Best practices for user verification with the rise of remote work, online learning, and video conferencing
Time to read: 5 minutes
The emergence of the coronavirus, similar to other unexpected crises, is a valuable reminder of the necessity for adaptable systems, technologies, and tools. With business continuity plans, much of what people are accustomed to doing in-person is making a rapid transition to occurring online. But in the midst of this mass migration to remote work, live-streaming activities, and virtual classrooms, it’s vital not to forget about account security.
Here are some common use-cases for user verification and best practices on how to secure virtual interactions:
- Telehealth: While hospitals and healthcare services are stretched to capacity, providers are now caring for patients remotely. HIPAA-compliant video-conferencing tools enable doctors to consult patients digitally by phone or laptop. You'd expect security in this sector to be completely buttoned up, but healthcare is one of the hardest-hit industries for privacy issues, fraud, and data breaches.
One practice we recommend is adding user verification to your web application via a simple application program interface (API). In fact, email addresses verification requests can be completed with an auto-generated token and a single API.
- Family entertainment: With health concerns keeping families at home, adults and children alike are turning to video streaming platforms, such as Netflix and Disney+ for home entertainment.. Beyond movies and television, homebound viewers are also watching virtual tours of vacation destinations, museums, and zoos, and live cooking classes and musical performances. These digital experiences are often free but require the creation of an online account, protected by nothing more than a username and password, which has proven to be prone to abuse.
A universal best practice, which takes just a few lines of code to enable, is to add a second factor to the authentication process to ensure your applications are accepting logins from the right person.
- Online learning: Many colleges and universities, especially those that offer adult education classes, have long been experimenting with online and distance learning. But teachers of preschool, elementary, and high-school — as well as parents of students — had mere days to learn the ropes. In essence, this is online education's moment to shine. After being introduced to new online collaboration tools, more and more schools may be inclined to opt for blended educational experiences that mix in-person lectures with online classes. But, as uninvited digital trolls hijack Zoom video calls to post hate speech, offensive memes, and pornographic images — known as ZoomBombing — educators need stronger online security in their digital classroom. While SMS-based 2FA is probably not applicable to younger students who don't have phones. Parents of school students — as well as adult students — can prove their identity to you by entering a time-based one time password generated from within an authentication app on their access device.
Our recommendation? Building and managing authentication is more secure when you start with a vetted and well-maintained API.
- Working from home: Digital companies — especially those who already embraced a work-from-home or bring-your-own-device (BYOD) protocol — may be the most prepared to navigate the landscape of group video meetings, private video calls, video-collaboration tools, and cloud-based file sharing. But stay-at-home orders are forcing nearly every employer to adopt remote work and flexible schedules. This is proving difficult for enterprise companies who may rely on complex, legacy technologies and out-of-date applications designed for specific needs. Old tech probably uses old security methods, which may be out of favor with the growing millennial workforce. Even collaboration apps that are now common in the workplace — think Slack, Google Docs, Microsoft Team, and Zoom — are often shunned for hipper, but lesser-known (and often less secure) tools. With employees working remotely, companies everywhere are more susceptible to enormous risk, especially if administrative controls and mandatory authentication are not implemented. You’ll want to ensure your employees can authenticate even in the event that someone loses, damages, or upgrades their phone.
Multiple device security enables the same 2FA accounts to sync across laptop, desktop, and mobile devices. Here’s a post you can share with your staff to help them set up multi-device protection using the free Authy authentication app.
- Hiring and Recruitment: At the time of this writing, the United States has seen over seven million newly unemployed workers. Worldwide, the numbers are even more staggering as stay-at-home orders affect tourism, manufacturing, and just about every industry you can imagine. Out of caution, some companies, including digital leaders like Amazon, Facebook, Google, and LinkedIn, are giving job candidates the option to conduct interviews virtually by video conference or delay them until an unspecified date in the future.
Prospective employers should consider using pre-built online candidate verification solutions, or use information from tools like Lookup to help ascertain their candidates’ identities.
- Fitness: As local gym, yoga, and dance studios are shuttered, home-bound patrons are turning to live online video classes to stay healthy and engaged. Sessions are typically arranged by sending members a video-conference URL via email. But what if a member shares that link with other non-members, who can now attend the class without paying?
As a best practice, instructors can verify all participants as legitimate by sending a one-time password (OTP) to the member’s registered phone numbers during the log-in process.
- Banking: Visiting a bank lobby or touching a grimy ATM keypad is not a recommended activity right now. Luckily, banks, money transfer companies, and payment apps have had a significant head-start experimenting with online access for users. But at a time when online transactions are super hot targets for fraudulent activity, digital account security in financial services leaves a lot to be desired with SMS account verification still the global default for financial institutions. Why? Because SMS is relatively easy to implement, simple to deliver, has phenomenal reach, and requires very little end-user education. Unfortunately, account authentication via text message is one of the weakest links in the security chain (offering only slightly more protection than knowledge-based questions).
To better protect logins and transactions, add push authentication, which prompts your users to verify an action, like a money transfer or a purchase. Your users can then deny unauthorized requests in real-time.Unlike SMS, push authentication is digitally signed and fully encrypted.
Social distancing activities, remote working, and distance learning have created the perfect storm for cyber criminality. Hackers prey on sites and services with weak — or worse, negligible — authentication protocols. Undoubtedly, they'll continue to abuse and weaken systems already in place while losing no time exploiting new methods immediately upon launch.
As more people begin to use video collaboration tools maintaining trust between users and platforms grows even more important. Yet it’s all too easy for companies, institutions, and app designers to overlook security considerations in a scramble to replace physical interactions with virtual ones. Adding user verification and authentication is a simple way to prevent phony transactions, account takeovers, and malicious activity.
Want to learn how to secure virtual interactions on any application where a user has to open an account to participate, transact, or engage. Download our ebook, Strengthen Security & Reduce Risk with Phone Verification.
From APIs to SDKs to sample apps
API reference documentation, SDKs, helper libraries, quickstarts, and tutorials for your language and platform.
The latest ebooks, industry reports, and webinars
Learn from customer engagement experts to improve your own communication.
Twilio's developer community hub
Best practices, code samples, and inspiration to build communications and digital engagement experiences.