Multifactor authentication is gaining steam as a default security mechanism for businesses that provide consumer goods and services. With a steady stream of cybersecurity threats and emerging data privacy regulations impacting organizations across financial services, retail, e-commerce and other industries, security has become a critical business issue.
While it may be tempting to simply pick what appears to be the best authentication method for the company’s site, humans can be stubborn, and users may be resistant to certain types. Picking only one option and insisting that all customers use it may lead to loss of business. Instead, offer customers a variety of options and let them choose.
While one selection might be marginally less secure than another, customer choice builds goodwill and maintains a customer-centric strategy. By giving options, business can ensure that when users are in a hurry and suddenly faced with an elaborate setup for a new logon procedure, they won’t leave for a different provider.
With board members and C-level executives paying more attention to data security risk than ever before, IT, compliance and information security professionals are working to batten down the hatches. Multifactor authentication has emerged as go-to best practice. But reconciling strict security measures with usability and experience for consumers is easier said than done.
Customer experience and marketing teams must work with information security as multifactor authentication measures are implemented to strike the right balance between tight security and accessibility. Doing this requires a foundational understanding of the various options for multifactor authentication, so teams can build an architecture that prevents fraud and breach, while maintaining customer satisfaction.
New methods are being developed all the time, so organizations must stay up-to-date and build processes that allow for new approaches to be incorporated as needed. Here are some of the latest new verification methods:
Code sent via SMS: The most commonly used method, this is triggered when the user enters a password into the system and it then automatically sends a code by SMS. The user enters into the code into the system within a prescribed period of time to gain access. This method is simple, it works on any phone (not just a smartphone) and doesn't require data charges. Transmissions can be intercepted by hackers, but these types of attacks are typically not executed at scale.
App-based (not internet reliant): An application generates a code that expires after a prescribed period of time, which is based on a secret key as well as the current time, and the user enters this in the website login form (e.g. Google Authenticator). No network connection is needed, but users must have a smartphone with the proper app installed.
App-based (internet reliant): This option is similar to the method above, but it also sends a notification to the user’s device when the user tries to access the account from an unknown location (e.g. Microsoft Authenticator). This is more secure than an app-based system that doesn't use the internet, but can’t be used without a connection and may incur data charges for the user.
Email verification: Most people have experienced this method when registering for a new service or resetting a password. It is easy to implement, but because it requires the user to log into an email account, it may trigger another authentication moment and can dampen the user experience. This method is not considered among the most secure.
Voice call verification: When a user logs in with a password, the system places a telephone call (usually through an automated system) to verify. This option can be used even with customers that don't have mobile phones, and is often a fallback for users that only have landlines or can’t accept SMS. To use this effectively the authentication solution provider should validate the telephone number and determine whether it can receive a text message, and if not, send a voice call in the language indicated by the country code in the user's telephone number.
Time and place verification: The system uses the customer's geographic location and the times they usually log-in. For example, live data is obtained
by querying the current mobile operator servicing the number which provides information on phone status (whether it's on or off) and roaming details (which country, which carrier) among others. This means the system can check in with the user if they suddenly log in from a completely different location in the middle of the night. This option requires some time and expertise to set up, but can be less invasive to the customer.
Dongle or other device: This option requires that the user have a device that plugs into the mobile phone or the computer, which then generates an access code. Google uses this method and claims that it has eliminated phishing for employees. While this method is very secure, it also requires some expertise on the part of the user, and willingness to take the extra step. While this can work well for employees, there isn't an easy way to issue such a device to customers.
Biometrics: Biological attributes, ranging from fingerprints to retinal and iris scans, are another emerging category of authentication. Biometrics can be very secure, but requires significant effort and expense to set up and maintain. Also, like dongles, while it may be useful for employees, the model doesn’t easily lend itself to deploying across a worldwide customer base.
