At one time, almost all digital accounts were secured with nothing more than a login ID and password, that is, single-factor authentication. This was generally considered sufficient, since very little of value was actually stored digitally and the world was not yet connected. As the internet grew and more important information began to be stored online, a login ID and password alone became insufficient to protect high-value data.
Why Single Factor Authentication Is No Longer Sufficient
The problem with simple login credentials is that they are easily stolen, or simply guessed. People are creatures of both habit and convenience: they tend to reuse the same login ID and password on low-security sites, such as a grocery store loyalty program, as on high-value sites like their bank or credit card issuer. Low-security sites also tend to be poorly protected, so millions of credential pairs leak from them, are sold on the dark web, and are then replayed against higher-value sites (an attack known as credential stuffing). Even when credentials are not stolen, they are often trivial to guess. Every year, SplashData compiles a list of the 100 worst passwords from leaked credential dumps, and every year "123456" and "password" top that list, as they have for nearly a decade.
What is 2FA?
Two-factor authentication (2FA) requires at least two of three distinct categories of evidence, called factors.
The three types of identity verification are:
- Something you know: This includes your login ID and password, but also a PIN or the answers to prearranged security questions. General information such as your address or phone number is known to friends and family and easily obtained by others, so security questions usually ask for things like the name of your first pet, the street you grew up on or a favorite teacher. In practice these are the weakest form of the factor: such answers are often discoverable through social media or public records, and current guidance (for example NIST SP 800-63B) no longer recommends them as an authenticator.
- Something you have: A credit or debit card, a key card or fob, a hardware security key, or a specific registered device. It can also be an account you control, such as an email or mobile phone account that receives a one-time code. Note that an email or phone account is a weaker possession factor than a physical device, because it can be taken over remotely (by phishing or SIM swapping) without ever touching the device.
- Something you are: Every human being has physical characteristics that are specific to them alone. Fingerprints are one; facial geometry and bone structure are another. Even a heartbeat produces a distinctive signature that a smartwatch can monitor and use to unlock other devices for its wearer and no one else.
How Does 2FA Work?
Two-factor authentication requires two of the factors above to verify a user's identity before authorizing access to an account. Today, devices make this so smooth and seamless that most users are unaware that multiple factors are in play. For instance, a user whose device has a fingerprint scanner or facial recognition simply presses a button or holds the device up to their face, and their accounts open. Behind the scenes, a more involved exchange is taking place.
When the device matches the face or fingerprint against the template stored on it, it unlocks a credential kept on the device (a saved password, or a private key held in secure hardware) and presents that credential to the system the user is trying to access. The system verifies the credential together with an identifier or token bound to that specific device. The biometric itself never leaves the device: the device performs the "something you are" check locally, and what the remote system actually verifies is the credential plus the device binding, the "something you have". Together these steps make the login multi-factor.
Login attempts are also monitored for risk signals. When everything is in order, users are granted access immediately. When something is amiss, the system can trigger an additional step. For instance, if a user attempts to log in from a device that is not recognized, a one-time code can be sent to the account holder's phone or email address. This step-up challenge serves two purposes.
If the person attempting to access the account is the legitimate account holder or an authorized user, entering the code grants access and the new device can be remembered. If the person is not authorized, the code arriving on the real account holder's phone or email alerts them that someone is trying to get in. For the challenge to hold up, the code must be short-lived, usable only once, bound to the login attempt that triggered it, and rate-limited so that a six-digit value cannot simply be brute-forced.
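The flow described above (password check, recognized-device check, and an out-of-band one-time code for an unrecognized device), as an added example that is not part of the original article or any vendor's product code. All names, the in-memory stores, the sample user and the `outbox` list standing in for an SMS or email channel are constructed for illustration; a real deployment keeps the state in a database and the signing key in an HSM or KMS.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed server-side state for this example (hypothetical, not a real API).
SERVER_KEY = os.urandom(32)        # signs device tokens, the "something you have"
CODE_TTL_SECONDS = 300             # out-of-band codes expire after 5 minutes
MAX_CODE_ATTEMPTS = 5              # a 6-digit code must not be brute-forceable

users = {}                         # username -> {"salt": bytes, "hash": bytes}
known_devices = {}                 # username -> set of device ids that passed 2FA
pending_codes = {}                 # username -> {"code", "expires", "device", "attempts"}
outbox = []                        # stand-in for the SMS/email channel: (username, code)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": _hash_password(password, salt)}
    known_devices[username] = set()


def verify_password(username: str, password: str) -> bool:
    """Factor 1, something you know. Constant-time compare; an unknown user
    still pays the hashing cost so timing does not reveal whether it exists."""
    user = users.get(username)
    if user is None:
        _hash_password(password, bytes(16))
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def issue_device_token(username: str, device_id: str) -> str:
    """Factor 2, something you have: an HMAC under the server key binding the
    token to (user, device). The client stores it after a successful 2FA."""
    tag = hmac.new(SERVER_KEY, f"{username}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def device_is_recognized(username: str, device_token) -> bool:
    if not isinstance(device_token, str) or "." not in device_token:
        return False
    device_id = device_token.split(".", 1)[0]
    expected = issue_device_token(username, device_id)
    return (hmac.compare_digest(device_token.encode(), expected.encode())
            and device_id in known_devices.get(username, set()))


def login(username: str, password: str, device_id: str, device_token=None) -> str:
    """Returns 'denied', 'granted' (known device) or 'code_required' (step-up)."""
    if not verify_password(username, password):
        return "denied"
    if device_is_recognized(username, device_token):
        return "granted"
    # Unrecognized device: send a one-time code out of band. The same message
    # warns the real account holder if they did not initiate the login.
    code = f"{secrets.randbelow(10**6):06d}"
    pending_codes[username] = {"code": code, "expires": time.time() + CODE_TTL_SECONDS,
                               "device": device_id, "attempts": 0}
    outbox.append((username, code))
    return "code_required"


def complete_login(username: str, device_id: str, code: str):
    """Returns a device token for the now-trusted device, or None on failure.
    The code is bound to the device that triggered it, expires, is attempt-limited
    and is consumed on first successful use."""
    pending = pending_codes.get(username)
    if pending is None or pending["device"] != device_id:
        return None
    pending["attempts"] += 1
    if time.time() > pending["expires"] or pending["attempts"] > MAX_CODE_ATTEMPTS:
        del pending_codes[username]
        return None
    if not hmac.compare_digest(code.encode(), pending["code"].encode()):
        return None
    del pending_codes[username]                  # one-time use
    known_devices[username].add(device_id)       # remember the device
    return issue_device_token(username, device_id)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple", "phone-1"))          # code_required
    _, code = outbox[-1]                                                       # "received" on the phone
    token = complete_login("alice", "phone-1", code)
    print(login("alice", "correct horse battery staple", "phone-1", token))   # granted
    print(login("alice", "wrong password", "phone-1", token))                 # denied
```

The device token is what turns "this phone" into a possession factor the server can check; a tampered or borrowed token fails the HMAC check and the login falls back to the code step, while a stolen password alone never gets past `code_required`.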
Ready for the next step?
Provide your good customers with a sleek, speedy and secure login experience. Choose invisible device-based authentication or multifactor methods that adapt based on a perceived threat.