Let’s start with a definition
Two-factor authentication is an enhanced identity verification method that requires two different types of identity verification for every login. It’s sometimes known as 2FA or two-step identification. It offers enhanced security over simple password-based authentication.
It typically uses a knowledge factor, such as a password, and a possession factor, such as a phone to which a unique SMS code is sent. Biometric factors such as fingerprint and voiceprint recognition are being used more and more in multi-factor authentication too.
Here’s a simple way to think about the various authentication factors:
Knowledge: Something only you would know. For example, a password.
Possession: Something only you would have. For example, your phone, to which an SMS code is sent.
Biometric: Something only you are. For example, your fingerprints, face, eyes, or voice.
Here’s a real-life example
Google offers two-factor authentication as an option for logging in to Gmail. It’s a standard two-factor authentication setup. Users first enter their email address and password, and are then sent a unique code to their smartphone via SMS. They then need to enter the code into the login screen.
So even if your password has been stolen, no one can log in to your account unless they’ve stolen your smartphone too.
Importantly, a new SMS code is sent for every login, and it expires after a short period of time. That way there’s no risk of someone peering over your shoulder and reusing your SMS code later.
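The two properties just described (a fresh code for every login, and a code that expires after a short time) are what make an SMS code useful as a possession factor. The following is an added example, not code from the original article and not Google’s implementation, showing how a server can enforce them: every code is randomly generated, stored against the login session, expires after a short window, is accepted only once, and is locked after a few wrong guesses. The class and function names, the two-minute lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120   # assumption: a code is valid for two minutes after issue
MAX_ATTEMPTS = 3         # assumption: a code is abandoned after three wrong guesses


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Issues and verifies one-time SMS codes for a login session (hypothetical API)."""

    def __init__(self, clock=time.time):
        # the clock is injectable so expiry can be tested without waiting
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}

    def issue(self, session_id: str) -> str:
        # a fresh, unpredictable code for every login; any earlier code for
        # this session is discarded so only the latest one can ever succeed
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = PendingCode(code=code, issued_at=self._clock())
        # in a real deployment this value goes to the SMS gateway only,
        # never back to the browser that started the login
        return code

    def verify(self, session_id: str, submitted: str) -> bool:
        entry = self._pending.get(session_id)
        if entry is None:
            return False                      # nothing issued, or already used
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[session_id]     # expired: the user must request a new code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]     # too many guesses: abandon this code
            return False
        entry.attempts += 1
        # constant-time comparison so response timing leaks nothing about the digits
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            return False
        del self._pending[session_id]         # single use: the same code cannot be replayed
        return True


class FakeClock:
    """Controllable clock used to demonstrate expiry offline."""

    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through the behaviours the article describes and report each outcome."""
    clock = FakeClock()
    factor = SmsSecondFactor(clock=clock)
    results = {}

    code = factor.issue("session-A")
    results["correct_code"] = factor.verify("session-A", code)   # accepted
    results["replay"] = factor.verify("session-A", code)         # same code again: rejected

    code = factor.issue("session-A")
    clock.advance(CODE_TTL_SECONDS + 1)
    results["expired"] = factor.verify("session-A", code)        # past its lifetime: rejected

    code = factor.issue("session-A")
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_code"] = factor.verify("session-A", wrong)    # rejected
    results["correct_after_one_wrong"] = factor.verify("session-A", code)  # still within attempts

    code = factor.issue("session-A")
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        factor.verify("session-A", wrong)
    results["locked_out"] = factor.verify("session-A", code)     # right code, but code abandoned
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

Each successful or exhausted code is removed from the pending table, so the server never holds a code that could be replayed. The lockout counter is per code rather than per account, which is enough to make guessing a six-digit code impractical within its two-minute lifetime.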
When to use two-factor authentication
Companies should look to implement two-factor authentication whenever they need to minimise the risk of fraudulent account access. That means situations where a user is accessing sensitive information, or undertaking a task that has significant financial consequences.
Common uses for two-factor authentication include a bank login, clocking on for a shift, or authorising a share trade.
Why not always use it?
Yes, two-factor authentication is more secure than asking for just a login ID and password. But there are two main reasons why you wouldn’t use it all the time:
Having an extra step in the login process means more customer effort. However, it shouldn’t cause frustration. Unlike remembering a password, there is little chance of failure on the second step for a legitimate user. For example, they will nearly always have their mobile phone with them to receive an SMS.
Traditionally, two-factor authentication has been costly for businesses to implement. It usually required an IT project running into the hundreds of thousands of dollars, or well into the millions for a large bank. Then there are variable costs relating to each authentication, such as the cost of sending an SMS.
That said, costs have dropped drastically with the advent of cloud communications. It’s now possible to run two-factor authentication with usage-based charges of a few cents or less per authentication, without any set-up costs at all. That makes it particularly easy to offset against the average cost of fraudulent logins and identity theft.
Whether or not to implement two-factor authentication will depend on the scenario. Ultimately, it’s a trade-off between the potential cost of a compromised account on one side, and usability and implementation cost on the other.
Sometimes companies use a tiered approach: single-factor authentication for simple, low-risk uses, and two-factor authentication for greater-risk activities such as account recovery and password resets.
Some companies, such as Google with Gmail sign-in, will let the customer choose.
Is it invincible?
Well, no. But it is significantly more secure than single-factor authentication and will drastically reduce fraudulent logins and identity theft. The degree to which it is better depends on the industry and application.
The most determined fraudsters seem to find ways around even the tightest security. For example, SMS codes can be intercepted by fraudsters if they contact a mobile carrier pretending to be the account holder and have the mobile number ported to a new SIM card (theirs!). Telco security processes shouldn’t allow this, but it has happened before.
But the prize for the most entertaining multi-factor authentication hack goes to a group of Brazilian doctors. Required to use fingerprint recognition to clock in and out of shifts, they created silicone replica fingers, complete with fingerprints! They could then clock in to shifts they never worked and be handsomely overpaid. It just goes to show the extreme lengths some people will go to!
It must be said that these are rare exceptions. After all, banks trust two-factor authentication to protect their customers’ wealth. Rest assured, two-factor authentication offers far greater security than traditional single-factor verification.
Check it out for yourself
To see how quickly you could have two-factor authentication up and running – for zero set-up cost – contact us for a demo today.