Two-factor authentication (2FA), or multi-factor authentication, plays an important part in account logins and account recoveries. It aims to prove that the person trying to access an account, really is who they say they are. In a previous blog, we looked at why passwords alone aren’t sufficient, and 2FA goes some way to mitigate some of the risks of a password-only approach. But is it the best solution?
2FA typically takes one of three forms: something you know, something you have, or something you are. However, the effectiveness of these different methods varies wildly. Some offer little more protection than a password, while others offer a poor customer experience, or put too much onus on the businesses to facilitate and maintain.
In our current climate, it’s more important than ever to have an effective solution in place to ensure customers have a secure login and account recovery experience. Remote is the new normal, so customers need access to online services more than ever. As a business, you want a solution that is easy to use for your customers, but also protects them from account takeovers.
What are the different types of 2FA?
As we’ve seen, the different types of 2FA are broadly categorized into three groups:
- Something you know
- Something you have
- Something you are
The first category, something you know, includes factors like a personal identification number (PIN), an answer to a ‘secret question’, or a specific keystroke pattern.
The second category, something you have, is typically a physical item that you’d have in your possession. For example, a credit card, a smartphone/device, a hardware token, or a software token. Smartphones and devices are often used as part of SMS-based 2FA, where a user is sent a one-time password or PIN, which allows them to log in to their account. Hardware tokens are often associated with online banking. In the early days, they generated random passcodes, and more recent versions have taken the form of card readers.
Finally, the third category, something you are, is a little more advanced. It makes use of an individual’s biometrics, with methods including fingerprint scanners, face ID, or voice recognition.
How secure is 2FA?
The answer to this question depends on what type of 2FA you opt for. Different methods have varying levels of security and effectiveness. 2FA is more secure than a password-only approach, but hackers who get a hold of the authentication factors can still gain access to accounts.
Let’s first examine the ‘something you know’ approach to 2FA. ‘Secret questions’, otherwise known as knowledge-based questions, have faced criticism in particular. If you make these questions too hard, for example ‘what was the mortgage repayment on your house in 2012?’ people will struggle to remember the answers. It can even be enough to deter customers from using your service altogether. But if you make them too easy—‘what car do you drive?’—it becomes very easy for anyone to find out the answer. This leaves your customers vulnerable to account takeover, and your business vulnerable to fraud.
If we turn to ‘something you have’ as a method of 2FA, we also see vulnerabilities. Hardware tokens have declined in popularity because they put a lot of onus on your business—they are expensive to both produce and distribute. And while nearly everyone carries a mobile device these days, 2FA that relies on a physical item immediately becomes vulnerable if that device is lost or stolen.
Many companies opt for SMS-based 2FA, where a one-time password is delivered to a device, because so many of their customers will have a mobile phone. However, text messages are vulnerable to interception from hackers, whether through phishing attacks, or vulnerabilities to a ‘man in the middle’. There have been several instances of SIM swaps in particular to target high-net-worth individuals. You can read more about SIM swaps in this blog.
Alternatives to 2FA
You want a solution that isn’t easy to hack; that can’t be lost, stolen or forgotten; and is still convenient and straightforward for both your customers to use and your business to implement.
This brings us to ‘something you are’ which makes use of an individual’s biometrics. Providing you have the right technology in place to support it, leveraging biometrics as a form of account login and recovery is one of the most secure and convenient ways to go about it.
After all, it’s incredibly difficult to replicate someone’s biometrics. On the whole, they can’t be hacked or stolen. And your customer is never going to lose something that’s connected to them.
We’ve already seen biometric technology become increasingly popular in everyday life—just think of how we unlock our mobile phones. At Onfido, we believe biometrics will continue to play a bigger role in our lives. Not only as a part of 2FA, and account recovery, but also when it comes to our online digital identities. And we believe this is the case for facial biometrics in particular.
Our solution means that a user can anchor their real identity to an account at sign-up, using a photo ID and a selfie. If they ever need to reaffirm their ownership of that account—whether that’s recovering it, or if risk signals indicate it might have been compromised—all a user needs to do is to snap a new selfie. We simply match it against the photo ID used at sign-up, to ensure it’s the real user regaining access to the account. You can read more about our selfie re-check service here.
To find out more about the different approaches to identity verification, take a look at our Guide to the identity landscape.