The definitive guide about 2FA best practices

*This post was updated in May 22.

It seems to have taken a security incident on the scale of Heartbleed to finally bring popular emphasis to digital security at the consumer level. Thankfully, there are solutions already at hand.

How two-factor authentication works

Two-factor authentication, also commonly referred to as two-step verification, requires an online account holder to present two separate passwords before being allowed to log in to their account:

  • The first password is the user’s primary account password. The second password is sent to a separate location—typically a mobile device—as a unique, time-sensitive security token that expires in a pre-defined period of time (e.g., 10 minutes).
  • This second password is known in the industry as a one-time password (OTP), and is often delivered via SMS or an IP data channel to the user’s personal mobile device. When two-step verification is on, each time the user logs in to their account for the first time from a given device, they are asked for both their primary password and their OTP.

Two-step verification benefits not just consumers, but the organisations that implement it as well. The second factor of authentication provides key security benefits such as:

  • Additional layer of protection against identity theft and password phishing
  • Additional layer of protection against keystroke loggers
  • Further thwarting of packet sniffing attempts

Had those users had two-step verification on their accounts, an attacker would have needed both their primary password and their temporary, one-time-use password, before it expired, to gain access to their personal information.


Benefits for implementing two-factor authentication

With two-step verification in place, even if an Internet attacker has stolen a user’s online account password by exploiting a vulnerability, they cannot log in without also having the one-time password, which is sent to the user’s mobile phone. This results in:

  • Reduced probability of an Internet attacker gaining access to an account, resulting in fewer security breaches
  • Lower total costs of disruption
  • An additional protection option that can be advertised to account holders; having this option available reduces the reputation risk following a security breach

Enabling two-step verification has significant value to organisations that wish to protect their own sensitive data. One of the most common uses of two-step verification is the protection of corporate intellectual property; in fact, millions of workers worldwide today are required to log in to their corporate accounts using two-step verification.

As consumer awareness of the value of two-step verification grows, organisations will be pleased to find that there are two-step verification solutions on the market that can be deployed quickly (and at a low cost) to help prevent the potential financial and reputation damages incurred during a security breach.


Discover five essential 2FA Best Practices

Here are five 2FA implementation best practices to help you implement, transition, and maintain a two-factor verification program:

  1. Look for Compliance: Choose a two-factor verification solution that is built on standards-based crypto-algorithms and authentication protocols. These standards undergo public scrutiny, helping ensure that products that meet them are more secure.
  2. Consider Your Access Points: Do your users access the system at their office desks? At home? On the go? Overseas? All of the above? Keep these access points in mind and choose a solution that can accommodate all the places users need to authenticate.
  3. Find a Champion: Like any project that requires management, implementing authentication will work best with an internal executive to champion the process. This champion will also help keep the program on track over time as momentum slows.
  4. Accommodate Partial Adoption: Technology and cultural factors may prevent you from switching all your users to two-factor verification at once. Look for solutions that accommodate this limitation and easily scale with your needs as you incorporate existing and new users.
  5. Implement a Program: Implementing something new is about more than just installing some software and walking away. For your initiative to succeed, the product must be part of a larger program, with training and resources available for everyone involved.

Ensure that end users have access to walkthroughs and resources, and encourage them to use the new technology. You’ll need to be able to answer these questions from users:

  • Will this work on my phone/carrier? What if it’s not a company-supplied device?
  • What if I forget my password or PIN?
  • What happens if I lose my device or it gets stolen?
  • What if I change phones or SIM cards?
  • How is my privacy protected?
  • Does it work internationally? What if I’m offline?

This post concludes our series on digital security and two-factor authentication. Want a more in-depth discussion? Read our full whitepaper.