We are huge advocates of Two Factor Authentication (2FA) or Two-Step Authentication, which makes up a whopping 90% of the Multi-Factor Authentication (MFA) market.
2FA is a small effort in securing apps when compared with the 3-, 4- and 5-factor authentication models that are growing in prominence.
BUT we also empathise with the desire for even less friction while staying secure, so what are the best methods to keep authentication both simple and safe?
The quick description is that 2FA is a verification process in which a user provides two different forms of identification: a combination of something they know with something they have, or something inherent that defines who they are.
1FA — Knowledge (what you know)
Passwords, User Names, IDs, PINs
2FA — Possession (what you own)
Devices, Phone, OTP tokens, key fobs, employee ID cards and SIM cards
3FA — Inherence (what you are)
Touch ID, Scans for retina, iris, fingerprint, finger vein. Facial & voice recognition, hand & earlobe geometry.
4FA — Social Auth (who you know?)
At least two elements from separate categories are required for 2FA. We take a look at some of the various methods for 2FA below.
The first step, filling in a password or PIN, can be a problem in itself when you can't keep track of logins across apps.
There are cloud-based apps like iCloud Keychain, 1Password and LastPass that store, generate and fill passwords to make the first step easier. There is the off chance these apps might suffer a security breach, but the core of their business is to ensure users are well protected from attackers.
Facebook, Amazon and Twitter have used SMS for 2FA as a standard for years now. SMS is undoubtedly the most prominent and popular method of authentication, and for good reason – due to its ubiquity and availability on mobile phones both old & new.
The usual process involves a smartphone or email account (a secondary device) receiving a one-time PIN code, which the user then enters into the system to log in. The process is as follows:
But being popular does not make SMS the only horse in the race; it's just one of many methods for 2FA.
Standard calling requires a user to pick up a call after the first login and act on the instructions (a numerical code read out during the call). But is there a similar step that requires no input from the user beyond picking up the phone?
Flash Verification from Sinch might just be it: a service that performs the verification for the user, without input. The phone number itself is verified on various levels, but the process is "invisible" to the user.
Authenticator apps are a reasonable alternative to SMS as a second step of authentication. They provide time-limited codes or QR codes for secure access to a wide range of services.
Google Authenticator is the standout in this category, with almost 100 integrations for 3rd party services, including Amazon, Slack, GitHub and even Xbox.
Anyone who uses mobile or internet banking will be familiar with this: a physical device such as a hardware token, USB token or key fob that users need as an extra step for authentication.
Some of these devices even store cryptographic keys, signatures and biometric data, and come with RFID and Bluetooth functions.
They provide a great alternative to SMS, but the effort of carrying an extra device clearly belongs to the pre-digital age.
This option allows authentication through the detection of an individual’s presence at a distinct location.
Salesforce recently acquired Toopher, a mobile authentication app which allowed users to give permissions for location detection for verification, without physically handling a smartphone.
It might be easier than using SMS at times, but it also comes with privacy issues of allowing an app constant access to your location.
Biometrics are routinely mentioned as part of 3FA rather than 2FA, kept as the third step of an even stronger authentication process.
Fingerprint technology is the clear frontrunner in the biometrics race with its strong adoption in mobile devices.
Using email as a second step for verification is circular. Email accounts should themselves be protected with 2FA in the first place, so logging into an email account to fetch a link or code as a second step is counterproductive to security.
Take a look at the list of websites on Two Factor Auth that use email as the second step: email is clearly a minority choice for the second factor.
The method chosen for authentication defines the types of input from the user. Each of them has its advantages and differing levels of friction.
SMS (Easy) — Industry standard. Requires mobile network access and a mobile phone.
Voice Calling (Easiest) — Requires a smartphone; no input, depending on the API provider.
Authenticator Apps (Easy) — Requires data access and a mobile phone.
Hardware Token (Medium) — Requires the device to be around at all times, sometimes in combination with a credit card.
Location Based (Easy) — Requires a smartphone and permission for the app to track location.
Email (Medium) — Low security if there is no 2FA in place for the email account.
Biometric Scan (Easy) — Requires a device with biometric capabilities.
Two steps is what we believe to be a reasonable minimum to ensure security, and each alternative offers possibilities to reduce friction.
SMS remains an easy second step, along with authenticator apps, location-based apps and biometrics, but the clear winner in frictionless verification is voice/flash calling without input.
Ease of use and security don't always go hand in hand, but with a trusted third-party provider to ensure encryption for SMS, and especially for verification through calling, the difficulty of each step can be greatly reduced.