Fraud costs the global economy over $5 trillion each year. And the cost of fraud to US merchants is up 7% year over year. It is clear that now more than ever, a multi-factor authentication solution is essential when it comes to defending you and your customers against fraudulent activity.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication is a mechanism whereby a user can only access a website or application after successfully presenting two or more pieces of evidence that indicates they are who they claim to be. Typical ways of doing this include asking for:
- Knowledge – Information only the user would know. Potentially a personal question about a favorite book or similar
- Possession – Something only the user has ownership of, like a password, token, or key
- Location – Data to determine where the user is located
Hackers can often come up with ways to break into systems using only one form of authentication. Every time you add another factor, the harder it becomes for them. An excellent everyday example of multi-factor authentication is ATMs. You must provide a physical card, be in a specific location, and use the correct PIN to withdraw money. In this case, the factors used are:
- Knowledge – the user must know the valid PIN
- Possession – the user must have a specific card to access the money
- Location – the user must use an ATM to request the funds
Another excellent example of multi-factor authentication is using an SMS, voice message, or email to send a code the user can input along with a password to gain access. In this case, you’re combining:
- Knowledge – the user must know the correct password
- Possession – the user must have the right phone and SIM card, or access to an email account, to receive a one-time passcode
Setting Up Multi-Factor Authentication
If you offer customers a mobile app, web app, or website as part of your business offering, multi-factor authentication is a must. There are many ways to set up multi-factor authentication, but some popular, secure methods include:
- Email – let the user receive a verification code or password reset via email
- Voice – the user can receive a verification code via phone call
- SMS – the user can receive a text message containing the verification code or password reset link
When it comes time to decide which method(s) to use for authentication, there is a bit of analysis required on your part. You’ll want to examine your customer base. Use determinants you’ve collected from various customer profiles. Age, location, and market segments are just a few factors that could influence how your customers would prefer to authenticate their accounts. For example, 75% of millennials prefer receiving a text message versus a phone call, especially if the message is quick.
MFA Best Practices
When setting up Multi-Factor Authentication, keep the following in mind:
- Add metrics to track which methods are most popular. You can start by offering email, SMS, and Voice; then, you can remove a feature if it seems underused. Although some people would argue the best practice is to offer all options to cover the broadest range of situations and issues your users might encounter.
- Don’t make customers choose a single 2FA method.
- Offer a way for the customer to write down some backup codes in case of an emergency. While backup codes can be physically located by someone and used, offering this can help someone in a situation where they lose their phone or similar.
- Secure the system you’re using to generate SMS, voice, and email messages. Ensure your API key isn’t readily exposed to attackers (for example, by putting your API key into an app or similar).
It’s also important to note that each method has its pros and cons in functionality. Where some excel, others may fall short. And vice versa. That can be a crucial determiner in deciding to implement multiple options for a multi-factor authentication protocol.
Breaking Down Benefits and Weaknesses
- It offers a way to get a verification code without needing a phone
- You can use your computer to receive the code
- You can defend against SIM swapping with this method because you may have things configured, so you only receive emails on your computer.
- Secure against hackers trying to intercept OTPs via Voice and SMS
- Email delivery can be slower sometimes, so your customer might find themselves stuck waiting for their message
- If you don’t have your phone or computer, you can’t use this method
- You can receive the message via phone
- A helpful tool for those who are visually impaired, compared to email or SMS
- You might not be able to hear the code if you’re somewhere crowded
- It might be harder to remember the code if you can’t quickly write it down
- If you don’t have your phone, you can’t use this method
- One of the fastest one-time passcode delivery methods available
- You can refer back to the message to verify the code
- It’s one of the most popular forms of communication – Millennials and Boomers both prefer texts for business communications
- A helpful tool for those who are hearing impaired, compared to voice
- If you don’t have your phone, you can’t use this method
As you can see, each channel has it’s distinct benefits and pitfalls. This is why a multi-factor authentication strategy provides the strongest protection. While you’ll need to identify what works best for you and your customers, Mitto’s verification experts recommend that the following methods be made available at the associated customer touchpoints.
- Account creation and verification: SMS and Email
- Logins: SMS, Voice, and Email
- Transactions: SMS and Voice
- Contact updates: Email
Each form of multi-factor authentication has its pluses and minuses. You’ll want to provide customers with a choice of channels by using a solution like Mitto’s Verification tool, so they can decide the best way to protect their accounts. Let them opt-in during sign-up and offer them a way to change their configuration at any time.
By offering Multi-Factor Authentication or requiring it as part of your sign-up process, you can ensure that customer accounts are kept safe, maintaining the trustworthiness of your brand.