Two-Factor Authentication Best Practices
A second layer of protection on top of the password is always a good idea, especially when you want to keep your customers safe from account takeover. Authentication that requires only a username and a password no longer stops intruders, as breaches at several internet giants have shown. Your users will be safer if you implement two-factor authentication through an SMS gateway and send customers a one-time password (OTP) that they must enter in addition to their regular password.
Typically, one-time passwords are four- to eight-digit numeric codes that are valid for a short period of time and for a single interaction, session, or transaction. They make authentication safer because an attacker who has phished or guessed the password also needs access to the phone number the code is sent to: the code is a possession factor. Authentication via OTP gained popularity across industries because SMS is a cheap, easy-to-implement and ubiquitous way to reach customers. The user does not have to install a third-party application to receive the codes, which makes it a user-friendly option.
To set up OTPs, you will need an SMS gateway that supports this authentication method and an application that generates, stores and checks the codes. For SMS delivery the server usually generates each code from a cryptographically secure random source, stores only a keyed hash of it together with an expiry time, and sends the plaintext code in the text message. The alternative schemes, time-synchronized (TOTP) and counter-based (HOTP) generation, derive the code from a shared secret and are what authenticator apps and hardware tokens use. Whichever scheme you choose, the verifier must reject expired codes, accept each code only once and limit the number of guesses.
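As an added example (not code from the original article or from DAS Solutions), here is the server side of the scheme just described in Python: the code is drawn from a CSPRNG, only a keyed HMAC of it is stored, and verification enforces expiry, single use and a guess limit. The SMS gateway is abstracted as a send_sms(phone, text) callback and the SERVER_KEY constant stands in for a key loaded from a secret store; both are assumptions made so that the example runs offline.

```python
"""
Server-side SMS OTP issue/verify. Hypothetical example: the SMS gateway is
abstracted as a send_sms(phone, text) callback so the code runs offline.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300          # short validity window
MAX_ATTEMPTS = 5               # online guessing budget per issued code

# Assumption: in production this is loaded from a KMS/secret store and is never
# stored in the same database as the OTP table.
SERVER_KEY = b"replace-with-a-random-32-byte-key-from-your-kms"


@dataclass
class PendingOtp:
    salt: bytes
    tag: bytes
    expires_at: float
    attempts: int = 0


def otp_tag(code: str, salt: bytes) -> bytes:
    """Keyed digest of the code. Because the key is kept out of the database, an
    attacker who dumps the OTP table cannot brute-force the 10^6 code space offline."""
    return hmac.new(SERVER_KEY, salt + code.encode(), hashlib.sha256).digest()


class OtpService:
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms
        self._now = now
        self._pending = {}   # user_id -> PendingOtp; in production a table with a TTL

    @staticmethod
    def _message(code: str) -> str:
        return f"Your login code is {code} (valid 5 minutes, single use)"

    def issue(self, user_id: str, phone: str) -> None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingOtp(
            salt=salt, tag=otp_tag(code, salt), expires_at=self._now() + OTP_TTL_SECONDS)
        self._send_sms(phone, self._message(code))   # the plaintext code leaves the server only here

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[user_id]                # expired: the user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]                # guess budget exhausted: invalidate the code
            return False
        ok = hmac.compare_digest(otp_tag(submitted, entry.salt), entry.tag)
        if ok:
            del self._pending[user_id]                # single use
        return ok


def demo() -> dict:
    """Exercises the service with a fake gateway and a controllable clock (constructed data)."""
    sent = []
    clock = [1_700_000_000.0]
    svc = OtpService(send_sms=lambda phone, text: sent.append(text), now=lambda: clock[0])

    def last_code():
        return sent[-1].split()[4]      # fifth word of the message is the code

    results = {}
    svc.issue("alice", "+15550100")
    code = last_code()
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code_rejected"] = not svc.verify("alice", wrong)
    results["right_code_accepted"] = svc.verify("alice", code)
    results["replay_rejected"] = not svc.verify("alice", code)

    svc.issue("alice", "+15550100")
    code = last_code()
    clock[0] += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.verify("alice", code)

    svc.issue("alice", "+15550100")
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    results["locked_out_after_guessing"] = not svc.verify("alice", code)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The HMAC key is what makes hashing the code worthwhile: a six-digit code has only a million possible values, so a plain salted hash can be brute-forced in seconds by anyone who copies the table. The attempt limit, not the hash, is what defends against online guessing, and the expiry bounds how long a code intercepted on the SMS leg remains useful.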
Text messages can be delivered in two ways: (1) you can attach a GSM modem to your server with a data cable, or (2) you can send messages through an SMS service provider. With the latter option, text messages are first sent to the short message service center (SMSC) of the service provider and from there, over the provider's connections with other SMSCs, on to your recipients. The leg between your SMS gateway and the provider should be protected, for example by submitting messages over TLS or through a VPN channel to the provider's SMSC, so that codes cannot be read or injected on the way to the provider. The first option avoids that leg entirely, because the modem is part of your own infrastructure and needs no internet connection, and is usually considered the more secure choice; note, however, that in both cases the message still travels unencrypted over the mobile network to the handset. The second option is the better choice if you need to send a high volume of text messages, since a single modem has limited throughput.
SMS-based OTPs are an Option if You Operate in One of these Industries
Everyone understands text messages, so implementing two-factor authentication using SMS will not introduce a steep learning curve for your customers. SMS-based OTPs can be implemented regardless of your industry. Here is a list of industries already using this type of authentication successfully:
- Education and Training
- Food industry
- Travel and Tourism
- Healthcare and Hospitality
- Web Design
- IT and ITeS
- Oil and Gas
- Real Estate
- Media and Advertising
Two-Factor Authentication Use Cases
- Registration
Ask for the user's phone number during registration. Display a message that clearly explains that the phone number will be used only for verification. Then send a one-time password that the user must enter before the new account is activated; this also confirms that the number really belongs to the user before you rely on it as a second factor.
- Password Reset
Fraudsters get into user accounts by phishing or taking over the email address that reset links are sent to, so confirming a password reset with a text OTP adds a second channel the attacker would also have to control.
- New Device
If the user logs in from a different device, a new IP address, or even a new country, you can add extra verification steps such as an SMS OTP. Secret questions are sometimes used for the same purpose, but their answers are often guessable or findable online, so treat them as a weaker check than a code sent to the phone.
- Unusual Behavior
Unusual behavior, such as making a lot of purchases in a short amount of time or from different time zones, can serve as a red flag. Prevent fraudulent activity by verifying whether the actions were really performed by the user before completing them.
- Changing Account Information or Settings
Set up additional verification steps when the user requests changes that could put their account at risk, such as changing the account name, email address or phone number. A phone-number change deserves particular care: it is the channel the OTPs are delivered to, so the change should be confirmed on the current number (or with the current second factor) and never only on the new one, otherwise an attacker who knows the password can redirect all future codes to a phone they control. You can encourage users to opt in to extra verification by rewarding them for adding the second security layer (some companies offer discounts to users who protect themselves this way).
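The triggers in the list above combine naturally into one step-up decision. The following is an added example, not part of the original article and not DAS Solutions code: a small rule set that decides whether an event (login, purchase or account change) is allowed outright or challenged with an SMS OTP, and which number that OTP must go to. The Event and UserProfile types, the thresholds, and the country field (assumed to be derived from the source IP by a geolocation lookup upstream) are all assumptions made for the example.

```python
"""
Step-up decision for SMS OTP challenges. Added example with hypothetical types and
thresholds; `country` is assumed to come from an upstream IP geolocation lookup.
"""
from dataclasses import dataclass, field

SENSITIVE_ACTIONS = {"change_phone", "change_email", "change_password", "change_name"}
VELOCITY_WINDOW_SECONDS = 600   # look back 10 minutes for purchase velocity
VELOCITY_LIMIT = 5              # more purchases than this in the window triggers a challenge


@dataclass
class Event:
    user_id: str
    action: str          # "login", "purchase", "change_phone", ...
    device_id: str       # cookie/fingerprint identifier for the browser or app install
    country: str         # ISO code derived from the source IP (assumed upstream lookup)
    timestamp: float


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)       # devices that passed an OTP before
    known_countries: set = field(default_factory=set)
    recent_purchases: list = field(default_factory=list)  # timestamps of completed purchases


def step_up_reasons(event: Event, profile: UserProfile) -> list:
    """Returns the triggers that apply to this event; an empty list means no challenge."""
    reasons = []
    if event.action in SENSITIVE_ACTIONS:
        reasons.append("sensitive_change")
    if event.device_id not in profile.known_devices:
        reasons.append("new_device")
    if profile.known_countries and event.country not in profile.known_countries:
        reasons.append("new_country")
    if event.action == "purchase":
        recent = [t for t in profile.recent_purchases
                  if 0 <= event.timestamp - t <= VELOCITY_WINDOW_SECONDS]
        if len(recent) + 1 > VELOCITY_LIMIT:      # +1 counts the purchase being attempted
            reasons.append("purchase_velocity")
    return reasons


def decide(event: Event, profile: UserProfile):
    """Maps triggers to an outcome: 'allow', 'otp' (code to the number on file), or
    'otp_to_current_number' for phone-number changes, where the code must go to the
    OLD number so an attacker cannot redirect future codes by supplying a new one."""
    reasons = step_up_reasons(event, profile)
    if not reasons:
        return "allow", reasons
    if event.action == "change_phone":
        return "otp_to_current_number", reasons
    return "otp", reasons


def record_verified(event: Event, profile: UserProfile) -> None:
    """Call only after the OTP was verified: the device and country become trusted."""
    profile.known_devices.add(event.device_id)
    profile.known_countries.add(event.country)
    if event.action == "purchase":
        profile.recent_purchases.append(event.timestamp)


def demo() -> dict:
    """Constructed scenario: Alice usually logs in from device dev-A in NL."""
    profile = UserProfile(known_devices={"dev-A"}, known_countries={"NL"})
    t0 = 1_700_000_000.0
    out = {}
    out["trusted_login"] = decide(Event("alice", "login", "dev-A", "NL", t0), profile)
    out["new_device_abroad"] = decide(Event("alice", "login", "dev-B", "BR", t0), profile)
    # five purchases in the last five minutes, then a sixth attempt
    profile.recent_purchases = [t0 - 60 * i for i in range(1, 6)]
    out["sixth_purchase"] = decide(Event("alice", "purchase", "dev-A", "NL", t0), profile)
    out["phone_change"] = decide(Event("alice", "change_phone", "dev-A", "NL", t0), profile)
    # once the OTP from the new device succeeds, the next login from it is trusted
    record_verified(Event("alice", "login", "dev-B", "BR", t0), profile)
    out["new_device_after_otp"] = decide(Event("alice", "login", "dev-B", "BR", t0 + 1), profile)
    return out


if __name__ == "__main__":
    for name, (outcome, reasons) in demo().items():
        print(f"{name}: {outcome} {reasons}")
```

Two design points carry over to any real implementation: a device or country is only added to the trusted set after the second factor succeeded, never on the strength of the password alone, and a phone-number change is the one action where the challenge must go to the existing number, because that number is the second factor.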
When Is It Better to Use Other Multi-Factor Authentication Technology?
With the rise of fraud campaigns such as Operation Emmental, which targeted banks in Switzerland, Sweden, Austria and Japan, banks are looking for alternatives to OTPs through SMS. During the Emmental operation, millions were stolen from both consumer and commercial bank accounts.
Cybercrooks mislead people into installing fake applications on their devices. In the Emmental case, such apps waited for text messages from banks that contained session tokens, silently hijacked them and forwarded the contents to the attackers' servers. Two further weaknesses of the channel are worth knowing before you choose it: the phone number itself can be taken over through SIM-swap fraud at the carrier, and a code can be phished in real time, because a user who types the OTP into a fake login page hands it to the attacker within its validity window. For these reasons NIST SP 800-63B classifies OTPs delivered over the public telephone network as a restricted authenticator, and high-value applications such as banking increasingly move to app-based or hardware authenticators. Cybercriminals keep finding ways to undermine SMS OTPs, but it is still a considerably safer alternative to the ID-and-password-only option.
SMS two-factor authentication verifies a user's identity in a fast, easy, and non-disruptive way. It is relevant to a range of industries, it is cost-effective and easy to implement, and it works on a global scale. Reach out to a telecom consultant and discuss your two-factor authentication needs.
DAS Solutions Team.