Up Your Site Security With 2FA
It’s a measure of how rapidly the internet has developed that two-factor authentication is increasingly becoming the norm rather than the exception for any site more sensitive than an internet chat forum.
Commonly referred to as 2FA, two-factor authentication typically combines something you know with something you have. Just as with a PIN and a debit card at the ATM, either one is useless without the other. Biometric technology such as fingerprint recognition or retinal scanning may represent a third kind of factor, something you are; it could be argued that the eye scanners at airports constitute a form of 2FA when used in tandem with the ubiquitous passport. It may not be long before fingerprint recognition is needed to access your bank account, or social media logins request a retinal scan from your webcam.
The importance of two-factor authentication can be summed up in one word: fraud.
Adding a second layer of protection to a website greatly increases the difficulty for third parties attempting to gain access for fraudulent purposes. A single-factor login can be compromised in a number of ways, including screen mirroring, keystroke logging or the theft of a password reused across several websites. A 2FA system in which only certain characters of the second credential are requested at the second stage can help prevent these attacks, because a single captured login reveals only part of the secret. Breaking into an account under these circumstances may not be impossible, but the additional challenges should deter the vast majority of opportunist cyber-criminals.
The widespread rollout of 2FA has been spearheaded by financial services companies. Account holders now typically enter a username, followed by additional information on a secondary webpage such as their date of birth or mother’s maiden name. Another common example of 2FA is where the second stage of authentication is delivered on a separate device, such as a desktop computer’s online banking portal that can only be accessed with a one-off alphanumeric code texted to that user’s mobile phone. These unique identifiers are known as dynamically generated passcodes; they only work once, and usually have a very limited lifespan. First Direct’s passcodes expire within one minute of their arrival, after which they are useless to anyone who finds them or tries to access an account with them.
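The three properties described above for dynamically generated passcodes (they work once, they expire quickly, and a found or intercepted code is useless afterwards) come down to a small amount of server-side bookkeeping. The following Python is an added example written for this article, not code from First Direct or any bank; it assumes a 60-second lifetime (mirroring the one-minute expiry quoted above), a six-digit code, and a limit of three wrong guesses per code, all of which are illustrative choices. Delivery of the code by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed policy values for this example (not taken from any real bank):
CODE_LIFETIME_SECONDS = 60  # the one-minute lifespan described in the article
CODE_LENGTH = 6             # digits in the delivered passcode
MAX_ATTEMPTS = 3            # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    digest: bytes      # SHA-256 of the code; the clear code is never stored server-side
    expires_at: float  # Unix time after which the code is rejected
    attempts: int = 0  # verification attempts made against this code


class OneTimeCodeStore:
    """Issues and verifies single-use, time-limited passcodes for a second factor."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for the user; the caller delivers it (e.g. by SMS).
        Issuing a new code replaces any earlier code still pending for that user."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user_id] = PendingCode(
            digest=self._digest(code),
            expires_at=self._clock() + CODE_LIFETIME_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept the code at most once, only before expiry, and only within the
        guess limit. Any rejection after expiry or lock-out discards the code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing pending, or the code was already used
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return False  # expired: a late-found code is useless
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]
            return False  # too many guesses: force a fresh code to be issued
        if hmac.compare_digest(entry.digest, self._digest(submitted)):
            del self._pending[user_id]  # consumed: a replay of the same code fails
            return True
        return False


class FakeClock:
    """Constructed clock for the demonstration so expiry can be simulated."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = OneTimeCodeStore(clock=clock)
    code = store.issue("alice")
    print("first use accepted:", store.verify("alice", code))      # True
    print("replay accepted:", store.verify("alice", code))         # False
    code = store.issue("alice")
    clock.advance(CODE_LIFETIME_SECONDS + 1)
    print("use after expiry accepted:", store.verify("alice", code))  # False
```

The clear-text code exists only in transit to the user; the server keeps a hash and compares with `hmac.compare_digest` so that timing differences do not leak how many characters matched. Deleting the entry on success is what makes the code single-use, and the attempt counter stops an attacker from brute-forcing a six-digit space inside the one-minute window.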
Where banks and building societies lead, other websites inevitably follow. Google and Apple have already made 2FA available to their users, and social media sites including Snapchat and Twitter can also be configured in this way. Even cloud storage providers like Dropbox have adopted 2FA, while Microsoft, PayPal and LinkedIn dispatch text message codes when users attempt to log in from an unrecognised device. A full list of organisations providing this extra security – and details of those who don’t – can be viewed at http://twofactorauth.org.
From the perspective of a website manager, 2FA is becoming essential for retaining the trust of clients. Any retail or financial website should use it, as should any platform that requests personal information which could be harmful in the wrong hands. Companies like YubiKey and Symantec provide 2FA solutions that can be deployed on everything from networks to individual sites, protecting website providers and clients alike. Sites built on WordPress can be fitted with plugins such as Authy or Two Factor Auth, which generate one-time passwords on behalf of individual users. With a number of programs and plugins now capable of providing 2FA on pretty much any website, there is no excuse for webmasters and IT managers not to adopt this extra layer of security on sensitive public-facing sites.