The Evolution of 2FA: Balancing Security and Convenience to Best Serve Consumers

June 10, 2021
Written by
Riley Leight
Contributor
Opinions expressed by Twilio contributors are their own

Balancing Security and Convenience to Best Serve Consumers

We all know easy-to-guess passwords put our accounts at risk, and yet crackable combinations—password, 123456, abc123—are still the most common choices users make. 

Point being: security should be top-of-mind for anyone who shares sensitive information online, but user behavior doesn’t always reflect that. Every business has to navigate between two competing truths when building a security strategy: customers believe securing their information is critical, but sometimes don’t want to be inconvenienced in order to protect it.

Thankfully, two-factor authentication (2FA) and multi-factor authentication (MFA) can enhance security where passwords falter. Most businesses offer users 2FA to confirm their identity during account creation, log-in, or when accessing or changing sensitive information, primarily by sending one-time passcodes (OTPs) via SMS.

With the account security landscape evolving and new verification options on the table, you have more options than ever before to build secure, convenient, and personalized experiences for your customers.

Key considerations for building your verification ecosystem

User experience

One of the reasons SMS 2FA is such a popular option is because most people have a mobile device and phone number that can send/receive text messages. It’s convenient, accessible, and quick—all important elements if you want to get users onboard for a security feature. 

Newer 2FA iterations, often known as “push” authentication solutions, also make use of a mobile device, but somewhat differently: instead of texting a code to a phone number, the service sends a push notification, through an API like Twilio Verify, to a mobile app on the user's enrolled device. When users receive the notification, they simply confirm the action in-app or enter a timed one-time passcode (TOTP) that the app displays on screen. Overall, the convenience level of the experience is very similar to SMS.

Push verification can also enhance user experience in a few ways: one is offering users information about the confirmation request they’re receiving (location of a log-in attempt, device type, etc), and another is integrating with a brand’s existing mobile app. Both of these can help users identify which verification attempts are genuine and which might be suspicious while building recognition and trust for your business in the process. 

Data and security

As with any solution, there are security risks to consider when using SMS for 2FA: a code delivered over the telephone network is only as safe as the phone number it goes to, so an attacker who takes over that number (for example through a SIM swap) receives the code, and like any code a user types, it can be phished in real time. Even so, SMS still offers users far more protection than a password alone. Push verification raises the bar through public key cryptography: a private key is generated on the enrolled device and never leaves it, and each approval is a signature over the specific request, so the server can confirm that the response came from that device and not from an unfamiliar one, even if the attacker knows the user's phone number or has intercepted the notification. Because push is integrated into a mobile app, the approval can also sit behind the device's biometric or passcode unlock for further security. The remaining weak point is the user's tap: someone who can trigger prompts may repeat them until one is approved, which is why the request context described above, and an obvious way to deny, matter.
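To make the public-key point concrete for the push flow described in the two preceding sections, here is an added example of a minimal push-approval exchange in Go. It is not Twilio's or Verify's implementation: the in-memory Server, the Challenge layout and the signing-message format are all hypothetical, written for this article. The device enrolls an Ed25519 public key, the server issues a single-use challenge carrying the login context the app would display, the device signs the challenge together with the user's decision, and the server verifies the signature against the enrolled key. A real deployment would carry the challenge over the platform push service and tie it to the pending session.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is the request the server pushes to the enrolled app. Context is
// what the app shows the user so they can spot a login they did not start.
type Challenge struct {
	ID      string // random, single-use nonce
	UserID  string
	Context string // e.g. "Login from Berlin, DE on Chrome/Windows"
	Expires time.Time
}

// Server keeps one enrolled device key per user plus the pending challenges
// (hypothetical in-memory store for the example).
type Server struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string]Challenge
	now        func() time.Time // injectable clock so expiry can be tested
}

func NewServer() *Server {
	return &Server{
		devices:    map[string]ed25519.PublicKey{},
		challenges: map[string]Challenge{},
		now:        time.Now,
	}
}

// Enroll records the device's public key; the private key never leaves the phone.
func (s *Server) Enroll(userID string, pub ed25519.PublicKey) {
	s.devices[userID] = pub
}

// IssueChallenge creates a fresh challenge for a sensitive action.
func (s *Server) IssueChallenge(userID, context string) (Challenge, error) {
	if _, ok := s.devices[userID]; !ok {
		return Challenge{}, errors.New("no enrolled device for user")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{
		ID:      hex.EncodeToString(nonce),
		UserID:  userID,
		Context: context,
		Expires: s.now().Add(60 * time.Second),
	}
	s.challenges[c.ID] = c
	return c, nil
}

// signingMessage binds the user's decision to this exact challenge, so an
// approval cannot be replayed against another request or flipped from deny to approve.
func signingMessage(c Challenge, decision string) []byte {
	h := sha256.New()
	for _, part := range []string{c.ID, c.UserID, c.Context, decision} {
		h.Write([]byte(part))
		h.Write([]byte{0}) // separator so fields cannot run together
	}
	return h.Sum(nil)
}

// Respond is the device side: after the user taps approve or deny, the app signs
// with its private key. In a real app this sits behind the biometric/passcode unlock.
func Respond(priv ed25519.PrivateKey, c Challenge, decision string) []byte {
	return ed25519.Sign(priv, signingMessage(c, decision))
}

// Verify is the server side. The challenge is consumed on first use, whatever the outcome.
func (s *Server) Verify(challengeID, decision string, sig []byte) error {
	c, ok := s.challenges[challengeID]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, challengeID)
	if s.now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.devices[c.UserID], signingMessage(c, decision), sig) {
		return errors.New("signature was not produced by the enrolled device")
	}
	if decision != "approve" {
		return errors.New("user denied the request")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // generated on the phone at enrollment
	s := NewServer()
	s.Enroll("alice", pub)

	c, _ := s.IssueChallenge("alice", "Login from Berlin, DE on Chrome/Windows")
	fmt.Println("genuine device approves:  ", s.Verify(c.ID, "approve", Respond(priv, c, "approve")))
	fmt.Println("replay of same approval:  ", s.Verify(c.ID, "approve", Respond(priv, c, "approve")))

	// An attacker with their own phone cannot forge an approval even knowing the challenge.
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	c2, _ := s.IssueChallenge("alice", "Login from unknown location on Linux")
	fmt.Println("unfamiliar device approves:", s.Verify(c2.ID, "approve", Respond(attackerPriv, c2, "approve")))
}
```

Note what the server never needs here: a phone number. Only the public key and the challenge identifier are stored, which is the data-hygiene point made in the next paragraph.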

Another factor to consider with push authentication is data hygiene: you don’t have to rely on collecting and storing a user’s phone number to deliver verifications. Not only does this enable a simpler data management strategy, it gives users greater control over what personal information they want to share with your business.

Costs

Push authentication doesn’t rely on the telephony network, which means you don’t need to own an authorized number in order to send verifications, and users won’t face possible SMS delivery problems. In general, this can mean greater reliability and lower, more predictable costs when compared to SMS.

However, carriers are currently rolling out new systems and regulations to help make SMS delivery more secure, trusted, and predictably priced—which will help it remain a viable option for your business.