If you’ve ever had your information hacked, you feel vulnerable to future threats. People who don’t understand cyber threats lose trust in even the most commonly visited websites. Building user trust is an important part of generating business and signups on your site. While two-step verification (also called two-factor authentication or 2FA) isn’t a new type of security, it hasn’t been adopted by many site owners. Two-step authentication can greatly reduce the risk of your customer accounts being hacked. If you store sensitive data on your site, it’s time to consider 2FA for your users’ security.
What is Two-Step Verification?
In the security field, there are three factors for identifying a person: something they know (password), something they have (smartphone or authentication device), and something they are (for instance, a fingerprint). Typically, webmasters ask for the first item — something the user knows, which is a password. With all the successful hacks in the media, the IT industry decided to introduce a way to verify two pieces of information. This is where the term “two-step verification” came from.
2FA involves a password and a device that produces a number unique to the user. Old-school methods used a hardware token that was synced with a server. The token displayed a new number every 60 seconds, generated in step with the authentication server. Users were asked to input their password and the pin shown on the token. The problem was that the server and token would drift out of sync, and users would have to call a help desk to re-sync their device.
Older methods were effective, but they caused overhead for support and hassles for users. These third-party devices were also expensive since corporations were forced to provide each employee with one. The IT industry came up with new 2FA methods, which companies such as Google have adopted.
Since most users have a smartphone, the IT industry introduced a more affordable way to work with 2FA. The idea is that most people have a mobile device and data plan that allows them to receive text messages. You might run into a few users who don’t have cellular service, but the great majority of your users have a data plan that allows them to receive a pin in SMS text messages.
A good example of the proper way to implement 2FA is Google. Google offers 2FA for user accounts to make it more difficult for hackers to gain access to Gmail accounts and services. With 2FA turned on, each device used to access a Google account receives a pin by SMS. Once a user logs in from a computer, they no longer need to enter the second verification code on that machine for several weeks, so each device becomes authorized for a short while. This reduces the hassle of entering a pin with every login attempt, which can be several times a day for busy accounts.
Once the user receives a pin, they can then enter it into the login form. You’ll need to store the number sent with the user’s account name. Each time device authorization is needed, you send a different pin to the user’s smartphone. The pin is stored with the user account, and you perform a lookup during the final authorization step.
To implement two-step verification on your own site, you’ll need an SMS service where you send a unique pin to the user. This pin should only be sent to an authorized number. In other words, the official phone number for the account can receive a pin during the login process but no alternative numbers can be used until a successful login occurs. If a user forgets his password, he must go through security steps to reset it. Sending a password to an unauthorized device leaves your 2FA open to hackers.
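The flow in the two paragraphs above (generate a pin, keep it with the account, send it only to the number on file, look it up in the final step), written out as an added example that is not code from the original article. The SMS gateway is an injected callable, the class and constant names are my own, and the pin is stored as a hash with an expiry, a single-use rule and a guess limit, which are defensive assumptions rather than details from the text.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6
PIN_TTL_SECONDS = 300   # a pin is only valid for five minutes
MAX_ATTEMPTS = 5        # discard the pin after this many wrong guesses


class SmsTwoStep:
    """Second login step: a one-time pin sent only to the registered number."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, text); in production an SMS gateway client
        self.clock = clock         # injectable so expiry can be tested offline
        self.accounts = {}         # username -> phone number verified at signup
        self.pending = {}          # username -> {"pin_hash", "expires", "attempts"}

    def register(self, username, phone):
        self.accounts[username] = phone

    def start(self, username):
        """Generate a fresh pin, store only its hash with the account, and send it."""
        phone = self.accounts[username]   # only the number on file; never a caller-supplied one
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self.pending[username] = {
            "pin_hash": hashlib.sha256(pin.encode()).hexdigest(),
            "expires": self.clock() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone, f"Your login code is {pin}")

    def verify(self, username, submitted):
        """Final authorization step: look up the pending pin and check it once."""
        entry = self.pending.get(username)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(username, None)   # nothing pending, or the pin expired
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[username]         # too many guesses: force a new pin
            return False
        ok = hmac.compare_digest(
            hashlib.sha256(submitted.encode()).hexdigest(), entry["pin_hash"])
        if ok:
            del self.pending[username]         # single use: a replayed pin is rejected
        return ok
```

The password check happens before `start()` is called, so the pin is only ever sent to an account whose first factor already succeeded.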
You might wonder what you get for implementing 2FA. It seems like an easy addition to your site, but adding 2FA to an existing website will take some time, especially once bug fixes are factored in.
If you remember, Heartbleed gave hackers the ability to gain unauthorized access to user accounts. This bug was based on a security breach that affected millions of web servers. If users had two-step verification, Heartbleed wouldn’t affect your site. Hackers could gain access to a user’s password, but they wouldn’t have the pin. Effectively, 2FA blocks common hack attempts. The only way for a hacker to bypass 2FA is to have access to the user’s smartphone.
With 2FA, you offer a higher level of security for your users. When serious security breaches affect a large proportion of the Internet, you’ll know that your users are secure. If you store sensitive information, consider 2FA as a part of your website’s authorization process.