We explain why two factor authentication (also known as 2FA) is an essential tool for modern apps and websites.
Our industry is full of acronyms. They can seem equally confusing in either their full or abbreviated states. By contrast, 2FA is a refreshingly simple concept; most people could guess what two factor authentication involves from its name alone.
Two is better than one.
What is 2FA?
Two factor authentication confirms someone’s identity using two different kinds of evidence, drawn from separate categories: something you know (a password), something you have (a phone or card) and something you are (a fingerprint). Think of the PIN for your bank card. You need both the card and the PIN to withdraw money from an ATM, so a stolen purse on its own does not leave you out of pocket. 2FA is the online equivalent of the debit card plus its PIN.
This method of doubling down on ID was devised during the 1980s, in response to fears about identity theft. Since then, 2FA has been adopted by social media platforms and software services like Dropbox and LinkedIn. It’s most commonly associated with online banking (PayPal, HSBC) or ecommerce portals such as Amazon and Etsy.
Alongside a standard username and password, two factor authentication also requires one of the following:
1) A physical object you have, such as a bank card reader.
2) An additional piece of data you know – a PIN, or your place of birth. Strictly speaking this is a second knowledge factor rather than a second factor, and a place of birth is often public, so it adds far less protection than the options below.
3) A randomly-generated code that can only be used once, or only within a set time period.
4) Biometric information, such as a fingerprint from the scanner on a modern smartphone.
As we became a nation of online shoppers and electronic bankers during the 1990s and 2000s, websites began asking us for more than one piece of ID. Since many people reuse the same password across multiple online accounts, one leaked password database or one convincing phishing email is enough for criminals to log in as us elsewhere; a second factor means a stolen password alone is not enough. Security experts Symantec reckon 80% of security breaches could be prevented with 2FA.
Tell you one time...
A popular method of 2FA involves sending a unique access code to a customer’s mobile phone by SMS message. Software randomly generates a unique code known as a One Time Password, or OTP. Entering this code into the website proves that whoever is logging in also has access to the phone number registered on the account. The OTP expires once it’s been used, or after a certain amount of time. Since our phones are practically extensions of our bodies nowadays, 2FA by SMS is quick and convenient for all parties. It is also the weakest of the common options: a criminal who persuades a mobile operator to move your number to their SIM (a “SIM swap”) receives your codes instead of you, and text messages can be intercepted in transit. Treat SMS as a fallback for customers who cannot use an authenticator app, rather than as the first choice.
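The server side of the SMS flow described above, as an added example (this is illustration code written for this page, not code from any product it mentions). It shows the three properties a one-time code needs beyond randomness: it must be unpredictable (generated with the `secrets` module, not `random`), it must expire, and it must be redeemable exactly once, with a cap on wrong guesses so a six-digit code cannot simply be brute-forced. The five-minute lifetime, the five-attempt budget and the in-memory store are assumptions; the SMS gateway is replaced by a list that records what would have been sent.

```python
"""Server-side handling of an SMS one-time password (added example, constructed)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5              # assumption: five wrong guesses burn the code

# Assumption: in production this key comes from a secrets manager and is kept
# separate from the database, so a database dump alone does not reveal live codes.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class PendingOtp:
    code_mac: bytes          # HMAC of the code, never the code itself
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


@dataclass
class OtpService:
    # Stand-ins for a database table and an SMS gateway (constructed).
    pending: Dict[str, PendingOtp] = field(default_factory=dict)
    sent: List[Tuple[str, str]] = field(default_factory=list)

    @staticmethod
    def _mac(user: str, code: str) -> bytes:
        # Bind the code to the user so one user's code cannot be replayed as another's.
        return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for `user`, store its MAC with an expiry, and 'send' it."""
        now = time.time() if now is None else now
        # secrets.randbelow is a CSPRNG; random.randint would be predictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingOtp(self._mac(user, code), now + CODE_LIFETIME_SECONDS)
        self.sent.append((user, code))   # the real system hands this to the SMS gateway
        return code

    def redeem(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """Accept the code at most once, only before expiry, and only within the attempt budget."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None or entry.used or now > entry.expires_at or entry.attempts_left <= 0:
            return False
        entry.attempts_left -= 1   # count the guess before checking it
        # compare_digest is constant-time, so response timing does not leak digits.
        if not hmac.compare_digest(entry.code_mac, self._mac(user, code)):
            return False
        entry.used = True          # single use: a replayed code is rejected
        return True


if __name__ == "__main__":
    svc = OtpService()
    c = svc.issue("alice")
    print("sent:", svc.sent[-1], "accepted:", svc.redeem("alice", c), "replay:", svc.redeem("alice", c))
```

The attempt counter is decremented before the comparison so that a wrong guess always costs an attempt; combined with the short lifetime this leaves an attacker at most five tries against a million possibilities per code, which is the arithmetic that makes a six-digit OTP acceptable.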
Another modern development in 2FA is the dedicated smartphone app, known as an authenticator. Rather than receiving a code by text, the app generates the codes itself from a secret that is shared with the service when you enrol (usually by scanning a QR code), using the time-based one-time password standard (TOTP, RFC 6238), so nothing has to travel over the phone network. Some services go a step further with push notifications, where a single tap of the screen approves a login. Applications like Duo Push and Authy can be set up on a variety of devices, and they’re easy to install and use.
Getting down to business...
What if you’re a service provider or ecommerce platform, and you want to offer 2FA to your customers? There are plenty of software packages that do the hard work for you, often in the form of a plugin: a standalone piece of code that performs a single function, such as the Google Authenticator plugin for WordPress, which adds time-based codes compatible with the Google Authenticator app to the login form. This easily-installed plugin offers flexibility in terms of when to activate 2FA, and how customers can identify themselves. Whichever package you choose, check that it limits the number of code attempts and gives users a recovery route (backup codes or a second device) before you switch it on, or a lost phone becomes a locked-out customer.
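What an authenticator app and the server both compute, as an added example covering the authenticator apps described earlier and the enrolment a plugin like the one above performs. This is illustration code written for this page, not the WordPress plugin’s or any app’s own code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly from the standard library, builds the `otpauth://` URI that authenticator apps read from a QR code, and verifies codes with clock-skew tolerance and replay protection. The issuer and account names, the one-step tolerance window and the rule that no time step is accepted twice are assumptions; the secret used in the test is the one published in both RFCs.

```python
"""HOTP / TOTP generation, enrolment URI and server-side verification (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP period used by most authenticator apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: float, digits: int = DIGITS,
         step: int = STEP_SECONDS, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time // step), digits, algorithm)


def new_enrolment(issuer: str, account: str) -> Tuple[bytes, str]:
    """Server-side enrolment: a random 160-bit secret and the otpauth:// URI the app scans.
    Issuer and account are whatever the service chooses (assumed names in the test)."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")   # apps expect unpadded base32
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
    return secret, uri


class TotpVerifier:
    """Server-side check of a submitted code for one enrolled secret."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window                      # assumption: accept +/- one 30 s step of skew
        self.last_accepted_step: Optional[int] = None

    def verify(self, code: str, unix_time: Optional[float] = None) -> bool:
        now = time.time() if unix_time is None else unix_time
        current = int(now // STEP_SECONDS)
        for step in range(current - self.window, current + self.window + 1):
            # Replay protection (RFC 6238 section 5.2): a step already used, or any
            # earlier one, is never accepted again even though it is inside the window.
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret, uri = new_enrolment("Example Shop", "alice@example.com")   # assumed names
    print(uri)
    print("current code:", totp(secret, time.time()))
```

The verifier must persist `last_accepted_step` alongside the secret; keeping it only in memory would let a captured code be replayed against another server in the pool within the same 30-second window.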
Offering 2FA demonstrates a commitment to protecting personal data, potentially elevating you above less savvy competitors. A visible focus on account security can encourage wavering customers to commit to a purchase, while deterring less welcome visitors to your site or back-office systems. If client data is stolen, or if your customers fall victim to fraud, the consequences can be disastrous from a PR and reputational perspective. Now is the time to implement 2FA and protect your customers and your business. Everyone has a duty to do what they can to protect online transactions.