When it comes to system security and protecting your users’ data, there are many approaches and safeguards that you should implement, for example encryption of sensitive data and regular vulnerability scanning to name but a few. Information Security is the responsibility of the company that holds that data, and it has obligations under the Data Protection Act to keep it secure.
So, where does Two-Factor Authentication fit into the equation? As one of many possible security measures, Two-Factor Authentication can play a significant role but only when part of a bigger-picture of security; an important piece of a much larger jigsaw, if you will.
Two-Factor Authentication Makes Customers Feel Secure
At Telecoms Cloud, we conducted a survey recently where 80% of those questioned agreed that if they know a website they’re using doesn’t give them the option of protecting their account with Two-Factor Authentication (for example by sending an SMS), it makes them more hesitant about handing over personal details to that website. And that’s bad for business.
This, I believe, is symptomatic of consumers becoming ever-more tech savvy and as their understanding grows, so too will their demands for the services they use to be secure. Or, perhaps more accurately, they will want to feel that the service is secure.
Problem Solved? Not so fast…
As a company or system administrator, it could be tempting to focus more on not getting compromised in a big way, and overlook the threat of 1:1 password guessing. After all, is it really your problem if someone guesses one of your users’ passwords, or someone gets in because they wrote it down and dropped the post-it note on the tube? Even if it’s “entirely” the customer’s fault, that fact may not get in the way of a good story and the negative publicity could be almost as damaging as if that big breach had indeed happened. And if they don’t feel safe, customers can – and will – vote with their feet.
Equally, it would be foolhardy to presume that simply by adding Two-Factor Authentication to your website or application, you’ve solved all your problems and can sleep easy without worrying about security – far from it, and if the rest of your security approach isn’t up to scratch then the perceived higher level of security could just be masking a multitude of sins and end up with an even bigger problem! So, don’t position Two-Factor Authentication as the central focus of your security strategy.
I like to think of Two-Factor Authentication as the icing on the cake, underneath which is a well thought-out and robust security framework. However, don’t underestimate the icing on that cake; as a sys admin there are still external issues over which you have no control, that all the measures and policies in the world on your site can’t stop, and it’s here that Two-Factor Authentication can help to stop incursions in their tracks.
I’m talking about the cardinal sin of reusing passwords verbatim. If you think none of your users reuse passwords, then wake up – they do. You can have all the vulnerability scanning and encryption in the world, but if one of your users has come up with a really “secure” password that they’ve used on your site and also on another site with less robust security that goes on to get hacked, then there’s every chance the hacker will walk right into your system and steal that user’s information from your database… not via a back-door but via the front door – to which they had a key!
If you need proof of the problem, here it is:
- British Gas logins exposed online (BBC News, 28 October 2015)
- TalkTalk hacking crisis deepens as more details emerge (The Guardian, 23 October 2015)
- Hackers Publish Over 450,000 Emails and Passwords Stolen From Yahoo (PCWorld, 12 July 2012)
Fort Knox vs. the Sitting Ducks
Perhaps your most sensitive logon as a consumer is that of your online banking. Some banks insist on Two-Factor Authentication for logging on and sending any money, whilst others just let you logon with a username and password. It can be argued that these banks may have many other fraud controls beneath the surface, but which makes their customers feel safer and more confident to remain a customer?
Equally, whilst many web systems are set up very securely with all the best practices in the world in place, those that are not can end up undermining everything and everyone.
Whilst some users might find Two-Factor Authentication to be an annoyance, and in some ways it shouldn’t be necessary in the ideal world, over here in the real world where consumers reuse passwords and websites get hacked, it can play an important role in protecting users, and also in making users feel that they’re protected. And as consumers get more and more clued up, they will come to expect and demand a higher level of security, both behind the scenes and in front of the curtain.
If your business relies on customers trusting you with their information, especially if your clientèle is tech-savvy, then can you really afford not to offer Two-Factor Authentication?
If you’d like to add Two-Factor Authentication to your website or any other system, check out the tools available with the Telecoms Cloud API.
