3 keys to reliable 2FA via SMS

September 4, 2015


2FA, also known as Two Factor Authentication, is something which happens every day and yet something most people can’t name. Its purpose stems from the increase in online fraud, where a password and username are no longer enough to protect your information – especially if you’re using the same password for every account you own. 2FA allows for better safety and security: while you still use your username and password, you will also need a special, time-sensitive code which is sent to you once and is available only to you. Why? Because it depends on something that only you possess – your phone.

This is essentially why it is called 2 Factor. The first factor is the username and password, whilst the second factor is the code which is sent to you on your phone via SMS. Now, whilst a hack may compromise your username and password, the two factor authentication code will only be sent to your phone, making it practically impossible to get into an account which has 2FA enabled.

Upon entering your username and password into specific websites, you will be prompted to input the code you received on your phone. This makes it far more difficult for anyone to hack your accounts and carry out any fraudulent actions, as it adds an extra layer of security which won’t be available to the malicious user.

Besides providing more security for end users, if your software needs to be compliant with certain security standards you will have no choice but to implement Two Factor Authentication.

Here at Fortytwo we understand the importance of safety and find that 2FA is one of the best ways to ensure that everything keeps running smoothly and that people’s information or data is always kept safe. This is why we don’t get tired of stressing the need for 2FA. Having said that, it is quite important to implement two factor authentication with the following in mind: security must not come at the cost of a degraded experience for the user.

1. Speed

If someone is carrying out a transaction or logging into a particular account, that person doesn’t want to hang around waiting for their code to arrive by text on their phone. Messages must be delivered instantly (within a few seconds at worst) so as to allow the user to continue the transaction they were performing. Leave users waiting too long for their SMS and you risk them getting impatient with the service and moving on to someone else.

This means that your text needs to pass through high quality channels. Cheap channels (read: dirt cheap SMS gateways) might look appealing – but their cheapness comes at a price. Typically, your SMS has to travel through a large number of third-party intermediaries, or over unreliable technology, which increases delivery time. Every second counts, so the stronger the quality of the link, the quicker your message will arrive at its recipient. Fortytwo has developed excellent relationships with high quality telecoms companies to ensure that all your 2FA texts arrive reliably and quickly at their destination – your user – to ensure an excellent experience.

You can try our SMS Gateway for free, to test the delivery speed of the texts you would be sending.

2. Think about the UX

Often developers plan out the whole backend perfectly but give little to no attention to the overall two factor authentication user experience. 2FA is going to be used by people who simply want their information and know they have to pass a small security barrier first.

To optimize the user experience, keep the following in mind:

Be sure to include clear, concise guidelines when setting everything up.
Send the SMS in the local language so as to avoid unnecessary confusion.
Include things like a drop-down menu for the person to select their country code (instead of having to remember it).
A neatly laid out code in the SMS is essential. For example, 45873125 is confusing, whilst 4587-3125 is much easier to transcribe.
Run real user tests – don’t rely on your own users, QA and developers to test the experience. Find users who have never seen the system before and ensure they can get through it without any hitches. Any glitch or confusion is going to be experienced by ALL your users, so make the experience as smooth as possible. As a simple guideline, you need at least 10 users in a row who are able to complete the transaction flawlessly before you can reliably call your login a good user experience.
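As an added example (not Fortytwo’s own code, and not tied to any particular SMS gateway API), here is how the time-sensitive, single-use code described in this post can be issued and checked: the digits are grouped as 4587-3125 for the text, and whatever the user types back (with or without the dash) is normalized so that a correct code is never rejected over formatting. The five-minute lifetime, the five-attempt limit and the message wording are assumptions chosen for the illustration; only the hash of the code is kept on the server side.

```python
import hmac
import secrets
import time

CODE_DIGITS = 8
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: a challenge is locked after five wrong guesses


def generate_code(digits=CODE_DIGITS):
    """Draw a zero-padded numeric code from the OS CSPRNG (never the random module)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def format_for_sms(code, group=4, sep="-"):
    """45873125 -> 4587-3125: grouped digits are far easier to read off a phone."""
    return sep.join(code[i:i + group] for i in range(0, len(code), group))


def normalize_input(typed):
    """Keep only the digits, so '4587-3125', '4587 3125' and '45873125' all match."""
    return "".join(ch for ch in typed if ch.isdigit())


def _digest(code, salt):
    # Store a keyed hash rather than the code itself: a dumped challenge table
    # then does not hand out live codes.
    return hmac.new(salt, code.encode(), "sha256").digest()


class Challenge:
    """One outstanding SMS challenge: keyed hash of the code, expiry, attempt counter."""

    def __init__(self, code, now=None, ttl=CODE_TTL_SECONDS):
        now = time.time() if now is None else now
        self.salt = secrets.token_bytes(16)
        self.digest = _digest(code, self.salt)
        self.expires_at = now + ttl
        self.attempts = 0
        self.used = False


def issue_challenge(now=None):
    """Create a challenge and the text to hand to the SMS gateway.

    The plaintext code lives only in the returned message; the server keeps the
    Challenge object, which holds the hash.
    """
    code = generate_code()
    challenge = Challenge(code, now)
    minutes = CODE_TTL_SECONDS // 60
    text = f"Your verification code is {format_for_sms(code)}. It expires in {minutes} minutes."
    return challenge, text


def verify(challenge, typed, now=None):
    """Check a typed code against a challenge; returns (accepted, reason)."""
    now = time.time() if now is None else now
    if challenge.used:
        return False, "already used"          # single use, as the post describes
    if now > challenge.expires_at:
        return False, "expired"               # time-sensitive, as the post describes
    if challenge.attempts >= MAX_ATTEMPTS:
        return False, "too many attempts"     # stop online guessing of an 8-digit code
    challenge.attempts += 1
    candidate = _digest(normalize_input(typed), challenge.salt)
    if not hmac.compare_digest(candidate, challenge.digest):
        return False, "wrong code"
    challenge.used = True
    return True, "ok"


if __name__ == "__main__":
    code = generate_code()
    challenge = Challenge(code)
    print("SMS to gateway:", f"Your verification code is {format_for_sms(code)}")
    print(verify(challenge, format_for_sms(code)))   # (True, 'ok')
    print(verify(challenge, format_for_sms(code)))   # (False, 'already used')
```

The attempt counter matters because an 8-digit code is only as strong as the number of guesses the server allows before the code expires; the lock and the expiry together bound that.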

Keep in mind who the end user is: the more pleasant their experience, the more loyal they will be, which will keep them coming back. Any frustrating glitches, misunderstandings or confusion will lead people to consider different options.

3. Constantly work at preventing fraud via other avenues

It’s important to pre-empt fraudulent attempts. If a user wishes to change their mobile number, ensure that they pass through an authentication process via another channel, such as their e-mail address. Also, ensure that there is only one account per number, so as to prevent fraudulent multiple accounts. Learn from the bad experiences of other companies who have fallen victim to fraud.
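For the number-change and one-account-per-number rules, an added example (not Fortytwo’s code; the in-memory account store, the one-hour validity of the e-mail token and the sample names and numbers are all assumptions): a request to change the mobile number on file is only recorded as pending, a confirmation token is sent to the e-mail address already on the account, and only following that link swaps the number. Both registration and confirmation check the normalized number against an index, so a second account cannot claim a number that is already in use. Number normalization here is a deliberate simplification (strip non-digits, drop leading zeros from the national part); a real deployment would use a proper phone-number library.

```python
import secrets
import time

CHANGE_TOKEN_TTL = 3600  # assumed: the e-mail confirmation link is valid for one hour


def normalize_msisdn(country_code, national_number):
    """Build a canonical +<cc><number> key from a dropdown country code and a typed number.

    Canonical form is what makes the uniqueness check meaningful: '+44' with
    '07700 900123' and '44' with '7700900123' must map to the same key.
    (Simplified: drops all leading zeros of the national part.)
    """
    cc = "".join(ch for ch in str(country_code) if ch.isdigit())
    nat = "".join(ch for ch in national_number if ch.isdigit()).lstrip("0")
    if not cc or not nat:
        raise ValueError("country code and number are required")
    return f"+{cc}{nat}"


class DuplicateNumber(Exception):
    """Raised when a mobile number is already bound to another account."""


class AccountStore:
    def __init__(self):
        self.accounts = {}          # username -> {"email": ..., "msisdn": ...}
        self.number_index = {}      # msisdn -> username (enforces one account per number)
        self.pending_changes = {}   # token -> (username, new_msisdn, expires_at)

    def register(self, username, email, country_code, number):
        msisdn = normalize_msisdn(country_code, number)
        if msisdn in self.number_index:
            raise DuplicateNumber(msisdn)
        self.accounts[username] = {"email": email, "msisdn": msisdn}
        self.number_index[msisdn] = username
        return msisdn

    def request_number_change(self, username, country_code, number, now=None):
        """Step 1: record the wish to change. Nothing changes yet; a token goes to the e-mail on file."""
        now = time.time() if now is None else now
        new_msisdn = normalize_msisdn(country_code, number)
        owner = self.number_index.get(new_msisdn)
        if owner is not None and owner != username:
            raise DuplicateNumber(new_msisdn)
        token = secrets.token_urlsafe(32)
        self.pending_changes[token] = (username, new_msisdn, now + CHANGE_TOKEN_TTL)
        # Here a real system would e-mail a link carrying `token` to
        # self.accounts[username]["email"]; the old number stays active meanwhile.
        return token

    def confirm_number_change(self, token, now=None):
        """Step 2: the link from the e-mail is followed; only now is the number swapped."""
        now = time.time() if now is None else now
        entry = self.pending_changes.pop(token, None)   # a token is single use
        if entry is None:
            return False, "unknown token"
        username, new_msisdn, expires_at = entry
        if now > expires_at:
            return False, "expired"
        # Re-check uniqueness: someone may have registered the number since step 1.
        if self.number_index.get(new_msisdn, username) != username:
            return False, "number taken meanwhile"
        old_msisdn = self.accounts[username]["msisdn"]
        del self.number_index[old_msisdn]
        self.number_index[new_msisdn] = username
        self.accounts[username]["msisdn"] = new_msisdn
        return True, "ok"


if __name__ == "__main__":
    store = AccountStore()
    print(store.register("alice", "alice@example.com", "+44", "07700 900123"))
    token = store.request_number_change("alice", "+1", "(202) 555-0143")
    print(store.confirm_number_change(token))   # (True, 'ok')
    print(store.accounts["alice"]["msisdn"])    # +12025550143
```

Because the pending request never touches the stored number, someone who has only the password (and not the mailbox) cannot redirect the 2FA codes to a phone they control, and the second uniqueness check keeps the one-account-per-number rule intact even when a request and a registration race.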

The use of SMS for 2FA has been revolutionary, and it has certainly created extra safety and security which improves a person’s user experience. So, by setting up systems to prepare for these kinds of problems, and by thinking through the worst possible situations, you will be able to avoid problems in the future.
