Two-Factor Authentication (2FA) is a process that adds a second layer of security to verify the identity of the user. The first layer is your password. The second layer is a request to provide the correct details of your recovery email address or mobile phone number.
In some cases, the second layer could be in the form of a Captcha, where you’ll be asked to click on images in a box, identify distorted characters, or simply click a button to “prove you’re human”.
Why Do Websites Use 2FA?
Websites use 2FA to make it more difficult for hackers to steal confidential information or take control of a user’s account. Gmail users are no doubt familiar with Google’s 2FA, which is triggered when the service doesn’t recognize the browser being used.
Payment platforms such as PayPal use 2FA and other forms of Multi-Factor Authentication (MFA) to secure the accounts of their users. MFA adds further layers of protection to your account.
Large corporations such as Burger King, Walmart, and Amazon have invested in online portals where employees can retrieve information related to their payroll, benefits, taxes, and work schedules.
These online portals are covered by 2FA systems not only to secure the sites from hackers but also to restrict access from former employees.
What Are The Different Types Of 2FA?
Before we discuss the pros and cons of 2FA, let’s find out the different versions of this process so you can figure out which one is right for your business.
1. Security Questions
When creating an account, a dropdown menu will appear and ask you to choose from a set of security questions. You’ll be asked to select one question and provide the correct answer. In some cases, you’ll be asked to add a second security question and to include the correct answer as well. The second question acts as yet another layer of security.
2. SMS/Email Messages
In our previous example, after you’ve provided your email address or mobile phone number, you’ll be sent a verification code or number which you’ll be asked to enter in a query box before you can access your account.
- First Layer – Password
- Second Layer – Confirmation of Email Address or Mobile Phone Number
- Third Layer – Enter Verification Code or Number in the Query Box
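The server side of the SMS/email flow above, written here as an added example rather than code taken from the article or any particular vendor: the site generates a random code, hands it to the SMS or email sender, and keeps only a keyed hash of it. The code expires after a few minutes, is locked after too many wrong guesses, and is discarded as soon as it is used once. The five-minute lifetime, the five-attempt limit, and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: the code is locked after five wrong guesses


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the code; the clear-text code is never stored
    expires_at: float
    attempts: int = 0


class VerificationCodes:
    """Issues and checks one-time SMS/email verification codes for user accounts."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending: dict = {}   # assumption: in-memory store keyed by user id

    def _digest(self, user_id: str, code: str) -> bytes:
        # Keyed hash so a leaked store does not reveal live codes
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh code for the user and return it for delivery by SMS/email."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingCode(self._digest(user_id, code), now + CODE_TTL_SECONDS)
        return code

    def verify(self, user_id: str, submitted: str, now: Optional[float] = None) -> bool:
        """Return True only for the current, unexpired, unused code; count every attempt."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None or now > entry.expires_at:
            self._pending.pop(user_id, None)    # expired codes are dropped
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            self._pending.pop(user_id, None)    # too many guesses: user must request a new code
            return False
        if hmac.compare_digest(entry.digest, self._digest(user_id, submitted)):
            del self._pending[user_id]          # single use: a replayed code is rejected
            return True
        return False


if __name__ == "__main__":
    codes = VerificationCodes(secrets.token_bytes(32))
    sent = codes.issue("alice")           # constructed user id; code would go to alice's phone
    print("accepted:", codes.verify("alice", sent))
    print("replay accepted:", codes.verify("alice", sent))
```

The `now` parameter exists only so expiry can be tested deterministically; in production it is left unset and the wall clock is used.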
3. One Time Passwords (OTP)
In this type of 2FA, you’ll need an authenticator app in order to scan a QR (Quick Response) code that provides you with a “key”. Enter the key into the authenticator app to unlock a set of unique, one-time passwords. The password generated by this system changes every time.
4. U2F Keys
U2F, or Universal 2nd Factor, is a type of 2FA that uses a physical device to authenticate users who are in the process of accessing supported websites. The physical device is usually a USB key, although there are versions that use a Bluetooth device.
5. Push Notifications
Sometimes when you try to access your social media accounts or subscription services such as Netflix, you’ll receive a notification via email or text that someone is attempting to log into your account, or that the platform does not recognize the device or browser that accessed your account.
You only have to choose between two options – “Approve” or “Decline” – to respond to the notification. Some websites recommend that you change your password immediately if you choose “Decline”.
6. Biometrics
Biometrics use hardware and software that authenticate the identity of the user by scanning a fingerprint or face, or through voice recognition systems.
Because a person’s fingerprint is unique, this type of 2FA is difficult to hack, although, as we’ll explain in the next section, biometric technology has its own set of cons.
The Pros And Cons Of 2FA
A study prepared by the Identity Theft Resource Center revealed that the number of data breaches in 2021 hit 1,111, which was much higher than in 2020 and on a record pace to be the highest number of breaches in one year.
Hacking has become a lucrative business. As the Internet continues to grow, there will be more opportunities for cyber-criminals to launch attacks intended to steal valuable information.
Setting up a 2FA system on your website is a proven method of preventing hacking attempts. While there are obvious benefits to having 2FA available for your website, there are also drawbacks.
1. The Pros of 2FA
- Provides Layers of Security
Don’t underestimate the capabilities of hackers. Just because you have a 12-character password that combines letters, numbers, and special characters doesn’t mean it can’t be deciphered.
Once your password has been uncovered, your account is compromised. 2FA adds another layer of security – and another if you wish – that keeps the hacker off-balance and frustrated.
- Variety Makes Security More Complex
Let’s clear up the misconception that 2FA is the same as Two-Step Authentication. It’s not. 2SA is a process that incorporates control or restriction measures that are of the same type.
An example of 2SA is a website that asks the user to provide both username and password. With 2SA, the probability of one or both of the control measures getting compromised is higher.
However, if you add a distinct factor such as OTP to the 2SA, then the security protocol becomes more complex.
- Cost-Effective Security Solution
SMS-based 2FA systems, OTP, and Push Notification types of 2FA are inexpensive and only require adjustments from the programming side of your website.
Biometric scanning can be expensive based on the features available on your setup but many vendors are open to negotiating the price if you can guarantee the volume of users.
2. The Cons of 2FA
- It’s Not 100% Fool-Proof
If the answers to the questions posed by your 2FA can be found online, then your account can easily be breached.
For example, questions such as “When is your birthday?”, “What is your Mother’s maiden middle name?”, and “Which high school did you go to?” can be found on your online profile.
Meanwhile, answers to questions like “Who is your favorite basketball player?”, “What is your favorite food?”, and “What is the name of your first pet?” can be uncovered by doing a bit of sleuthing on social media.
SMS-type 2FA can fall victim not to hackers but to poor internet service. If there’s a drop-off in bandwidth or the system is undergoing maintenance work, you might not receive the verification code.
Errors in programming could lead to major issues in the future.
For example, if your website only recognizes 7-digit phone numbers, what happens when a user comes from a region that has switched to an 8-digit phone numbering system?
This became an issue with PayPal in the Philippines when the major telecommunication companies added the 8th digit to landline numbers. Users weren’t able to access their PayPal accounts.
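The kind of programming error described above, shown as an added example (not code from the article or from PayPal): a validator that hard-codes a local 7-digit format beside one that normalizes whatever the user typed to the international E.164 form (a leading `+`, the country code, and at most 15 digits in total) before storing it. Once the number is stored in E.164 form, a national change in digit count no longer breaks the SMS step. The minimum length of eight digits, the handling of a leading trunk `0`, and the sample Philippine numbers are assumptions made for illustration.

```python
import re
from typing import Optional

# The brittle check the article warns about: only a bare 7-digit local number passes.
NAIVE_LOCAL_PATTERN = re.compile(r"\d{7}")


def naive_is_valid(number: str) -> bool:
    """Accepts exactly seven digits and nothing else; breaks the day the region adds a digit."""
    return NAIVE_LOCAL_PATTERN.fullmatch(number) is not None


# E.164: '+' then 8 to 15 digits, first digit non-zero. The 8-digit minimum is an assumption;
# the 15-digit maximum is the standard's limit.
E164_PATTERN = re.compile(r"\+[1-9]\d{7,14}")


def normalize_e164(raw: str, default_country_code: str) -> Optional[str]:
    """Strip separators, apply the caller's default country code, and return E.164 or None.

    '00' is treated as the international prefix and a single leading '0' as a national
    trunk prefix (assumption: true for many countries, not all).
    """
    digits = re.sub(r"[\s().\-]", "", raw.strip())
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    elif not digits.startswith("+"):
        national = digits[1:] if digits.startswith("0") else digits
        digits = "+" + default_country_code + national
    if not digits[1:].isdigit():
        return None                      # letters or a stray '+' in the middle
    return digits if E164_PATTERN.fullmatch(digits) else None


if __name__ == "__main__":
    # Constructed sample inputs: a 7-digit Manila landline as dialled before the change,
    # the same number after the extra digit was added, and a mobile number with spaces.
    for sample in ["1234567", "81234567", "(02) 8123 4567", "+63 917 123 4567", "12-34"]:
        print(f"{sample!r:20} naive={naive_is_valid(sample)!s:6} e164={normalize_e164(sample, '63')}")
```

The design point is that validation and storage should use the international form, and the local display format should be derived from it, not the other way round; the SMS gateway then receives a number it can always route.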
- 2FA Can Be An Annoying Experience
Captchas are used to identify if the user is human. Sometimes the images can require a bit more thinking – “Is that a part of the traffic sign on the box?” If your logic doesn’t line up with the intent of the program, it might take a few more minutes to get into your account.
If you’re an elderly person or just someone with poor eyesight, you’ll have a hard time deciphering images on a small screen.
Biometric technology can malfunction. If for some reason the biometric system can’t recognize your fingerprint or face, you’ll be locked out of your account. The same is true if your U2F device isn’t compatible with the computer you’re using.
It’s definitely worth considering a 2FA system for your website. When it comes to site security, you can’t be complacent. Adding another layer of security is always a good idea.
Your choice of 2FA will depend on two considerations – type of business and budget.
If your website doesn’t collect high-level information such as Social Security Number, credit card number, and bank account numbers, using SMS-type and Push Notification 2FA processes should be enough.
However, if your website does collect confidential information, we recommend U2F and OTP types of 2FA systems. It’s also a good idea to add biometric solutions but make sure there’s a built-in feature to override the system if the technology malfunctions.
Keep in mind that 2FA systems aren’t perfect. Having one in place isn’t a 100% guarantee that your website will be protected from hackers. It will deter hacking attempts, but like all security systems, you have to keep your 2FA process updated.
If you want to learn more about 2FA and which type is best for your business, give us a call. We can discuss how to set one up for your website and put measures in place to ensure 24/7 protection.
And if you found our article to be a good read, please go ahead and share it with someone who’s thinking about incorporating 2FA on their website.