By Anna Korobkina, Business Development Manager, Protectimus Solutions LLP



Carelessness has a way of catching up with us. The large password breaches of recent years showed how exposed our data is once it is stored online; among the most prominent are the incidents at LinkedIn, Twitter, Ashley Madison and Evernote.

Ordinary password authentication is not secure on its own. Most passwords are short, predictable and easy to guess or to crack offline, and people routinely reuse one password across several websites, so a single breach exposes every account that shares it.

The practical answer to this problem is two-factor authentication (2FA). It is already standard at companies that take seriously the risk that their customers' accounts will be compromised and the stolen data sold on the black market.

There is, however, another group of companies that see obstacles to implementing two-factor authentication. Their reluctance usually rests on a few misconceptions about how 2FA works and how reliable it is.

Below we examine six of the most common myths about two-factor authentication and check each one against reality, to see whether 2FA actually delivers what it promises.

Myth №1. If your resource has just suffered a hacker attack, the best and fastest response is to make two-factor authentication the core of your data-protection system overnight.

Reality. A 2FA solution cannot be rolled out across your system in a day or two. To use it, your staff and users need hardware OTP tokens that generate one-time passwords, or at the very least a dedicated 2FA app installed on their smartphones, because the one-time password is required at every login. If 2FA is switched on abruptly, many users will simply be unable to log in: they will not yet have the required device. The fastest fallback is to deliver one-time passwords by SMS, but that still requires a verified mobile number for every customer, and SMS is the weakest delivery channel of those discussed here (see Myth №2). A phased rollout, with an enrollment period and a recovery path for users who have not yet registered a device, avoids locking people out.

Myth №2. Two-factor authentication is immune to common threats.

Reality. Two-step verification raises the bar significantly, but precisely because it guards valuable data it attracts the attention of skilled attackers, and not every form of it is equally strong. The reliability of SMS-based 2FA depends on the security measures of the mobile operator that delivers the messages: an attacker who persuades the operator to reissue the victim's SIM card, or who can intercept traffic inside the carrier network, receives the codes instead of the user. Malware on the smartphone is the other weak point: some mobile trojans read incoming SMS messages or even voice calls carrying one-time passwords and forward them to the attacker. Codes generated on the device by an authenticator app or a hardware token never cross the carrier network, which removes the first of these risks, although a compromised phone can still expose codes shown on its screen, and a phishing page that relays the code to the real site in real time defeats any one-time password the user types in.

Myth №3. Two-factor authentication is impossible with only one gadget.

Reality. Modern smartphones already handle most of a user's daily tasks, and it is convenient to keep everything at hand. Two-factor authentication providers have noticed this trend and offer the smartphone itself as the OTP token: the user installs an authenticator app such as Google Authenticator, Protectimus SMART or Defender Soft Token, which generates one-time passwords locally from a secret shared with the server at enrollment (usually by scanning a QR code). This eliminates the need for a second device to receive one-time passwords.

Myth №4. The main methods of two-step authentication are all alike and differ only in insignificant details.

Reality. The first 2FA methods relied on TAN-code cards and hardware tokens. Today, authentication by SMS, e-mail and smartphone apps is the norm, especially when it is supplemented with contextual authentication. The idea of contextual authentication is that the system records the environment from which a user normally logs in: which browser and operating system he uses, the color depth and resolution of his display, and so on. A one-time password is then requested only when the user logs in from a different device or a different location. Note that every one of these attributes is reported by the client and can be copied by malware or a proxy, so contextual checks reduce how often users are prompted; they do not replace a genuine second factor.
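As an added illustration of the decision logic just described (this is example code, not a description of any vendor's product), the following Python computes a fingerprint from the attributes the article lists, remembers which networks a fingerprint has completed an OTP login from, and asks for a one-time password whenever either the device or the coarse network location is new. The sample contexts and IP addresses are constructed for the example; the choice of /24 and /64 as the "location" granularity is an assumption.

```python
import hashlib
import ipaddress
import json

# Attributes the article names. All of them come from the client (User-Agent,
# screen.colorDepth, screen.width/height) and can be spoofed or copied by malware,
# which is why a match only relaxes the OTP prompt rather than replacing it.
CONTEXT_KEYS = ("browser", "os", "color_depth", "resolution")


def fingerprint(context: dict) -> str:
    """Stable hash of the client-reported device attributes."""
    canonical = json.dumps({k: str(context[k]) for k in CONTEXT_KEYS}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def network_of(client_ip: str):
    """Coarse location: the /24 (IPv4) or /64 (IPv6) the address belongs to,
    so that a DHCP address change at home does not trigger a prompt (assumption)."""
    net = ipaddress.ip_network(client_ip)
    return net.supernet(new_prefix=24 if net.version == 4 else 64)


class ContextualPolicy:
    """Per-user memory of which device fingerprints have completed an OTP login
    from which networks. An OTP is demanded unless both device and network match."""

    def __init__(self):
        self.known = {}  # fingerprint -> set of networks seen after a successful OTP

    def decide(self, context: dict, client_ip: str):
        """Return (otp_required, reason) for a login attempt."""
        fp = fingerprint(context)
        net = network_of(client_ip)
        seen = self.known.get(fp)
        if seen is None:
            return True, "unknown device"
        if net not in seen:
            return True, "known device, new location"
        return False, "known device and location"

    def remember(self, context: dict, client_ip: str) -> None:
        """Call only after the one-time password for this login was verified."""
        self.known.setdefault(fingerprint(context), set()).add(network_of(client_ip))


# Constructed sample data (not real users or addresses).
LAPTOP = {"browser": "Firefox 45", "os": "Windows 10",
          "color_depth": 24, "resolution": "1920x1080"}
HOME_IP = "203.0.113.45"
HOME_IP_LATER = "203.0.113.200"   # same /24 after a DHCP lease change
HOTEL_IP = "198.51.100.7"

if __name__ == "__main__":
    policy = ContextualPolicy()
    print(policy.decide(LAPTOP, HOME_IP))        # (True, 'unknown device')
    policy.remember(LAPTOP, HOME_IP)             # OTP succeeded, enroll device+network
    print(policy.decide(LAPTOP, HOME_IP_LATER))  # (False, 'known device and location')
    print(policy.decide(LAPTOP, HOTEL_IP))       # (True, 'known device, new location')
```

Because `remember` runs only after a verified OTP, an attacker who copies the victim's browser attributes still has to log in from a network the victim has already used and pass a one-time password once; the profile is a convenience cache for users, not a trust anchor.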

Myth №5. Two-factor authentication is nothing more than an annoying and irritating technical requirement that brings no solid benefit to the business.

Reality. Some companies do treat two-step verification as an irritant, often because what they have deployed can hardly be called an effective second factor. Fingerprint authentication is one example: as practice shows, biometrics is not yet reliable enough on its own, and unlike a password a fingerprint cannot be changed, so once an attacker has obtained a copy of it that authentication method is lost to the user for good. With a considered approach to data protection, however, a company can choose a 2FA method that is convenient for users, inexpensive for the business and secure at the same time; contextual authentication is a good example of two-step verification that stays out of the user's way. Companies that still doubt the need for two-factor authentication should weigh one fact: if their users' money or personal data is stolen, the blow to the company's reputation and budget will cost far more than integrating a 2FA solution would have.

Myth №6. Two-factor authentication is expensive.

Reality. Some 2FA methods are expensive, but by no means all. SMS delivery, for example, costs money for every message sent. It can be replaced with the cheaper alternative of push notifications, or users can be offered a free one-time password generator app for their smartphone; hardware tokens carry a one-off purchase cost but no per-login fee.

Despite the misconceptions, two-factor authentication is a low-cost and effective tool that significantly improves security. When implementing 2FA on your website, though, think about your customers and what they can realistically be asked to do: 2FA and its tokens should not feel like a burden. A well-chosen two-factor method is a reliable barrier against account hijacking and does not make your customers' lives harder.