It used to be that you could make a strong password based on a random sequence of letters, numbers and symbols and not worry about someone guessing it. Now? Forget about it. Mobile ransomware was up 33% in 2018 despite 98.4% of business phones and 97.9% of consumer phones being password protected. Passwords just aren’t enough anymore—especially when your company is tasked with the responsibility and liability of keeping data safe.
Two-Factor Authentication—Going Past the Passwords
When considering implementing two-factor authentication for your customers, consider what’s at risk here: Access to one-touch purchase and credit card-linked accounts, personal emails, private documents, photos, text messages—“special pictures…” These are all things that deserve a second layer of security. Providing it will help boost consumer confidence and trust in your business, giving your app a huge advantage over your less-secure competitors.
How Two-Factor Authentication Works
Two-factor authentication is a fairly simple process:
- A signifier (often a password) is presented to your app by a user that identifies that user’s account
- Your app’s authentication software then automatically generates a request for an additional identification factor (often a code sent via SMS text message) from the account’s owner
- The account owner is only authorized to access their account if both the signifier (password) and second identification factor (text code) match
One of the most common forms of 2FA for consumers is in-band authentication, meaning the same device or app is used for both identity and identification. For example, inputting your password on an app, and then receiving an SMS text message code on your smartphone to input into the app.
This is generally called “soft token” authentication in that the code is generated and stored within the software and is only good for one-time use, making it a fairly strong form of verification.
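The flow above as an added example (not code from this article or from any SMS provider): the server checks the password, issues a one-time code, and grants access only when both match. The function names, in-memory stores, 5-minute lifetime and 3-attempt limit are assumptions, and SMS delivery is replaced by returning the code to the caller.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # assumed code lifetime in seconds
MAX_ATTEMPTS = 3    # assumed number of wrong guesses allowed per code

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _digest(code):
    return hashlib.sha256(code.encode()).digest()

# Constructed sample account store: username -> (salt, password hash)
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}
PENDING = {}        # username -> [code digest, expiry time, attempts left]

def start_login(user, password, now=None):
    """Steps 1 and 2: check the password, then issue a one-time code.
    Returns the code (stand-in for sending it by SMS), or None on failure."""
    now = time.time() if now is None else now
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return None
    code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
    PENDING[user] = [_digest(code), now + CODE_TTL, MAX_ATTEMPTS]
    return code

def finish_login(user, code, now=None):
    """Step 3: grant access only if the second factor also matches."""
    now = time.time() if now is None else now
    entry = PENDING.get(user)
    if entry is None:
        return False                 # no password step done, or code used up
    digest, expiry, attempts = entry
    if now > expiry:
        del PENDING[user]            # expired codes are discarded
        return False
    if hmac.compare_digest(_digest(code), digest):
        del PENDING[user]            # single use: a replayed code fails
        return True
    entry[2] = attempts - 1
    if entry[2] <= 0:
        del PENDING[user]            # too many wrong guesses: code is void
    return False
```

The code is compared in constant time and deleted on success, expiry or exhausted attempts, which is what makes it "good for one-time use" in practice.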
Two-Factor vs Two-Step Authentication
Just be careful what security steps you take. Not all methods of authentication are created equal. You want your customers to be truly safe, and for that, you need two-factor authentication—not two-step verification.
A factor can be one of three things:
- Something you know—like a password, PIN or pattern
- Something you have—like a smartphone, dongle, RFID or token
- Something you are—like a biometric scan of your face, retina or fingerprint
Two-factor authentication requires at least TWO of these factors be met. For example, if you input your password, receive an SMS text message on your cell phone and then input that as well, you’ve met the “something you know” and “something you have” factors.
On the other hand, if you input your password and then answer a security question, those are both the same factor (something you know), and therefore only “two-step” verification—not two-factor. Using two of the same factor isn’t as secure as using two different factors.
Yeah, But Do I Really Need Two-Factor Authentication?
Of course not. You can just risk it. But Slack, Amazon, Dropbox, Google, Facebook, Apple, Microsoft, Evernote, Venmo, PayPal and just about every major player in the app and mobile industry offers—or demands—two-factor authentication. So if you know more than Google and Apple, sure—you don’t really need it!
But before you run out into the world unprotected, consider this last fact: there is no reason not to implement two-factor authentication:
- It’s the easiest and cheapest way to automatically increase security and consumer data protection
- API integration is seamless and easy
- Previous problems with Twilio in Argentina (customers never receiving the text message or experiencing big delays) have been solved by the launch of Wavy, whose API connects to the apps we build in a matter of minutes
The choice is yours—you can put your customers at risk while basically telling them you don’t really care about keeping their data secure, or you can increase their trust in your company while reducing your own risk and liability. Easy choice, right?
We thought so. Let’s talk about getting your company started with two-factor authentication today.