As criminals become more diligent in their efforts to penetrate users’ defences, businesses must become more active in maintaining their data integrity.
Customers, more accustomed to just sending an email as if it were going by post, might react uncomfortably to any extra steps required. Fortunately, customers are becoming better informed and the process is getting easier.
The objective is to make two-factor identification as easy as possible for end-users while at the same time ensuring that it is difficult for miscreants to bypass it.
Sounds formidable? Relax! Two-factor authentication (2FA) has been evolving to combat those clever crooks.
How Does It Work?
2FA adds an extra layer to authentication protocols. It can come in many forms. Sometimes it is biometric, requiring that a voice, fingerprint, retinal scan or some other unique item be part of the mix.
These need extensive record-keeping and PII (personally identifiable information) storage, which can add significantly to overheads, as well as causing additional security concerns should that storage ever be compromised.
However, while such techniques are possible, they’re not practical in most cases. Instead, institutions such as banks issue unique identity cards to (for example) operate an automated teller machine (ATM). Such cards are useless without the PIN (personal identification number).
This security relies on having a specific item and combining it with a particular piece of knowledge. Bank cards can be lost when a wallet is stolen or misplaced, but the cards themselves are useless without the PIN.
Two-factor authentication augments the traditional ’username’ and ‘password’ paradigm.
Benefits of Two-factor Authentication
Organised gangs, or even solo criminals, have found strategies to trick otherwise smart people into making some strikingly bad decisions such as granting secure access to strangers or sharing passwords.
2FA through SMS makes the process sufficiently difficult for criminals that, by and large, the majority of us are too uninteresting to draw attention.
Eliminating a Step
The IoT, or Internet of Things, has been a great boon to humanity (as well as a bane, in some instances). It means that 5 billion smartphones are currently in use plus innumerable other devices that can receive SMS messages.
According to current estimates, 2½ billion Earthlings carry at least one smartphone (aside from all our other devices).
It’s with us almost all the time, within easy reach, and we have become quite reliant on it.
2FA services don’t have to issue discreet identification tools; nor do they have to store unnecessary information about individuals.
We can still have names and passwords, but now, having thus identified ourselves, the service can use SMS authentication to send us a text message with a temporary PIN that expires in just a minute or two.
You now know something (name and password) and have something (your phone), so you can proceed. What could be easier?
Fears Away, Customers Will Use It
Some companies think customers will rebel and take their business elsewhere. As proof, they often point to the fact that only 10% of Gmail users turn 2FA on – or, more particularly, 90% do not.
While using 2FA is undoubtedly a good idea, you need to be aware of the paradigm that is at work here. People often use a security company or private ISP email service for their ‘important’ mail, and Gmail to absorb SPAM and provide communication with untrusted websites.
Those that use it for ‘everything’ tend to take more care; for the remainder, it isn’t worth the extra effort.
Customers Are Now Demanding 2FA for Financial Transactions
When it comes to moving money about, on the other hand, customers tend to be much more particular and to take advantage of additional security measures.
If you don’t offer SMS authentication services, they will move to another provider. Popular websites such as Amazon, LinkedIn, PayPal and DropBox require 2FA for financial transactions from unknown devices, or for exchanging PII.
For convenience, you’ll frequently find little checkboxes that say ‘Trust this device’, which means that future transactions through that device are automatically trusted.
If you borrow a friend’s tablet to log into your bank account, you will be required to obtain a one-time and time-limited authentication code, but on your registered device, it will merely be a matter of using your usual password and name.
Some sites require that you certify a device just once; others monthly, or annually. High-security sites require 2FA at every single login.
Challenges of Two-Factor Authentication
2FA is not a panacea because expert hackers can do SMS interception and instant call-forwarding – all this to send the resultant code elsewhere.
However, ‘Don’t panic!’, as Douglas Noel Adams once advised us. It takes a massive amount of work, and it is usually restricted to dishonest employees within a GSM service provider, to create these exploit opportunities.
When there is significant gain to be had, crooks are willing to expend more effort.
Those transferring tens of thousands or millions (or in the case of celebrities, all their nude photos) need to take additional precautions, but that doesn’t concern the majority of the population.
Some systems are intrinsically weak or guarded by customer service representatives who are far too anxious to reset passwords. It’s likely best to stick with reputable companies using a name-brand service.
Of course, 2FA can be problematic for people who feel obliged to obtain a new smartphone every year. They must update all their accounts, identifying the new device (adding new and deleting old permissions), before they can access them seamlessly. Such is the cost of always having the latest technology…
More Tools for 2FA
You might think there are better tools to be had. There are app tools, such as Google Authenticator (see a working test example here), that are proof against ‘SMS interception’, or, if you are an Apple-fan, PUSH notifications that don’t use the SMS system either.
You can use something like that if it appeals to you. In high-security environments, there exist even stronger tools, and they are frequently used when necessary.
You may have heard about a USB-like key-fob device that generates a random password on request, for instance. This is useful for an organisation but considerably less so for dealing with thousands of members of the general public.
The Takeaway
All of these are great systems and overcome any perceived weaknesses of SMS-driven 2FA. The truth, however, is that said weaknesses are minor and not necessarily intrinsic. The blame nearly always lies with the implementation of the protocols by individual communications companies.
Those flaws will become academic in time as we move towards eliminating vulnerabilities in exploited protocols like SS7 (used to enable roaming on different phone networks).
SMS is an excellent option because people already understand it very well, it’s ubiquitous and it complicates hackers’ lives.
Protect yourselves and your clients, as we’ve done for Cloud Data Service, a web and software development agency that relies on SMS 2FA security to make sure its clients’ information remains private.
If you want a reliable, secure communication channel for your clients, connect with one of our TextMagic experts via our Online Contact Form or register for a free trial, so you can see how it works for yourself!