Improve Conversions with Multichannel 2FA
- 22 Dec 2020
Security is critical for all businesses. Strong authentication tools are the first line of defense against hackers and other bad actors.
Generally, passwords serve as the first authentication factor today. Every computer user is familiar with how passwords work. Security best practices call for long passwords, and if a string of letters and numbers is too long or complex to remember, users can employ a password management application to remember passwords for them. But passwords can be hacked, copied, or stolen, so passwords alone don’t provide adequate security — thus the need for a second factor.
Two-factor authentication choices — pros and cons
Many businesses use two-factor authentication (2FA) to secure access to enterprise resources and data. Organizations have many options for the second factor — biometrics, a hardware or software token, or a message sent over a separate communication channel from the one people log in on. Each has pros and cons.
Biometric authentication offers high security. Credentials are impossible to transfer to unauthorized individuals and difficult to spoof. But biometrics relies on special hardware, such as a fingerprint reader, which adds to the cost, and it may deliver a false positive, wrongly granting authorization.
Hardware tokens are difficult to spoof or tamper with and don’t require users to be connected to any network. However, they’re an extra item that organizations have to pay for and that users have to carry around and sometimes lose. Battery-operated tokens that work by generating a PIN code have limited lifetimes.
Software tokens that generate PIN codes can be a good alternative to hardware tokens. Users can generate them through applications on mobile devices, even if they’re not connected to a network. But users must download one of the token-generating apps that provide the numeric codes they exchange, and have to be trained on how to use them. And, like any software, apps can be hacked. Worse, if the mobile device is lost, the authentication credentials may be difficult or impossible to recover.
SMS messages may be the simplest and best choice for 2FA. For 2FA to work effectively, any authentication factor has to be easily accessible to users who need to authenticate. Just about everyone has a mobile device nowadays, and SMS comes native on all mobile devices — no additional app install required. And everyone knows how to read and reply to text messages, so no training is required. On the downside, it costs organizations money to send SMS messages, and in some cases it costs users to receive them. The technology relies on users being connected to a network. And SIM swapping attacks can attempt to compromise authentication.
The importance of a fallback authentication channel
Regardless of which approach an organization takes, it’s critical that the authentication method be reliable. You can’t improve security if your security enhancement keeps people from accessing the resources they need. That means your second factor needs a Plan B that’s just as secure as the original.
That’s a tall order for biometric and token-based authentication. If face recognition fails to authorize you or you lose your token, what’s your alternative authentication method? You may have to fall back on an emergency passcode — and that nullifies the advantage of a second authentication method, because passcodes are no more secure than passwords.
In this respect, SMS has an advantage over biometrics and tokens.
Though SMS is very reliable, it can be subject to delayed or dropped delivery, thanks to snags such as high network loads, unreliable carriers in some countries, and a host of other issues.
But when SMS authentication fails, organizations can easily implement a fallback channel for authentication: voice messages. Voice has the same advantages of ubiquity and intuitive use that SMS offers. Because voice calls are synchronous rather than stored or forwarded like SMS, they are prioritized on the carrier network and, as a result, are more reliable than SMS. And the combination of SMS with voice fallback is the most reliable of all.
Voice as a fallback channel from SMS for 2FA
We’ve written a post on best practices for SMS and voice-based 2FA. It talks about how to ensure that 2FA messages arrive within the 10- to 15-second window that avoids disruption in the customer experience: the communications platform has to be able to identify invalid phone numbers, discover the fastest routes for optimal message delivery, and support high throughput for delivering high volumes of messages in a timely manner.
Any company that intends to verify or authenticate users via SMS or voice calls needs superior reliability globally to ensure a seamless customer experience. Your SMS and voice API provider needs to offer a high-quality carrier network to guarantee high delivery rates across the globe.
Plivo customer Bigo, a Singapore-based provider of video-based products and services, uses SMS and voice to verify signups. It used PHLO, Plivo’s visual development tool, to quickly build a workflow that issues a one-time password (OTP) via SMS and then defaults to voice verification to improve conversions. Using PHLO makes building workflows simple; you can start with an existing template and easily adapt your verification and authentication requirements via drag-and-drop modules.
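The SMS-then-voice flow described above can be sketched as a small server-side state machine; this is an added example, not Plivo's or Bigo's code, and it does not use PHLO or any Plivo API. The `send_sms` and `place_call` callables, the five-minute lifetime and the three-guess limit are assumptions, as is the choice to issue a fresh code on fallback so that only one code is valid at a time.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300      # assumed code lifetime in seconds
MAX_ATTEMPTS = 3   # assumed guess budget, shared across both channels
SMS_WINDOW = 15    # upper end of the delivery window cited in the post


class OtpSession:
    """One verification attempt: SMS first, voice call as fallback."""

    def __init__(self, phone, send_sms, place_call, clock=time.monotonic):
        # send_sms / place_call are hypothetical provider wrappers: f(phone, code)
        self.phone, self.clock = phone, clock
        self.senders = {"sms": send_sms, "voice": place_call}
        self.salt = secrets.token_bytes(16)
        self.digest, self.channel = None, None
        self.attempts, self.issued = 0, 0.0

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def issue(self, channel="sms"):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG-backed 6-digit code
        self.digest = self._hash(code)            # keep only a salted hash
        self.issued, self.channel = self.clock(), channel
        self.senders[channel](self.phone, code)   # replaces any earlier code

    def maybe_fallback(self, delivered):
        """Call on a delivery report or when polling the SMS window."""
        waited = self.clock() - self.issued
        if self.channel == "sms" and not delivered and waited >= SMS_WINDOW:
            self.issue("voice")
        return self.channel

    def verify(self, guess):
        if self.digest is None or self.clock() - self.issued > OTP_TTL:
            return False                          # never issued, used, or expired
        if self.attempts >= MAX_ATTEMPTS:
            return False                          # fallback does not reset this
        self.attempts += 1
        ok = hmac.compare_digest(self._hash(guess), self.digest)
        if ok:
            self.digest = None                    # single use
        return ok
```

Because the attempt counter belongs to the session rather than to the channel, requesting the voice fallback does not hand out a new set of guesses.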
Reliability and security second to none
Plivo is all about reliability. Our platform supports more than a billion transactions every month while maintaining 99.99% API uptime. Our infrastructure is globally distributed and uses a network of eight data centers around the world to power global communications.
And when it comes to security, we eat our own dog food. Plivo’s CPaaS platform itself uses multifactor authentication, among other security features, to keep customer access and data secure.