Every so often, it’s on the news: some hackers breached a popular service and stole the data of millions of users, including email addresses, names, passwords, credit card information and so on. Just in the past decade, many well-known online services were breached: Adobe, eBay, LinkedIn, Yahoo and Marriott International, just to name a few.
Many businesses that offer their services online have since added two-factor authentication (2FA) to increase security and reduce the chances of data being stolen. In this article, we will dive into what exactly 2FA is, how it works, and whether you should implement it on your website.
What is 2FA?
Traditionally speaking, your data online is protected by the username and password combination. Your password is made up of a string of characters and that is pretty much your only line of defence. 2FA adds one extra layer of security.
There are many different types of 2FA, but most of them request a second piece of information from the user before letting the user gain access to the account. The information could be something they know, such as a second password or a PIN. It could be something they are, such as a fingerprint, voice, or face. It could also be something they own, such as a device or a token.
Chances are you have probably used 2FA before. For example, when you log on to some online service, on top of asking for your username and password, the system sends a numeric code to your phone, and you have to enter the code in the browser to gain access to your account.
Why is 2FA important?
There are two main benefits of using 2FA. The obvious one is that it provides another layer of security, so when your password is compromised, whether it is guessed, hacked, or phished, which happens A LOT, your data is still protected. The second is that 2FA acts as an alarm: when you receive a request for a code, your fingerprint, or your token, you ask yourself, did I initiate this login process, or is someone trying to break into my account? This keeps the user engaged in the security of their information.
Types of 2FA
SMS codes are one of the most common 2FA types because, other than a phone, no other hardware or phone app is required. The system usually sends the SmartCode through SMS to the user, who then types it into the system to log in. However, this is also the least secure 2FA type because it relies on a phone line, which can be compromised.
Similar to the SmartCode, an authenticator app requires the user to type in a one-time passcode. However, instead of receiving it through SMS, the user gets the code from a smartphone app. This is more secure than delivery over a phone line and is much harder for hackers to intercept.
Code generating tokens
This might be one of the oldest forms of 2FA. Tokens are usually small, battery-powered, keychain-like devices that generate a string of code when prompted. The user then types the code to log in. The benefit of this type of 2FA is that the codes are hard to intercept and therefore more secure. The downside is that small devices like these can be misplaced easily. If the token is not used very often, the user might not have it with them at all times, and when they need to use it unexpectedly, it becomes a hassle to get hold of the token.
Another issue is that these tokens often run on batteries and, in a lot of cases, the batteries are not replaceable. When the token runs out of battery, the user has to replace the entire device. Timing the replacement so that there is no gap during which you cannot log in is troublesome to many. Providing these tokens also adds cost for the service provider.
Due to these downsides and the popularity of smartphones, companies such as HSBC Canada have been transitioning from tokens to authenticator apps in recent years.
Security keys, also known as Universal Second Factor (U2F), typically use small USB devices to authenticate. This means you don’t have to type in any special codes. Simply connect your device when prompted to allow the login. The benefit of using these security keys is the convenience of not having to type anything extra. These devices are usually pretty durable and either have a very long battery life or do not require a battery at all. The downsides are similar to those of code generating tokens: they are very easy to lose, and they come with additional hardware cost for the service providers.
Instead of a token that generates a code, biometric 2FA requires the user to provide a piece of information that only the user themselves can provide, such as fingerprints, retina scans or face recognition. This type of 2FA is still in its relatively early stages, but at this point in time, it is very secure because hackers have yet to figure out a way to exploit it. This method of authentication takes advantage of modern technology on our phones, such as fingerprint readers or face recognition cameras. As more and more devices are equipped with these features, this type of 2FA is growing in use.
Do you need 2FA?
If you provide some type of service online that stores any user information, such as birthdays, phone numbers, email addresses, or credit card information, the answer is yes. Identity theft has become a low-risk, high-reward type of crime that is growing fast. We all know that having a secure password is important, but unfortunately, the vast majority of consumers either don’t use a secure password or use the same password across many different services.
On a consumer level, having some type of 2FA can protect their information from being stolen. If your business was targeted by hackers and they were able to steal all your customers’ information, that would hurt the business. On a corporate level, having some type of 2FA for your employees or team members when they access the system is a cost-effective way to reduce the risk of having security breaches in your company, both internally and externally.
Two-factor authentication is not something new. More and more businesses are utilizing 2FA to increase security and reduce the risk of data breaches. From tokens and smart codes to authenticator apps and biometrics, 2FA is being used in our everyday lives. With ever-more-sophisticated cybercrime happening every day, identity theft and data breaches are bound to get worse. Old Moon Digital strives to keep ourselves and our clients as safe as possible. If you have any questions about two-factor authentication, or if you are not sure which type of two-factor authentication fits your needs, please contact us and we will be more than happy to help you achieve your goal.