
Implementing 2FA the right way and more

22 May 2017

Picking Passwords

Do you use the same password for multiple online services? I know I did. I also used to have a list of about five passwords with various complexity, which were used depending on the service. Then, I changed my behavior.

Using the same password (or pool of passwords) is definitely not secure. If your username, which is usually your email address, and password leak from one web service, every other service using the same combination is immediately compromised.

Am I at risk of a breached account?

It’s likely. Check this database to find out whether your accounts have been compromised in known breaches, such as LinkedIn, Adobe, Dropbox, and many, many more services. If you find your email or username in this list, you must change the password for every service where you use that username.

Next, enable two-factor authentication for all of the services that support 2FA. Typically, this is done by verifying your phone number with an SMS; the next time your username/password is used from a new environment, you will be sent a PIN code to verify your login. This prevents an attacker who has obtained your password from logging in.

I have security questions enabled, is my account secure?

The short answer is no. By default, two-factor authentication requires a separate device when logging in. Security questions are insecure and easy to guess through a simple Google search.

Common practices when building a service

The average Joe does not need to know about the dark places on the internet. It is the duty of service providers to protect their users. (quote me)

When building a service, you must pay attention to the registration flow, the login process, and password recovery. Each step has a separate focus, which I will explain below.

Registration

I’ll forgo the basics, such as storing hashed passwords and never logging plaintext passwords anywhere. Instead, I’ll discuss the user experience of the registration process in the context of 2FA. While your registration flow may vary, the information will apply to most.

Password strength indicator

Don’t underestimate the password just yet. Most people do not enable 2FA, so a good and secure password is still a must. You might be tempted to set a requirement for a lengthy password in the registration process, but note that this may frustrate users in the most sensitive part of customer acquisition.

Suggest enabling 2FA

Again, as with a lengthy, complex password, I suggest not to require 2FA setup in the registration process itself, but rather explain the need for this and suggest enabling it. Always note that the user can still do this later as well.  

Example Registration Flow:

Step 1: Regular account creation dialog.

Step 2: Suggest enabling 2FA right away, with more focus on enabling than skipping.

Login

After logging in with username and password, direct the user to the 2FA page. Depending on the 2FA setup, the user may have more than one verification method available: SMS-based PIN code, TOTP calculated from an app, encryption key, etc.

Always support SMS failover

There are many options for 2FA, but SMS-based PIN codes are still the most common and should always be supported. There are several scenarios in which users have no data connection, or the app is no longer supported.

Support 2FA via Authentication App

There are two basic methods to enable support for app-based authentication:

  • Generating QR codes and asking users to download the app, then scan the QR code.
  • Users download an app that is deeply integrated with the service.

My preferred method is using an application, like Verigator, that is integrated with the online service, provides SMS as a backup, and offers a more convenient login than push notifications. Everything works like magic, and this method eliminates the need to scan QR codes.

Regularly check the 2FA status

For users that have not enabled 2FA, suggest that they turn it on about once a month. If 2FA is enabled, remind users to validate their phone number regularly. When a user's phone number changes, SMS-based PIN codes cease to be delivered, but app-based 2FA will continue to work, if the service supports it.

Password recovery

It’s tricky and often overlooked. Always ask users to authenticate via 2FA when they indicate they’d like to reset their password (usually through a unique link sent to an email address). If you don’t, the user (or an attacker) is able to log in after resetting the password, skipping 2FA completely.

Secure your two-factor authentication login process

Even top-notch players like Google, Facebook, and LinkedIn have had bugs that allowed bypassing 2FA in their login process. Avoiding voice calls for 2FA seems like a good idea as well. SMS is also vulnerable, so an app that supports TOTP is one of the most secure options for 2FA at this point.

Example Login Flow:

Step 1: Regular login with username/password.
Step 2a: Use app-based login when the user has it set up, with a fallback option to SMS.
Step 2b: If SMS is used, suggest downloading the app, with links to the Apple App Store and Google Play Store.

TL;DR

Setting up 2FA for your service may not be as simple as it seems. If implemented incorrectly, you create a potential security threat, rather than making a more secure login.

Jaanus Rõõmus - CTO

Jaanus is co-founder and CTO of Messente and makes sure its wheels keep spinning and Messente always has a full tank of fuel.