosting company explains that the hacker didn’t cause any irreparable damage. It sounds like a lucky break, but this scenario could have been avoided using two-factor authentication. Two-factor authentication helps protect both business data and their customers’ personal account information, and more and more businesses are using it to avoid damaging hacks.
What is two-factor authentication and what can it do for a business?
When you have to enter only a username and password, that's considered a single-factor authentication. Two-factor adds an extra level of authentication to an account log-in, requiring the user to have two out of three types of credentials before being able to access an account. The three types are:
- Something you know, such as a personal identification number (PIN), password or a pattern
- Something you have, such as an email address, key fob, or phone number
- Something you are, such as a fingerprint or voice print
While early two-factor solutions largely relied on hardware tokens or fobs that produced one-time passwords, today’s use of SMS messages makes mass implementation much easier.
Using SMS messaging helps create a trusted identity giving customers yet another layer of security. Since most companies have an established phone number as part of their brand identities, there is some likelihood that a customer would raise a red flag should they receive an authentication code from an unrecognisable phone number. Many companies are now using their longstanding toll free numbers to further capitalise on that brand equity and potential security benefits.
How does two-factor authentication via SMS work?
Step 1. On account creation or while logged in, a customer enters their telephone number, so that the business’ site can send them a code via a text message.
Step 2. A text message is sent from the toll free business line to the customer’s mobile telephone number.
Step 3. The customer enters the unique code on the site’s prompted location. Once the code is validated, the website saves the phone number associated with the account.
Step 4. Next time the customer attempts to log in, they will be prompted to enter a PIN code sent by the same toll free business line to their phone number verified in Step 3. In the case of a hacked account, the hacker won’t be able to provide the PIN code, thus keeping the account safe.
What’s new about two-factor authentication?
Though two-factor authentication has been around for years, thanks to the surge of mobile phones, it’s becoming more and more widespread. Banking, password managers, retail sites, and even photo apps have all started it within their mobile apps. The addition of fingerprint scanners allow mobile app developers to lock down access to the app. Now, if someone is able to breach your phone, your app contents are protected.
It’s also important to note that this only helps to protect users on their mobile devices. 75 per cent of all millennials rely on mobile apps for the majority of their banking . But for the rest of us, it’s important to have other methods of proving who we are besides just a password.
Some services now offer authenticator mobile applications. These systems require the user to download their ‘authenticator’ app from the mobile app store and sign in to their account. The next time the user tries to log in to their service, they’ll be prompted for the code in the app. These apps usually run some sort of Time-based One-time Password Algorithm (TOTP) which computes the code based on the time of day and an initial secret key (kind of like the old key FOB authenticator but without any physical hardware). Using a TOTP ensures that the code will work even if the device is offline.
Anything from toll-free sms codes, fingerprint readers, or special mobile apps can increase users’ security. There are many different ways to ensure peace of mind using some sort of two-factor authentication not mentioned here.
Those can be perfectly valid and should be part of your initial research. The best two-factor authentication system is the one that users actually use.
Justin Moreira, product manager, Bandwidth
Image source: Shutterstock/Lim Yong Hian