In the last two years, two-factor authentication downloads have seen a whopping 320% increase, according to the developer service npm. Consumer demand for 2FA is skyrocketing, but a quick look at twofactorauth.org shows that only half of the 1,000 most popular websites have implemented 2FA.
What is the reasoning behind the slow adoption of 2FA? The fault lies at two ends: consumers are typically not aware of 2FA, or only realize they should be using it after their account has been breached, and websites fail to provide a seamless 2FA user experience and to encourage users to opt in.
Another reason 2FA adoption by consumers has been delayed is the 30-year-old clunky method of receiving a code via SMS or an authenticator app and having to retype it during login. This less-than-ideal experience has met with resistance from users, so applications tend not to enable it by default. Yet consumers are asking for better account security, so now is the time for the implementation of 2FA to shift from reactive to proactive.
For consumers looking for an easier-to-use login experience, there is a solution: push authentication. This approach is a vast improvement over sending a one-time passcode via SMS and is truly the most secure method of 2FA. Organizations like money transfer service Transferwise have implemented push authentication to protect cross-border money transfers, while digital currency exchange Gemini has implemented push authentication to protect high-value cryptocurrency wallets.
These are just two examples of how push authentication is gaining traction in online finance and cryptocurrency companies, due to the high risk involved and the need for fast and secure transactions. Of course, organizations like Yahoo, Google, Microsoft, and most recently Salesforce, have implemented push authentication, and it’s time other organizations and consumers get on board with ushering in this new era of secure online identity.
Bringing push authentication to the forefront
First and foremost, the experience of push authentication is very simple. When logging in, a notification is sent to the trusted devices (either mobile or desktop) associated with the user account. When the user responds to this notification, they are presented with a simple “accept” or “deny” choice to allow or prevent the login. Accompanying this action is information about where the request is coming from, such as the location, browser type or device type. This information gives the user quick confidence in allowing a request, or useful data when deciding to deny a request that the legitimate user does not recognize.
Push authentication also leverages the latest security techniques, unlike SMS, whose messages are unencrypted by default. Instead, push authentication uses end-to-end encrypted communications between the application and a secured authentication service.
It’s clear that increased adoption of push authentication would improve the user experience and therefore incline developers to make 2FA mandatory, not just optional. This would ultimately make strong security a standard for all online accounts. Push authentication also goes beyond the standard use of 2FA. Consider the example of Gemini, which uses push authentication to protect the withdrawal of cryptocurrency. And tech giants like Google and Yahoo have implemented passwordless logins, where a response to a request on a trusted device is all that’s needed at login time.
For more knowledge on this topic, tune in to our upcoming webcast, 12 Ways to Defeat Two-Factor Authentication.
One small step towards push authentication; one giant leap for security
Push authentication isn’t going to revolutionize security on its own; developers need to take matters into their own hands by first educating users about this easy 2FA and potentially password-free authentication method. While push authentication may be the best way to implement 2FA, if users don’t understand account security it will be harder to introduce them to new features.
There are a few other steps to consider if you want to “push” push authentication:
- Smooth enablement: The greatest hurdle to 2FA is often finding the option and switching it on. Companies need to make sure it’s easy for users to discover this feature and make enablement as simple as possible. This includes easy-to-navigate UX, email reminders to enable better security and in-application notifications.
- Enforce for high-value users: While making 2FA opt-in seems like the safest way to reduce friction for new user accounts, consider mandating it for those who accrue value. There is nothing worse than a user holding hundreds of thousands of dollars with no protection, simply because you relied on them being aware of their security options and deciding to secure their own account.
- Default to push, fall back to SMS: When implementing 2FA, always start with push authentication as the default. However, because it does require the installation of an application (either your own, or a dedicated authenticator) there will always be a segment of users with no smartphone or the inability to download new apps. Therefore SMS should remain a valid fallback method.
- Bring the details: When using push authentication, take full advantage of the details you can present to a user. If you are securing a monetary withdrawal, include the amount in the request. If you know the location of the user attempting to login, include that in the request. The more details you provide, the more confident the user will be of making the right decision.
- Listen to the denials: If a user responds “deny” to a push authentication, pay attention. If the user responds repeatedly, take action. It’s likely their account is under attack and you should do something proactive to protect them further.
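As an added illustration of the “bring the details” and “listen to the denials” points above (this is not code from the article or from Twilio), here is a small server-side model in Python: every context item is rendered into the prompt the trusted device shows, prompts expire after a short time, and repeated denials inside a look-back window flag the account for proactive action. The class, field names, thresholds and the scenario in `demo()` are all assumptions constructed for this example.

```python
import secrets
from collections import deque
from datetime import datetime, timedelta
REQUEST_TTL = timedelta(minutes=2)      # a push prompt is only valid briefly
DENIAL_WINDOW = timedelta(minutes=15)   # look-back period for repeated denials
DENIAL_THRESHOLD = 3                    # denials in the window before acting

class PushAuthMonitor:
    """Server-side bookkeeping: prompts shown, answers pending, denials per user."""
    def __init__(self):
        self.pending = {}    # request_id -> {"user", "prompt", "created"}
        self.denials = {}    # user -> deque of denial timestamps
        self.locked = set()  # users flagged for proactive protection

    def build_request(self, user, action, context, now):
        rid = secrets.token_hex(8)   # unguessable id binds the answer to this prompt
        # every context item (location, browser, amount...) is rendered for the user
        lines = [f"{action} request for {user}"] + [f"  {k}: {v}" for k, v in sorted(context.items())]
        self.pending[rid] = {"user": user, "prompt": "\n".join(lines), "created": now}
        return rid

    def respond(self, rid, decision, now):
        """Apply the user's answer; returns allowed / denied / locked / expired."""
        req = self.pending.pop(rid, None)
        if req is None or now - req["created"] > REQUEST_TTL:
            return "expired"          # stale or unknown prompt: never allow
        user = req["user"]
        if user in self.locked:
            return "locked"           # flagged account: review before any access
        if decision == "accept":
            return "allowed"
        q = self.denials.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > DENIAL_WINDOW:   # forget denials outside the window
            q.popleft()
        if len(q) >= DENIAL_THRESHOLD:
            self.locked.add(user)     # hook for alerting, step-up auth or lockout
            return "locked"
        return "denied"

def demo():
    # constructed scenario: a legitimate accept, then three denials of unsolicited withdrawals
    mon = PushAuthMonitor()
    t0 = datetime(2018, 1, 1, 12, 0)
    rid = mon.build_request("alice", "login", {"location": "Oslo, NO", "browser": "Firefox"}, t0)
    results = [mon.respond(rid, "accept", t0 + timedelta(seconds=20))]
    for t in (t0 + timedelta(minutes=m) for m in (5, 10, 15)):
        rid = mon.build_request("alice", "withdraw", {"amount": "2.5 BTC", "location": "unknown"}, t)
        results.append(mon.respond(rid, "deny", t + timedelta(seconds=5)))
    return results   # ['allowed', 'denied', 'denied', 'locked']
```

Once a user is flagged, even an “accept” on a later prompt returns "locked", so the application can route the account to review instead of silently letting the next attempt through.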
The waiting game
It’s clear push authentication is the way forward, as shown by Google, Microsoft and others. Consumers today are more aware of security than ever before, so instead of waiting for push authentication to be ubiquitous, you can significantly increase consumer trust in your business by leading the way.
You have two main choices for how to add this type of authentication to your application. Either allow users to log in with a Google or Yahoo account (and hope the users themselves have switched on this type of authentication). With these options in mind, companies and their respective developers can ensure that push authentication becomes the preferred method of authentication.
This is a contributed article by Twilio's Director of Product Simon Thorpe.
For more on topics like this be sure to attend our upcoming InfoSec World Conference & Expo in Orlando, Florida.