Two-Factor Authentication: What You Need to Know
February 20, 2015 by Marla Hay
best practices, security, social login

As consumers and businesses become more savvy about online security technology, you’re likely hearing more about two-factor technology, and probably wondering what it means for authentication on your own websites and whether it’s something you need. We can help you navigate these discussions to determine the right authentication strategy for your business. I’ll outline the basics of what it is, and how and when it should be used to improve the security of your site without causing undue friction during sign-in.

What is two-factor authentication?

Two-factor authentication is a method for asserting identity that involves two different mechanisms. Commonly, two-factor uses a combination of something you have, like a cell phone, and something you know, like a password. Two-factor feels like a new technology, but it has actually been around for a while. Every time you withdraw money using a bank card, you’re using two-factor authentication: the bank card is the “something you have” and your PIN is the “something you know.” In the past few years, biometric authentication, “something you are,” has become more common as one of the two authentication factors. This manifests in tools like Apple’s Touch ID, which has replaced the PIN in the iPhone 6.

Businesses are using two-factor authentication to make their applications more secure. Requiring two pieces of information inherently means there is more corroborating evidence that a person is who they say they are. However, just because two-factor authentication is in place doesn’t mean the site or data is impervious to hacking; it just means the hacker has to get through two security features instead of one. If a hacker is in possession of a device and the user has a weak password, that user may still be vulnerable to attack.
Or, if a hacker is able to ascertain the tokens generated by the second-factor device, like an RSA key, they’ve reduced the complexity back to a single factor for those compromised accounts. That doesn’t mean two-factor isn’t a security improvement over a single factor; it just means that authentication needs to be managed in a secure way even when two-factor is in place.

Do you need it?

As two-factor authentication has become more common, businesses are increasingly looking into whether it’s something they should add to their consumer-facing sites. Because it adds an extra step to the authentication process, there are concerns about whether two-factor means a trade-off between usability and security.

First, consider that many social identity providers already offer two-factor authentication for their users. This means that if your customer wants the security of two-factor authentication and your site offers social login, your customer already has the option of adding two-factor to their account. This is an efficient way for consumers to protect themselves while avoiding the usability trade-offs of forcing every site to offer a different version of two-factor authentication.

Then, consider the security needs of your particular site. If the security goals for your site outweigh a marginal increase in friction, two-factor may be a good solution. Even in that case, there are methods for mitigating friction, like detecting a user’s registered device, which lets them bypass device validation.

Finally, if your site has multiple layers of access, consider using two-factor as a method to step up authentication only when a consumer attempts to move into a higher-security area.

For those sites where two-factor authentication is needed, Janrain offers the ability to establish a second factor on top of social authentication or authentication.
Through SMS messages, Janrain prompts the user to validate that they are currently in possession of a mobile device, by validating a code sent to their registered mobile number. To learn more about how this works for your business, contact your Janrain account manager or firstname.lastname@example.org.
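As an added illustration, not Janrain's code and not part of the original post, here is a Python sketch of the two ideas above: the step-up policy (challenge only for higher-security areas, skipped on a registered device) and a server-side check of an SMS code that stores only a salted hash, expires it, caps wrong guesses and makes it single-use. The area names, the five-minute lifetime and the three-attempt cap are assumed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300          # assumed policy: SMS code valid for five minutes
MAX_ATTEMPTS = 3                # assumed policy: lock the challenge after three wrong guesses
HIGH_SECURITY_AREAS = {"billing", "account_settings"}  # hypothetical step-up areas


def needs_second_factor(area: str, device_id: str, trusted_devices: set) -> bool:
    """Step up only when entering a high-security area, and skip the step when
    the request comes from a device the user has already registered."""
    return area in HIGH_SECURITY_AREAS and device_id not in trusted_devices


def _digest(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked session store does not expose live codes.
    return hashlib.sha256(salt + code.encode()).digest()


class SmsCodeChallenge:
    """One possession check: a random six-digit code sent to the registered number."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.code = f"{secrets.randbelow(10**6):06d}"   # hand to the SMS sender, then drop it
        self.salt = secrets.token_bytes(16)
        self.digest = _digest(self.code, self.salt)
        self.expires_at = clock() + CODE_TTL_SECONDS
        self.attempts = 0

    def verify(self, submitted: str) -> bool:
        """True exactly once, for the right code, before expiry and before the guess cap."""
        if self.attempts >= MAX_ATTEMPTS or self.clock() > self.expires_at:
            return False
        self.attempts += 1
        # Constant-time comparison of hashes, so timing does not leak the code.
        ok = hmac.compare_digest(self.digest, _digest(submitted, self.salt))
        if ok:
            self.attempts = MAX_ATTEMPTS   # burn the code: a replayed code must fail
        return ok
```

In a real deployment the plaintext code would be handed to the SMS gateway and discarded, with only the salt, digest, expiry and attempt count kept in the session store.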