USA Today reports on the new app Authy, which offers a two-factor authentication service that developers can easily integrate into websites and web apps.
But what is two-factor authentication (2FA)? Many accounts only require a user to type in a login and password. 2FA goes one step further, requiring an additional layer of security. Right now, 2FA is usually optional, and it's most commonly found on banking sites that ask users to enter another passcode or PIN after the initial login.
Authy, like a few other 2FA services, is tied to the user's smartphone. When a user tries to log in to a website, Authy sends a security code to their phone, and the user then has to:
- Open the Authy app.
- Read the numerical code.
- Type the code into the website.
The code expires in 20 seconds, so an attacker who manages to capture one has almost no time in which to use it.
It might seem like a hassle to use your phone anytime you want to log into Gmail, but that's actually where Authy's security benefit comes from. Because the app is linked to your phone, a hacker won't be able to access your accounts unless they've physically stolen your phone or somehow compromised the Authy app.
Regardless of whether Authy takes off, a service like it may end up streamlining two-factor authentication and making it easy for developers to offer a more secure online environment. Because you may need to answer client questions about 2FA, let's go over what developers need to know and what benefits it can offer.
Account Security: How Secure is Two-Factor Authentication?
So the question remains: is 2FA secure? As an IT professional, you know that nothing is 100 percent secure. 2FA accounts are still vulnerable to man-in-the-middle attacks, where an attacker intercepts the user's session data as it passes through the browser or travels over unencrypted Wi-Fi. (For an example of these attacks in action, see our recent report, "Banking Trojans: Not Just for Banks Anymore.")
But with that said, 2FA is more secure than traditional account security, and given its relative ease, it could appeal to both clients who want an additional layer of security and developers who want simple ways to boost their data security.
Should Developers Make the Switch to 2FA?
In our recent article, "In Data Security, Compliance Isn't Enough," we reported that businesses are ready to spend more on data security. IT departments are realizing that they need to do more than follow industry standards; they need to maintain a strong security posture.
If your clients are looking to incorporate 2FA into their business, here's how you should break down the benefits:
- Security. Two-factor authentication is simple and cost-effective. As long as users aren't too lazy, they'll be willing to take a few extra seconds to increase their security.
- Development. 2FA is easy enough to incorporate into your code. Companies like Authy strive to make their service as simple as possible, so that you can copy and paste sample code. For instance, Authy offers client libraries for Python, Java, Ruby, and other platforms.
- Marketing. Having a service like Authy or Google Authenticator allows a client to advertise that their website or service offers 2FA. Many security-conscious users will be looking for these additional levels of security.
What's the downside to 2FA? Certainly, the biggest downside is the inconvenience, however slight, that 2FA imposes on users. Many businesses are hesitant to make it harder for customers to log in to their site. Think of Amazon's 1-click purchasing service. Two-factor authentication, regardless of how streamlined it is, still forces users to take an extra step.
As a developer, make sure you talk through these specs with your client before you begin the project. Run various security options by them and give them the opportunity to weigh in. Documenting their choices can help you avoid validation / verification disputes down the road and limit your liability.