The topic of Single Sign-On (SSO) has come up recently with…
A recent study by Microsoft found that multi-factor authentication alone stops 99.9% of automated attacks. Credential stuffing and phishing attacks are prevented by requiring more than a simple password to access an account. In today's market, companies must continuously improve their customer experience to stay relevant while safeguarding their customers' data. So it's no surprise that 57% of companies globally have instituted multi-factor authentication (MFA) within their organizations for both employees and customers. While MFA can be cumbersome for users, if done right it can add additional security without hampering the user experience.
The good news is that solutions exist, and they involve requiring additional information at log in. But just one additional requirement is often not enough.
The best solution for securing customer accounts is to require the entry of a one-time passcode (OTP) immediately after the user has entered their username and password. This code is typically six digits and can only be used once. The code is delivered to the user in a way that also validates something they have (a "device") like a mobile phone, home phone, tablet or laptop/desktop computer. Ideally this is set up at account creation, though there are some legal hoops to jump through when using a customer's Personally Identifiable Information (PII) without first obtaining their consent. If the customers sign up for the account themselves, there is the opportunity to secure the account with OTP from its creation by asking the customer for the required information and getting their consent. This matters because the period before an OTP device is set up is when the account is most vulnerable to being hacked.
Options for Receiving a One-Time Passcode
Text message (most widely used): The code is sent via text message to the phone number selected by the customer. This sometimes has a per-text cost associated with it, but companies like Twilio offer the service for a fee.
Authenticator app (most secure and FREE): The code is generated every 30 seconds using a shared secret or key that is set up when the application is installed, either on the customer's desktop computer or, more likely, their phone. Authy, Google Authenticator, Microsoft Authenticator and Okta Verify are a few examples of applications that can be used. The key can either be entered manually or, more conveniently, a QR code can be scanned to automatically set up the application. The user can also re-use the application for other sites. They will end up with one code for each site and will need to take care to use the right code from their list of codes. Because the code is derived from the current time, validation can fail if the clock on the customer's device drifts from the clock on the server that validates the code. There can also be issues setting this up initially due to confusion on the user's part, so education and a good web UI/UX are key to the success of using authenticator apps.
Phone call: This is an automated phone call that will read the code to the user for them to enter. Twilio also offers this as a service.
Email (least secure): A code can be sent via email. However, studies have shown that this method is not very secure, as some users' email accounts are not well protected with either complex passwords or a 2nd-factor one-time passcode.
There are other options but most involve an extra device the user needs to obtain and make more sense for Employee Login and not Customer Login.
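The two delivery styles above behave differently on the server. An authenticator app computes the code itself from a shared key and the clock (RFC 4226 HOTP under RFC 6238 TOTP), so the server must tolerate a little clock drift while still refusing a code that has already been accepted. A code sent by text, phone call or email is generated by the server, so the server must store only a hash of it, expire it, count wrong guesses and mark it used. The following is an added example written for this page, not code from Zirous, Twilio or any authenticator vendor; the `ExampleShop` issuer, the account name, the `SERVER_KEY` value and the 300-second lifetime are constructed, and the secret is the RFC 6238 reference key, used here only as sample input.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30     # TOTP time step in seconds (what "every 30 seconds" refers to)
DIGITS = 6    # code length used by both mechanisms

# Constructed server-side key used only to hash delivered codes at rest (assumption).
SERVER_KEY = b"constructed-server-side-hashing-key"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_used: int = -1,
                window: int = 1, step: int = STEP, digits: int = DIGITS):
    """Accept a code from the current step or `window` steps either side to
    tolerate clock drift. Returns the matched counter (the caller persists it)
    or None. Counters at or below `last_used` are refused, so an accepted code
    cannot be replayed while it is still inside the drift window."""
    current = at // step
    matched = None
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            matched = counter
    return matched


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def issue_delivered_code(now: int, ttl: int = 300):
    """Server-generated code for text / voice / email delivery. Only a keyed
    hash is stored; the clear code goes to the delivery channel and nowhere else."""
    code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
    record = {
        "hash": hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest(),
        "expires": now + ttl,
        "attempts": 0,
        "used": False,
    }
    return code, record


def check_delivered_code(record: dict, submitted: str, now: int,
                         max_attempts: int = 5) -> bool:
    """Reject expired, already-used or over-tried codes before comparing, and
    count every attempt so a six-digit code cannot be guessed online."""
    if record["used"] or now > record["expires"] or record["attempts"] >= max_attempts:
        return False
    record["attempts"] += 1
    expected = hmac.new(SERVER_KEY, submitted.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(record["hash"], expected):
        record["used"] = True
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), sample input only.
    secret = b"12345678901234567890"
    print(provisioning_uri("ExampleShop", "customer@example.com", secret))
    print("code at t=59:", totp(secret, 59))             # RFC vector: 287082
    print("one step of drift accepted:", verify_totp(secret, "287082", 89))
    code, record = issue_delivered_code(now=1000)
    print("delivered code accepted once:", check_delivered_code(record, code, 1001),
          "then refused:", check_delivered_code(record, code, 1002))
```

The drift window of one step either side is the usual compromise between the clock-skew problem described above and the size of the guessing window; the matched counter must be stored per user so that a replayed code inside that window is refused. For delivered codes, the attempt counter is what makes a six-digit code safe against online guessing within its five-minute life.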
The Right Partner
Through years of experience helping clients secure customer data using one-time passcodes, Zirous experts have developed the expertise to enrich clients' security strategies. We know the value of the right technology and experts on your side. We've seen successful businesses separate themselves by demonstrating customer care and safeguarding their customers' security. By partnering with companies like Microsoft, AWS, and Okta we are able to apply our experience and expertise to deliver a solution that caters to your business needs. Don't wait for a data leak or for a governing body to mandate MFA; reach out to us today!