A string of high-profile security breaches in recent months, most notably at TalkTalk and Three mobile, reflects the ever-present and ever-growing threat to the security of billions of online accounts. Breaches compromising the sensitive details of hundreds of millions of users have become a near-commonplace event today.
In an attempt to address this threat, many companies advise users to select complex, unique passwords for each account they own and recommend changing these passwords on a regular basis. However, vast numbers of consumers tend to reuse old passwords or choose weak ones, in spite of the risk this poses. “123456” and “password” have topped SplashData’s annual “Worst Password” report as the most commonly used passwords, five years in a row.
For a while now security commentators and experts have been aware that usernames and passwords alone aren’t enough to protect users. The industry is starting to understand just how important added security is, in particular how important two-factor authentication (2FA) can be.
With the help of cloud communication platforms, companies can easily incorporate 2FA into the user experience. 2FA improves account security by requiring customers to provide a code that is transmitted to their own device. In the majority of cases a mobile device is a far more secure form of authentication than, say, your place of birth.
Unfortunately, despite the better security offered by 2FA you need only pay a visit to TwoFactorAuth.org to see how many businesses have yet to introduce a second tier of authentication.
SMS vs push notification
As a recent Microsoft study attests, adding new steps to the log-in process can be a risky business. Security fatigue can occur, frustrating the user to the extent that they may even decide to stop using their account. For this reason, businesses have traditionally shied away from clunkier, though stronger, security. The research conducted by Microsoft found no substitute security method easier to use, or to implement, than passwords. They wrote, ‘Marginal gains are often not sufficient … to overcome significant transition costs’, concluding that the ‘funeral procession for passwords’ is likely still years away.
To showcase this issue, let’s look at the most popular method through which two-factor authentication is achieved: SMS. Users are sent an SMS verification code to their phone number and are then asked to enter that code into the website. Whilst this provides a stronger form of security than a username and password alone, businesses remain focused on converting as many website visitors as possible, and an extra step in the flow can seem counterproductive.
Whilst there is no reason to avoid SMS verification in low-risk communications (for example, a text to let you know that your taxi has arrived), this type of communication, which is unencrypted by default, remains less well suited to high-risk communications. Luckily, the security industry is always trying to devise strong security measures that consumers will actually want, and be willing, to use. In the past year and a half, a new form of 2FA has appeared, based on a technology we are already familiar and comfortable with: push notifications.
Unlike SMS, a push notification can open an end-to-end encrypted exchange between the app and a secured authentication service; this “push authentication” request is delivered to your device over the internet. Simply replying to the push triggers secure software that presents the intended message to the device owner. And instead of only being able to transmit a random numerical code, a push notification can include context in the authentication request. For example:
“An attempt to sign in to your account has been detected in Lapland. Is this you?”
Reactive fraud alerts only notify the victim of the illicit action, but a push notification gives the user the power to respond immediately and even prevent the attack from taking place. Most businesses should be considering push notifications in cloud-based authentication scenarios because of the added security and versatility that go with them. Push is familiar and easy, and the technology is mature and reliable.
The end of the password era?
In recent months, new forms of push authentication have been introduced into the services of a number of popular and high-profile consumer websites. Yahoo, Google, Microsoft, and even online gaming giant Blizzard are implementing “password-less” experiences, powered by push.
Although this development is fantastic news for the user, it doesn’t present an obvious adoption strategy for businesses that are looking to introduce similar security measures, because each of these solutions aims to serve one particular community alone.
Fortunately, we live in an age of readily available, flexible building blocks for software development that can scale and keep up with growing customer demands and changing business requirements. APIs continue to innovate, altering previously static industries like communications and payments.
What’s more, companies like live-streaming service Twitch and virtualisation leader VMware understand the importance of securing user accounts, which is why they looked to cloud-driven, reliable two-factor authentication layers to further protect their communities.
In your migration to agile, cloud-based development, don’t leave the safety of your customers behind. Instead, give serious consideration to strengthening your security capabilities by implementing two-factor authentication.
Marc Boroditsky – VP & General Manager of Authentication at Twilio.
Marc is a seasoned entrepreneur with 30+ years of computing experience, including 25+ years with startups. He has founded and financed four startup software companies in electronic medical records, authentication and identity management, and successfully completed the sale of the most recent one, Authy, to Twilio and, before that, Passlogix to Oracle. He’s currently the VP & General Manager of Authentication at Twilio.