This post is the second in our series on digital security and two-factor authentication.
It seems to have taken a security breach the size of Heartbleed to finally see more popular emphasis on digital security at the consumer level.
Thankfully, there are solutions already at hand, and the best is two-factor authentication.
Two-factor authentication, also commonly referred to as two-step verification, requires an online account holder to present two separate passwords before being allowed to log in to their account.
The first password is the user’s primary account password. The second password is sent to a separate location—typically a mobile device—as a unique, time-sensitive security token that expires in a pre-defined period of time (e.g., 10 minutes).
This second password is known in the industry as a one-time password (OTP), and is typically delivered via SMS or an IP-based channel to the user’s personal mobile device.
If online users had had two-step verification on their accounts, an attacker would have needed both their primary password and their temporary, one-time-use password, and would have had to use that second password before it expired, to gain access to users’ personal information.
With two-step verification in place, even if an Internet attacker has stolen a user’s online account password by exploiting a vulnerability such as the Heartbleed bug, they cannot log in without also having that one-time password, which is sent to the user’s mobile phone.
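The properties just described (a random code delivered out of band, valid only for a limited window, usable only once, and required in addition to the primary password) are easy to state but easy to get wrong server-side. The following is an added example, not code from the original post or from any product it refers to; the class and function names, the 6-digit format and the 5-attempt cap are this example's own assumptions, while the 10-minute expiry follows the figure used above.

```python
"""
Added example (not from the original post): a minimal server-side one-time
password (OTP) issuer and verifier. It keeps only a hash of each pending code,
binds the code to the account it was issued for, enforces an expiry window,
caps guesses, and consumes the code on first successful use.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6                 # assumption: 6-digit numeric code
OTP_TTL_SECONDS = 10 * 60      # the post's example: expires after 10 minutes
MAX_ATTEMPTS = 5               # assumption: cap on guesses per issued code


class OtpStore:
    """Holds pending codes keyed by account. Only a digest of each code is
    stored, so a leaked store does not reveal usable codes."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # account -> (digest, expires_at, attempts)

    def issue(self, account):
        """Generate a fresh code for the account and return it for delivery
        (e.g. over SMS). Any previously pending code for the account is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[account] = (self._digest(account, code),
                                  self._now() + OTP_TTL_SECONDS, 0)
        return code

    def verify(self, account, submitted):
        """Return True exactly once, for the right code, before expiry.
        Expired or exhausted codes are discarded so they cannot be retried."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[account]
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(digest, self._digest(account, submitted))
        if ok:
            del self._pending[account]   # single use: consumed on success
        else:
            self._pending[account] = (digest, expires_at, attempts + 1)
        return ok

    @staticmethod
    def _digest(account, code):
        # Bind the digest to the account so a code issued for one account
        # cannot be replayed against another.
        return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()


def login(primary_password_ok, store, account, submitted_otp):
    """Both factors are required: a stolen primary password alone is not
    enough, and the OTP is not even checked unless the first factor passed."""
    if not primary_password_ok:
        return False
    return store.verify(account, submitted_otp)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")          # in practice this is sent to the phone
    print("login with stolen password but no OTP:",
          login(True, store, "alice", "000000" if code != "000000" else "111111"))
    print("login with password and correct OTP:", login(True, store, "alice", code))
    print("replay of the same OTP:", login(True, store, "alice", code))
```

The clock is injected so that expiry can be exercised deterministically; in a real deployment the store would live in a shared cache with the same per-account binding and single-use semantics.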
This results in:
- Reduced probability of an Internet attacker gaining access to an account, resulting in fewer security breaches
- Lower total costs of disruption
- An additional protection option that can be advertised to account holders; having this option available reduces the reputation risk following a security breach
As the Heartbleed bug demonstrated, any breach to consumer account security—especially involving a consumer’s sensitive or private data—can result in significant costs and reputation damage for the company.
In the next post in this series, we’ll discuss best practices for implementing two-factor authentication at the enterprise level. Want a more in-depth discussion? Read the full whitepaper.