Hackers continue to think of new ways to get around security blocks on websites. Their goal is to bypass your user authentication process and gain access to sensitive data. Two-factor authentication (also known as 2FA or two-step verification) is one way to stop them in their tracks. This article explains what two-factor authentication is, how the process works, and what you need in order to implement it on your site.
If you’ve ever had your information hacked, you feel vulnerable to future threats. People who don’t understand cyber threats lose trust in even the most commonly visited websites. Building user trust is an important part of generating business and signups on your site. While two-factor authentication isn’t a new type of security, it hasn’t been adopted by many site owners – even though lots of sites today allow users to log in. Two-factor authentication can greatly reduce the risk of your customer accounts being hacked. If you store sensitive data on your site, it’s time to consider 2FA for your users’ security.
What is Two-Factor Authentication?
In the security field, there are three factors for identifying a person:
- Something they know (password)
- Something they have (smartphone or some other authentication device)
- And something they are (for instance, a fingerprint)
Typically, webmasters ask only for the first item: something the user knows, namely a password. With all the successful hacks in the media, the IT industry decided to introduce a way to verify two pieces of information. This is where the terms “two-step verification” and “two-factor authentication” came from.
2FA involves a password and a device that receives a number unique to the user. Old-school methods used a device that synced with a server. The device displayed a number every 60 seconds, and this number synced with the authentication server. Users were asked to input their password and the pin generated by the authentication device. The problem was that the server and device would go out of sync, and users would have to call a help desk to re-sync their device.
Older methods were effective, but they caused overhead for support and hassles for users. These third-party devices were also expensive since corporations were forced to provide each employee with one. The IT industry came up with new 2FA methods, which companies such as Google and Twitter have adopted.
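The time-synced tokens described above work the way the following added example does. It is not code from the article: it implements the standard time-based one-time password algorithm (RFC 6238, built on the HMAC-based RFC 4226) with only the Python standard library, and shows why a verifier needs a small tolerance window when the token’s clock drifts. The secret and timestamps are assumed values (the secret is the RFC test secret); the 30-second step is the RFC default, and a 60-second token like the ones the article describes would use `step=60`.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the time window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, drift_windows: int = 1) -> bool:
    """Accept the code for the current window plus or minus drift_windows.

    A token whose clock is one window behind the server still works; a token
    that has drifted further is rejected and must be re-synced, which is the
    help-desk call the old hardware tokens were known for.
    """
    for k in range(-drift_windows, drift_windows + 1):
        expected = totp(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(expected, code):            # constant-time compare
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: RFC 6238 test secret, server clock at 1111111109.
    secret = b"12345678901234567890"
    server_time = 1111111109
    for token_lag in (0, 40, 300):                         # token clock behind by N seconds
        code = totp(secret, server_time - token_lag)
        print(f"lag {token_lag:>3}s -> code {code}, accepted: "
              f"{verify_totp(secret, code, server_time)}")
```

With `drift_windows=1` a token that is 40 seconds behind (one window) is still accepted, while one that is five minutes behind is not; widening the window trades a little security for fewer support calls, so keep it small.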
Most users have a smartphone, so the IT industry built 2FA to take advantage of that fact. Mobile phone two-factor authentication relies on the user’s cellular service to deliver text messages. You might run into a few users who don’t have cellular service, but the great majority of your users have a plan that allows them to receive a pin in an SMS text message.
To implement two-step verification on your own site, you’ll need an SMS service through which you send a unique pin to the user. This pin should only be sent to an authorized number. In other words, the official phone number for the account can receive a pin during the login process, but no alternative number can be used until a successful login occurs. If a user forgets their password, they must go through security steps to reset it. Sending a password to an unauthorized device leaves your 2FA open to hackers.
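The login flow described above, as an added example that is not part of the original article: the second step sends a random pin only to the number already verified on the account, refuses any other number the login form supplies, and accepts the pin only once, within a short time limit and a small number of attempts. The `send_sms` function, the in-memory challenge table, the `PIN_HASH_KEY` value and the phone numbers are assumptions standing in for a real SMS provider, database and secret store.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PIN_DIGITS = 6
PIN_TTL_SECONDS = 300      # a pin is good for five minutes
MAX_ATTEMPTS = 5           # then the user must start the login over

# Constructed placeholder: in production this key comes from your secret store.
PIN_HASH_KEY = b"replace-with-a-key-from-your-secret-store"


@dataclass
class Account:
    username: str
    verified_phone: str      # the only number that may ever receive a login pin


@dataclass
class PendingChallenge:
    pin_mac: bytes           # keyed hash of the pin; the pin itself is never stored
    expires_at: float
    attempts: int = 0


# In-memory stand-ins for a challenge table and an SMS gateway (assumed).
PENDING: Dict[str, PendingChallenge] = {}
SENT_SMS: List[Tuple[str, str]] = []


def send_sms(phone: str, text: str) -> None:
    """Hypothetical gateway call; a real site would call its SMS provider here."""
    SENT_SMS.append((phone, text))


def _mac(pin: str) -> bytes:
    return hmac.new(PIN_HASH_KEY, pin.encode(), hashlib.sha256).digest()


def start_challenge(account: Account, requested_phone: Optional[str] = None,
                    now: Optional[float] = None) -> bool:
    """Call after the password check passes. Sends a pin to the verified number only.

    If the login form asks for a different number, the request is refused:
    someone holding only the password must not be able to redirect the pin.
    """
    now = time.time() if now is None else now
    if requested_phone is not None and requested_phone != account.verified_phone:
        return False
    pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
    PENDING[account.username] = PendingChallenge(pin_mac=_mac(pin),
                                                 expires_at=now + PIN_TTL_SECONDS)
    send_sms(account.verified_phone, f"Your login code is {pin}")
    return True


def verify_challenge(username: str, submitted_pin: str,
                     now: Optional[float] = None) -> bool:
    """Second login step. The pin is single-use, time-limited and attempt-limited."""
    now = time.time() if now is None else now
    challenge = PENDING.get(username)
    if challenge is None:
        return False
    if now > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
        del PENDING[username]            # stale or locked out: start the login over
        return False
    challenge.attempts += 1
    if hmac.compare_digest(_mac(submitted_pin), challenge.pin_mac):
        del PENDING[username]            # consumed; the same pin cannot be replayed
        return True
    return False


if __name__ == "__main__":
    alice = Account("alice", "+15555550100")               # constructed account
    print("redirect to other number:", start_challenge(alice, "+15555550199"))
    print("send to verified number:", start_challenge(alice))
    pin = SENT_SMS[-1][1].split()[-1]                      # what the user reads off the phone
    print("correct pin accepted:", verify_challenge("alice", pin))
    print("same pin again:", verify_challenge("alice", pin))
```

Attempt and time limits matter because a six-digit pin has only a million values; without them an attacker who already has the password could simply guess. Storing a keyed hash instead of the pin means a leaked challenge table does not hand out live codes.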
You might wonder what you get for implementing 2FA. It seems like an easy addition to your site, but adding 2FA to an existing website will take some time, especially with bug fixes.
If you remember, Heartbleed gave hackers the ability to gain unauthorized access to user accounts. This bug was a security flaw that affected millions of web servers. If users had had two-step verification, Heartbleed wouldn’t have affected their data: hackers could gain access to a user’s password, but they wouldn’t have the pin. Effectively, 2FA blocks common hack attempts. The only way for a hacker to bypass 2FA is to have access to the user’s smartphone.
With 2FA, you offer a higher level of security for your users. When serious security breaches affect a large proportion of the Internet, you’ll know that your users are secure. If you store sensitive information, consider 2FA as a part of your website’s authentication process.