The online world delivers instant access to unlimited shopping choices, nearly unlimited information, and global communications. It also offers an unprecedented degree of anonymity. This anonymity can be a blessing, but it also gives bad actors more places to hide as they work to steal information or to profit from scams and fraud.
To solve this problem, many companies have turned to user authentication technologies. Secure authentication is an effective method to protect your customers from stolen accounts and information. But how do you know what authentication method is right for your systems, infrastructure, and network?
What’s the difference between two-factor authentication (2FA) and multi-factor authentication (MFA)? Multi-factor authentication means using more than one user authentication factor and 2FA means using two different factors. MFA might mean two factors, or it could be more than two. So, 2FA is MFA, just at its most basic level.
There are three major categories for authentication factors: Knowledge (something the user knows), Possession (something the user has), and Inherence (something the user is).
The most common second factor used today is an SMS one-time password (OTP). While SMS has its fair share of criticism in the security world, its popularity is anchored in two key advantages over other forms of Possession factor:
As the leader in SMS 2FA, TeleSign is a strong believer in using multiple authentication factors for better platform security. But you’re probably wondering if you need more than two.
It's a natural question to ask. If two factors are good, three must be better, right? The truth is that each authentication type has its strengths and weaknesses. When it comes to the Knowledge factor, emails and passwords offer minimal friction to end users, but this information can easily become leaked and security questions can be guessed.
For Possession, with the widespread prevalence of smartphones, access to SMS passwords is easy, but these devices can be hijacked or phished. Other types of Possession require users to carry a separate physical device that generates a code or a fob to plug in for hardware authentication.
And when it comes to Inherence and biometric authentication, it’s very difficult to steal a thumbprint or face scan. But biometric technology is still expensive, can leave you vulnerable to biometric data breaches, and still has some level of inaccuracy.
As we know, you can’t ever achieve 100% platform protection all the time. It’s simply not possible. Innovative bad actors will always work to find workarounds and flaws. What you can do to prevent unauthorized access, fake accounts, and potential fraud is to layer identity and authentication measures that balance your security needs with user experience and conversion.
You might have heard people saying that SMS 2FA is not enough. In fact, you might even have heard that from us. Two-factor authentication only verifies “existence” and “possession” of the phone number; it doesn’t check whether the account itself is risky. So, even if you’ve successfully authenticated a user with 2FA, it’s not always enough on its own to prevent account fraud.
2FA does a lot of the authentication heavy lifting, but it can’t protect against everything. Phishing, social engineering attacks, session hacking, man-in-the-middle attacks, and other types of scams are all real threats to your platform security and won’t always be stopped by implementing 2FA.
You might be thinking: “If two factors aren’t enough, should I deploy all three methods of authentication: Possession, Knowledge, and Inherence?”
Maybe, but not necessarily. Adding verification measures improves confidence in the identity of your user. However, additional factors and challenges add more friction to registrations and logins, which can negatively affect conversion and user experience.
With all that in mind, the question you should be asking isn’t “what’s the best authentication method?” but instead is “how can I achieve the most platform security without adding too much friction for my end users?”
While SMS 2FA is not enough on its own, one-time SMS passcodes are still very effective at stopping many types of account theft and fraud. The prevalence of SMS makes it the simplest, most cost-effective way to reach the most users with minimum friction. But, will adding an additional factor check or challenge work for you?
Biometrics are certainly emerging as a viable second or third factor of authentication. But, today, they’re still expensive, and not as easy to deploy as other options. Adding additional knowledge challenges, or another possession challenge is an option, but these will also add friction.
When balancing friction with security, the best approach is a risk-based solution. In other words, you assess the risk of the account, phone number, or other identifying information, and you challenge users for more information or additional authentication only when that assessment shows elevated risk.
Digital Identity solutions like phone number reputation scoring can help determine individual risk-level for each user and phone number on your platform. With phone number reputation scoring, multiple behavior signals associated with that number are analyzed to achieve greater accuracy in identifying risky behavior and security threats to your system.
Mobile devices are an ever-present part of our society these days, and phone numbers are almost always required for new account registration. By using data inherently tied to the phone numbers you’re already collecting, you can immediately understand risk signals that point to SIM swap fraud, mismatched ownership, and more, and use them to approve, reject, or challenge the user for more information.
The benefits of layering on risk scoring and digital identity go beyond just knowing whether you should approve a new account. Digital Identity solutions like TeleSign’s Score and PhoneID can help identify potential SIM swap fraud, account access from suspicious locations, mismatched account and phone number ownership, and more. These signals help protect you and your users from account takeover attacks during password resets, new user registrations, and transaction approvals.
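The risk-based step-up described in the last few paragraphs, as an added example that is not TeleSign’s code or API: a constructed policy function that maps a phone number’s risk signals (reputation score, recent SIM swap, ownership match, location) plus the type of event to approve, challenge with an SMS OTP, or reject. The `Action` and `PhoneSignals` types, the 0..1000 score scale, the thresholds and the sample events are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    APPROVE = "approve"      # let the request through with no extra step
    CHALLENGE = "challenge"  # step up: send an SMS OTP before continuing
    REJECT = "reject"        # block and route to manual review

@dataclass
class PhoneSignals:
    """Constructed risk signals for the phone number on the account."""
    score: int                        # 0 = trusted .. 1000 = very risky (assumed scale)
    sim_swap_days_ago: Optional[int]  # None if no recent SIM change was seen
    ownership_match: bool             # number is tied to the account holder
    suspicious_location: bool         # access from an unexpected region

# Constructed thresholds; a real deployment tunes these against its own data.
REJECT_SCORE = 900
CHALLENGE_SCORE = 600
SIM_SWAP_WINDOW_DAYS = 7
SENSITIVE_EVENTS = {"password_reset", "transaction_approval"}

def decide(event: str, s: PhoneSignals) -> Action:
    """Map one event plus its phone signals to approve / challenge / reject.
    Order matters: hard stops first, then step-up, then frictionless approve."""
    recent_swap = s.sim_swap_days_ago is not None and s.sim_swap_days_ago <= SIM_SWAP_WINDOW_DAYS
    if s.score >= REJECT_SCORE:
        return Action.REJECT
    # A SIM swap right before a reset or payment is the classic takeover pattern;
    # an SMS OTP would reach the new SIM, so SMS is the wrong step-up here.
    if recent_swap and event in SENSITIVE_EVENTS:
        return Action.REJECT
    if recent_swap or not s.ownership_match or s.suspicious_location or s.score >= CHALLENGE_SCORE:
        return Action.CHALLENGE
    return Action.APPROVE

def run_sample() -> dict:
    """Constructed events, not real traffic; returns decision per event."""
    clean = PhoneSignals(120, None, True, False)
    swapped = PhoneSignals(300, 2, True, False)
    mismatch = PhoneSignals(450, None, False, False)
    burned = PhoneSignals(950, None, True, True)
    return {
        "login/clean": decide("login", clean).value,
        "password_reset/swapped": decide("password_reset", swapped).value,
        "registration/mismatch": decide("registration", mismatch).value,
        "login/burned": decide("login", burned).value,
    }
```

Only the clean login passes with no friction; every other constructed case either steps up to an OTP or is blocked, which is the frictionless-by-default behaviour the text describes.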
Digital Identity solutions, like phone reputation scoring, all happen instantaneously and invisibly to your users. As a result, they don't introduce needless friction to the account registration or login process, making for a better user experience.
Deploying mandatory authentication methods to keep your customers safe will improve your certainty about the identity of your users. It goes without saying that MFA is a requirement to conduct business in today’s online world. SMS 2FA is still a great option for its accessibility and cost. Adding a Digital Identity solution to measure risk and guide further challenges is a more seamless solution than a mandatory third factor, and it offers a better overall user experience by keeping friction low.
Our recommendation? Stick with SMS 2FA as your primary authentication. But layer it with Digital Identity solutions to help you identify risky users before they ever access your platform.