Hackers continue to think of new ways to get around security blocks on websites. Their goal is to bypass your user authentication process and gain access to sensitive data. Two-factor authentication (also known as 2FA or two-step verification) is one way to stop them in their tracks. This article explains two-factor authentication, the security process, and highlights what you need in order to implement it on your site.
If you’ve ever had your information hacked, you feel vulnerable to future threats. People who don’t understand cyber threats lose trust in even the most commonly visited websites. Building user trust is an important part of generating business and signups on your site. While two-factor authentication isn’t a new type of security, it hasn’t been adopted by many site owners – even though lots of sites today let users log in. Two-factor authentication can greatly reduce the risk of your customer accounts being hacked. If you store sensitive data on your site, it’s time to consider 2FA for your users’ security.
What is Two-Factor Authentication?
In the security field, there are three factors for identifying a person:
- Something they know (password)
- Something they have (smartphone or some other authentication device)
- And something they are (for instance, a fingerprint)
Typically, webmasters ask for the first item – something the user knows, which is a password. With all the successful hacks in the media, the IT industry decided to introduce a way to verify two pieces of information. This is where the term “two-step verification” or “two-factor authentication” came from.
2FA involves a password and a device that receives a number unique to the user. Old-school methods used a device that synced with a server. The device displayed a number every 60 seconds, and this number synced with the authentication server. Users were asked to input their password and the pin generated by the authentication device. The problem was that the server and device would go out of sync, and users would have to call a help desk to re-sync their device.
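The time-synced device described above is what RFC 4226/6238 one-time passwords formalise: device and server share a secret and both derive the code from the current time step. The following is an added example (not code from the original post), using the RFC test key as a constructed secret; the `verify` window tolerates small clock drift, and `find_drift` shows the "re-sync" the help desk would perform when the drift grows larger.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by device and server (the RFC 4226/6238 test key);
# a real deployment generates a random secret per user at enrolment.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per code; the hardware tokens described above used 60
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 of the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """Time-based code (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, at // step)


def _candidates(now: int, window: int, step: int):
    """Yield (offset_in_steps, timestamp) for the steps around `now`, skipping
    negative timestamps, which have no valid counter."""
    for delta in range(-window, window + 1):
        t = now + delta * step
        if t >= 0:
            yield delta, t


def verify(secret: bytes, submitted: str, now: int, window: int = 1,
           step: int = STEP) -> bool:
    """Accept the current code and its neighbours so that small clock drift
    between device and server does not lock the user out."""
    return any(hmac.compare_digest(totp(secret, t, step), submitted)
               for _, t in _candidates(now, window, step))


def find_drift(secret: bytes, submitted: str, now: int, max_steps: int = 50,
               step: int = STEP):
    """Re-sync helper for a device that drifted beyond the normal window:
    return the offset in steps that makes the code valid, or None."""
    for delta, t in _candidates(now, max_steps, step):
        if hmac.compare_digest(totp(secret, t, step), submitted):
            return delta
    return None
```

A server that applies the offset returned by `find_drift` to that user's future checks is doing the re-sync the article mentions without a support call.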
Older methods were effective, but they caused overhead for support and hassles for users. These third-party devices were also expensive since corporations were forced to provide each employee with one. The IT industry came up with new 2FA methods, which companies such as Google and Twitter have adopted.
Implementing 2FA
Most users have a smartphone, so the IT industry built 2FA to take advantage of that fact. Mobile phone two-factor authentication is based on users’ cellular service that allows them to receive text messages. You might run into a few users who don’t have cellular service, but the great majority of your users have a plan that allows them to receive a pin in an SMS text message.
To implement two-step verification on your own site, you’ll need an SMS service where you send a unique pin to the user. This pin should only be sent to an authorized number. In other words, the official phone number for the account can receive a pin during the login process but no alternative numbers can be used until a successful login occurs. If a user forgets his password, he must go through security steps to reset it. Sending a password to an unauthorized device leaves your 2FA open to hackers.
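The rule above, that the pin goes only to the number on file and that the number cannot be changed until a login has completed, is easy to get wrong in a rushed login flow. The following is an added example (not code from the original post) with a constructed in-memory account and a stub SMS gateway; the pin is single-use, expires, is discarded after too many guesses, and is compared in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PIN_TTL = 300       # seconds a PIN stays valid after it is sent
MAX_ATTEMPTS = 5    # guesses allowed before the PIN is discarded

@dataclass
class Account:
    username: str
    password_ok: bool        # outcome of the first factor (password), stubbed
    phone: str               # the verified number on file for this account
    pin: Optional[str] = None
    pin_issued: float = 0.0
    attempts: int = 0

sent_messages = []   # stand-in for the SMS gateway; constructed for this demo

def send_sms(number: str, text: str) -> None:
    sent_messages.append((number, text))

def issue_pin(acct, now, requested_number=None) -> str:
    """Start step two only after the password passed, and only to the number
    on file; a different number in the request is refused. Changing the number
    is something only a session that completed both factors may do."""
    if not acct.password_ok:
        raise PermissionError("first factor not satisfied")
    if requested_number is not None and requested_number != acct.phone:
        raise PermissionError("PIN may only be sent to the registered number")
    acct.pin = "".join(secrets.choice("0123456789") for _ in range(6))
    acct.pin_issued, acct.attempts = now, 0
    send_sms(acct.phone, f"Your login code is {acct.pin}")
    return acct.phone

def verify_pin(acct, submitted, now) -> bool:
    """Single-use PIN: gone after PIN_TTL seconds or MAX_ATTEMPTS guesses."""
    if acct.pin is None or now - acct.pin_issued > PIN_TTL:
        acct.pin = None
        return False
    acct.attempts += 1
    ok = hmac.compare_digest(acct.pin, submitted)
    if ok or acct.attempts >= MAX_ATTEMPTS:
        acct.pin = None
    return ok
```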
Customer Security
You might wonder what you get for implementing 2FA. It seems like an easy addition to your site, but adding 2FA to an existing website will take some time, particularly once you count bug fixes.
If you remember, Heartbleed gave hackers the ability to gain unauthorized access to user accounts. This bug affected millions of web servers. If users had two-step verification, Heartbleed wouldn’t have affected their data: hackers could gain access to a user’s password, but they wouldn’t have the pin. Effectively, 2FA blocks common hack attempts. The only way for a hacker to bypass 2FA is to have access to the user’s smartphone.
With 2FA, you offer a higher level of security for your users. When serious security breaches affect a large proportion of the Internet, you’ll know that your users are secure. If you store sensitive information, consider 2FA as a part of your website’s authorization process.
Ehi last time I commented here, it told me that I am a spammer. This is good information. We as programmers need to really take this into consideration. I only want to say that the 2FA work flow needs to be flawless to protect what it is intended to.
Hi Brian,
Sorry about the message calling you a spammer. I know you’re not 😉
That was a temporary glitch in the code of my comments section. I have now fixed it. Thanks for coming back.
I agree that 2FA involves quite a lot to make it achieve its goals. This is just a high level overview of the technology. Maybe someday, I’ll write a more in-depth article and possibly share some code.
I think every programmer should know your blog and I am really going to spread the word. Sometimes, I just don’t have time to go into the details of all the tech stuff that is currently being used, but as a programmer I need to know. And I find that your blog, alongside your frequent posts on Twitter, helps me to just achieve this. Thanks a lot and I just subscribed; keep ’em coming.
Thanks for the kind words Andrews. And thanks for subscribing. There’s certainly a lot more to come 🙂
Watch out for daily updates even.
Take a look at developer.saaspass.com
Supports more 2FA methods including scan barcode, push login, mobile web, iOS SDK and Android SDK. There is a RESTful API and SAASPASS Connect (OIDC) as well.
Please, since Google Authenticator doesn’t back up one’s details on Google Cloud, what other 2FA authenticator app can I use? I mean, one that is not phone based. Like, one that even if I lost the phone housing the app, I can still get codes when I get another phone and the same app.
I have information locked up in an exchange just because I lost access to the email I used to sign up, including the phone number that I used to create the email. All this happened because I lost access to my Google authenticator when I lost my phone.
Hi Euphemia,
Google Authenticator works with many different vendors and services including Twitter, Amazon, etc. The method you need to use to regain access to your account will depend on the specific service you’re using Google Authenticator for. With some services, when you first set up Two-Factor Authentication, you receive a backup code in case you lose your phone. If this is the case, just use that backup code to set up Google Authenticator on your new phone.
If you lost your phone, don’t have a backup 2FA code, and don’t have access to the email used to set up the account, I’m afraid you may need to contact the support guys for the specific service for which you need access. It may take a while since they will need to somehow verify that you’re actually you. But usually, they should be able to help.
Regards!
Thanks Ehi.
I will go for Sim welcome back. That, I think, will help me.