After this story was scheduled to publish, news broke of a security breach at Reddit. Ars Technica wrote that phone-based 2FA was to blame, and even Reddit conceded that perhaps their 2FA wasn’t as secure as they had hoped.
We think security experts know both the benefits and the drawbacks of phone-based 2FA, and have always had to make certain trade-offs. We discuss this “balancing act” below.
Imagine doing business online as working an old-fashioned balance scale. In one of this scale’s baskets are quick access, ease of use, and all the other convenience-focused features that make online transactions popular. In the other are user privacy and security features that keep user data safe and users themselves confident.
When we talk about “authentication challenges,” we’re really talking about the challenges businesses shoulder as they attempt to balance those two critical baskets. Put too much “stuff” in one and users have to jump through a number of hoops just to purchase dish towels or send a message. Overload the other and users have no trouble getting into their accounts, but neither do hackers or other malicious users, all of whom flock to lax security like ants to a picnic.
Striking a balance isn’t simple, but it’s one of the most important things businesses and other web-based services can do for their users and for the organization’s own health. Fortunately, new techniques are making the balancing act easier than ever.
A Brief History of Authentication Challenges
For a white-hat set of tools, the earliest days of user authentication have their origin in a black-hat source. Early hackers, wishing to shield discussion of their illegal behavior from automated law-enforcement searches (among other needs), gradually developed a “language” that replaced standard letters with numerals and ASCII characters. This practice became known as “l33tspeak” or “leet speak,” as Network World notes.
Then came the CAPTCHA, a technique that, according to Mental Floss, simultaneously saved the web from anarchy and frustrated legitimate users. The tool presented an image that would look like letters and numbers to human eyes but a garbled mess to bots deployed by hackers. While effective, anyone who has yelled, “That’s what I typed!” after being asked to try again can attest that the practice wasn’t—and still isn’t—perfect.
The above examples are important because they highlight how many security needs come down to stopping automated tools (law-enforcement filters, if you’re a hacker; hackers themselves, if you’re a legitimate user) from achieving their ends. When human hackers devise a technique, the next step is usually automating the process, then deploying it across the internet at speeds faster than huge teams of humans could reproduce.
It should be noted that artificial intelligence in business is not the same as the automated intelligence hackers use. In today’s web, automated tools threaten to undermine everything from e-commerce to personal communications. Authentication challenges can even stymie online games, where bots ruin the fun in the name of modest gains. In one example from Ars Technica, hackers deploying bots to a trivia game where a pot is split among all winners caused payouts to drop from over $30 to just 23 cents.
Letting the Right Ones In
To borrow another comparison, the constant back-and-forth between security/privacy designers and the hackers who wish to undermine them is basically an arms race. One side develops a tool that defeats the other’s techniques, which sends the other side back to the drawing board to return with something even better, and so on. This basic dance has effectively provided the bedrock of the internet’s security structure.
Now, though, the good guys have developed something that’s fairly hard to top in the right context. Enter two-factor authentication, popularly shortened to “2FA.” The tools and techniques under the 2FA banner are built from a basic concept: Even if hackers or their bots have command of one of your accounts (or one of your devices), they likely don’t have access to every account and device in your stable. Like a house door with multiple unique locks, the services require unauthorized entrants to do a lot more legwork to accomplish their illicit ends.
Most web users have deployed some manner of 2FA by this point, even if they don’t realize it. When a financial service texts a code to a user’s registered cell number and asks them to enter it before authorizing access, for instance, two-factor authentication is the driving principle. Moreover, the process is inherently strong at stopping the very weaknesses fraudsters exploit when they deploy bots. Two-factor authentication is:
- Tied to the user: Because a 2FA solution relies on info linked to user accounts, it’s much harder for attackers to reach all the “access points” they need to gain entry.
- Harder to spoof: Attackers may be able to register false accounts with bots, but getting a unique phone number for every attempt is a different story.
- Distributed: Unlike with other authentication challenges, 2FA solutions remove the login point from the authentication means, creating multiple “fences” for attackers to hop.
- Easy to deploy: While building a 2FA system from scratch is a deeply complex process, the availability of quality APIs ensures any business with authentication needs has fast, affordable access.
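The “text a code, then ask for it” flow described above, shown from the server’s side as an added example (not code from the original article or from any 2FA API vendor). It assumes a hypothetical `send_sms(number, text)` callable standing in for the SMS gateway, and shows the three checks that keep a texted code from being brute-forced or replayed by a bot: a short lifetime, a single use, and a cap on wrong guesses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6
CODE_TTL_SECONDS = 300   # a texted code stays valid for five minutes only
MAX_ATTEMPTS = 5         # after this many wrong guesses the code is discarded


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Server side of the 'text a code to the registered number' step.

    Constructed example: `send_sms` is a hypothetical gateway callable;
    a real deployment would call the provider's API in its place.
    """

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms
        self._now = now
        self._pending: dict[str, PendingCode] = {}

    def issue(self, user_id: str, registered_number: str) -> None:
        # Cryptographically random digits, never derived from user data.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user_id] = PendingCode(code=code, issued_at=self._now())
        self._send_sms(registered_number, f"Your verification code is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]   # expired: user must request a fresh code
            return False
        pending.attempts += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[user_id]   # single use: a replayed code is rejected
            return True
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]   # stops a bot walking the six-digit space
        return False
```

The code is only as strong as the delivery channel; the Reddit incident mentioned at the top is a reminder that SMS itself can be intercepted, so these server-side limits reduce guessing and replay but do not address that risk.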
Turning back to the scales analogy above, 2FA is also light enough not to tip them too far towards the privacy/security basket. Because 2FA APIs are built for customization, businesses can deploy them in the way they feel is most consistent with their customers’ lifestyles; because most web-savvy customers carry multiple devices, reaching into one’s pocket to retrieve a confirmation code through a text message adds strong protection against fraud without introducing unforgivable inconvenience.
In all, these advantages are why so many services protecting sensitive customer information—from banks and healthcare systems to online gaming platforms—have deployed 2FA to help lessen their growing list of authentication headaches. As a means to combat fraud or a simple way to keep consumers safer, it hits just the right notes without “tipping the scales” so far that users feel hassled every time they need to log in. Businesses looking to up their security without weighty technical complexity would be well-advised to explore an API—before the bots come calling.