Phone-Based Two-factor Authentication Is A Better Way to Stay Secure

This week, Facebook announced that 600,000 Facebook logins are compromised every 24 hours. In another recent incident, a massive hack hit 760 companies and the IRS, allowing very private information to become public. Even old-school solutions, such as RSA’s SecurID, were hacked in the past couple of weeks.

The growing raft of online security compromises is the reason that companies like Google, Facebook and Intuit are offering their users advanced security options, including text message (SMS) and voice notifications. This form of security is commonly referred to as two-factor authentication because it requires users to demonstrate their identity in two independently secure ways.

In Google, Facebook and Intuit’s case, the two-factor authentication uses both a password and an authentication code from a text message or phone call.

Two-factor authentication with voice and SMS notifications

Here’s how it works, as a user:

  1. You sign up for an online service, and enter your cell (or home) phone number during the sign up process.
  2. Later, the first time you sign in on a new device or browser, the service either sends you a text message with a verification code or calls you and reads the code back to you.
  3. You enter the verification code on the login page and you are granted access.
  4. The service can either ask for this verification every time you log in or only every so often. Google, for example, only requires this verification every 30 days. Other companies will request verification if you make a critical update to your account, such as a password change or changing the shipping address.
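The server side of steps 2 to 4, as an added example (not code from the original post or from Twilio): it issues a single-use code, stores only a keyed digest of it, limits lifetime and guesses, and remembers a verified device for 30 days. `send_sms` is a hypothetical callable standing in for the SMS or voice provider, and the 5-minute lifetime and 5-guess limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300               # assumed: a code is valid for 5 minutes
MAX_ATTEMPTS = 5             # assumed: guesses allowed per issued code
TRUST_TTL = 30 * 24 * 3600   # re-verify a known device every 30 days

class SmsSecondFactor:
    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # hypothetical callable(phone, text)
        self.now = now
        self.key = secrets.token_bytes(32)  # keys the stored code digests
        self.pending = {}          # user -> [digest, expires_at, attempts_left]
        self.trusted = {}          # (user, device_id) -> trusted_until

    def _digest(self, user, code):
        msg = f"{user}:{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def needs_code(self, user, device_id):
        """Step 2: a new or stale device must pass the second factor."""
        return self.trusted.get((user, device_id), 0) <= self.now()

    def start(self, user, phone):
        """Issue a fresh 6-digit code from the CSPRNG and send it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [self._digest(user, code),
                              self.now() + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(phone, f"Your verification code is {code}")

    def verify(self, user, device_id, submitted):
        """Step 3: accept the code once, within its lifetime and guess limit."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self.pending[user]
            return False
        entry[2] -= 1              # count the guess before comparing
        if not hmac.compare_digest(digest, self._digest(user, submitted)):
            return False
        del self.pending[user]     # single use
        self.trusted[(user, device_id)] = self.now() + TRUST_TTL
        return True
```

Without the guess limit a 6-digit code can be exhausted in at most a million tries, so the limit and the short lifetime carry as much of the security as the code itself.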

Facebook has taken two-factor authentication to the next level. The social network not only enables you to require two-factor authentication for logins, but also offers the ability to require it for 3rd Party Apps (such as Spotify and Farmville).

Two-factor authentication with voice and text messages is a powerful layer of security. For a hacker to get into your account, they would need both your password AND access to your mobile device, something that they are not likely to have.

Why should you care about two-factor authentication?

Simple. Lost and stolen passwords, including passwords that IT demands be changed, are responsible for $16 billion of lost productivity.

The standard model of username and password is broken. Your username can be easily guessed (in most cases it is simply an email) and even secure passwords aren’t always secure. Security breaches where passwords are leaked are all over the news.

Last year, Gawker had a terrible security breach where the cracked passwords were posted online. PC World used the data from the breach to analyze users’ password habits.

Here are two mind-blowing takeaways:

  1. Users are typically very careless with their password selection. In the Gawker case, “123456” was the most common password, followed by “password.” Many people used their own name.
  2. Your own employees aren’t much more cautious – most of Gawker’s employees had very common words (or slight variations thereof).

Because many people use the same passwords for many sites, once an account is compromised, a hacker can unleash all kinds of havoc.

Why should you use two-factor authentication with voice and SMS?

When it comes down to it, there are two simple reasons: convenience and cost.

Convenience:

There are over 4.6 billion cell phones in the world. In addition to its ubiquity, the cell phone has become one of the most personal items that we own. Ninety percent of cell phone users are within 3 feet of their device at any given time.

Meanwhile, 72% of adults now send and receive text messages. Most adults and almost all young people are comfortable with SMS – texting an average of five times a day.

With the old model of two-factor authentication, users had difficulty remembering to keep a USB plug or token with them at all times. The phone solves this problem.

Cost:

The cost of two-factor authentication has historically put it out of the reach of most companies, even just to use with employees. But with Twilio voice and SMS, two-factor authentication is so simple and affordable that you can offer it to all of your customers – not just important employees. While previous methods of two-factor authentication cost around $50-$100 per user, Twilio costs 1¢ per text message and per minute of voice interaction, with no contracts, upfront fees or telecom headaches.

It couldn’t be simpler to build and deploy.

Twilio is so easy to use that a Product Manager at Intuit used our platform to build a two-factor authentication prototype in an afternoon. It was launched to Intuit’s production site in under a month.

So what are you waiting for? All you need is access to very basic web programming skills and a Twilio account.

Tell your team about two-factor authentication with Twilio today.

Chip Hanna is the interactive account director at the Balcom Agency, a full service marketing agency based in Fort Worth, Texas.