Sign in 101: 2FA and passwordless
Help your users secure their accounts and promote industry-leading digital authentication.
08 April 2019
Account sign-in security is an important and sensitive matter, and digital platforms often put extensive effort into promoting secure login practices, like strong and unique passwords.
While the majority of users are aware that secure passwords are important to protect their accounts, far too often convenience wins over choosing suitable passwords. That makes it easy for bad actors to take over accounts, which reflects badly on your platform and can lead to data breaches or spam.
What is 2FA?
To encourage users to protect their accounts, a variety of so-called two-factor concepts, or 2FA, were developed. The goal of any 2FA implementation is simply to require two separate factors to approve a sign-in. Usually the password is the first factor, and a second factor, supplied after the password has been entered, confirms the login.
As a best practice the second factor should ideally come from a completely different source, meaning it should not be produced on, or accessible from, the same device that is used to sign in.
If an unauthorised third party gains access to a password, and perhaps even to the user's device, 2FA can only prevent the sign-in if the second factor comes from a completely different place that the attacker cannot reach.
One of the first implementations of a second login factor is the SMS-based TAC or OTP, where a one-time password is sent to the user's cellphone via SMS. This method adds more security than a password-only sign-in, but it has several flaws that have led experts to advise against it:
- An OTP sent via SMS can easily fall into the hands of a third party, for example if access to the cell phone is compromised or the message is intercepted on the mobile network
- Sending SMS messages incurs cost for the digital platform
- SMS as a transport is slow and not always reliable, especially when a user is roaming
For those reasons, in recent years many platforms have moved to implementations that are more secure, convenient and reliable for users. One of those is the time-based one-time password (TOTP). It builds on HOTP, the HMAC-based one-time password, an algorithm that generates authentication codes, similar to those sent as a TAC, from a shared secret key.
With TOTP, users usually obtain a 2FA code through a vendor-issued app on their cellphone or computer that is connected to their account. Alternatively, companies like Google offer their own implementation, which other platforms can leverage to offer TOTP through Google's infrastructure.
This form of 2FA is considerably more secure and easy for users to adopt, which enables wide usage and effectively deters bad actors from breaching accounts. Integrating TOTP is also usually a rather easy task for development teams, who can draw on several ready-to-use libraries for common programming languages.
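The HOTP/TOTP mechanism described above, as an added example that is not part of the original post and not esugo's code: HOTP (RFC 4226) runs HMAC-SHA1 over a counter and truncates the result to a short decimal code, and TOTP (RFC 6238) derives that counter from the current time in 30-second steps. The verification routine shows two points a server-side integration needs beyond code generation: a small tolerance window for clock drift between the platform and the user's device, and a record of the last accepted counter so that a code cannot be accepted twice. The secret, account name and issuer in the demo are constructed values; the timestamps used in the test are the published RFC 6238 test vectors.

```python
"""TOTP (RFC 6238) built on HOTP (RFC 4226) with HMAC-SHA1, plus server-side verification."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte selects 4 bytes
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, submitted: str, last_counter: int, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Accept a code for the current interval or its +/- `window` neighbours (clock drift).

    Codes are compared in constant time, and any counter at or below `last_counter`
    (the counter of the last code this account used) is refused, so a captured code
    cannot be replayed inside its validity window. Returns the matched counter, which the
    caller stores as the new `last_counter`, or None if nothing matched.
    """
    now = time.time() if at is None else at
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI, the format authenticator apps read from an enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed enrollment: in production generate the secret with secrets.token_bytes(20)
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.org", "Example Platform"))
    code = totp(demo_secret)
    print("current code:", code)
    matched = verify_totp(demo_secret, code, last_counter=0)
    print("accepted at counter:", matched)
    print("replay accepted:", verify_totp(demo_secret, code, last_counter=matched))
```

The caller persists the returned counter per account; on the next login a code from the same or an earlier interval is rejected even if it is otherwise valid. The `window` value is a trade-off between tolerating clock drift and widening the guessing surface, so keep it at one step unless drift problems are observed.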
How to go passwordless?
With technology emerging, and a lot of development especially in the field of sign-in security, the concept of "passwordless" has been gaining traction in recent months.
In the context of web authentication, passwordless means that the password and/or the second factor are replaced by a single, ideally hardware-based, mechanism.
This can be a fingerprint scanner, if the computer has one built in, or a dedicated secure USB key.
Passwordless authentication has the advantage that there is no password that can be forgotten or fall into the wrong hands, while still providing a higher level of security through hardware and biometric features.
At the same time, passwordless implementations often offer increased convenience and a swift, seamless sign-in experience.
At esugo we often advise our clients on their security needs, analyse them and implement suitable measures to protect accounts, personal data and proprietary information. If you are considering integrating 2FA, going passwordless or other options your business has to increase security, get in touch for a free consulting session via the form below or by email to firstname.lastname@example.org!