Implementing 2FA the right way and more
Do you use the same password for multiple online services? I know I did. I also used to have a list of about five passwords with various complexity, which were used depending on the service. Then, I changed my behavior.
Using the same password (or pool of passwords) is definitely not secure. If your password and username, which is usually your email address, leak from one web service, all other services using the same combination are immediately compromised.
Am I at risk of a breached account?
It’s likely. Check this database to find out if your accounts from known hacks, like LinkedIn, Adobe, DropBox, and many, many more services, have been compromised. If you find your email or username in this list, you must change the password for each service where you used the corresponding username.
Next, enable Two-Factor Authentication for all of the services that support 2FA. Typically, this is done by verifying your phone number with an SMS; the next time your username/password is used in a new environment, you are sent a PIN code to verify your login. This means an attacker who obtains your password still cannot log in.
I have security questions enabled, is my account secure?
The short answer is, no. By default, two-factor authentication requires a separate device when logging in. Security questions are insecure, and easy to guess through a simple Google search.
Common practices when building a service
The average Joe does not need to know about the dark places on the internet. It is the duty of service providers to protect their users. (quote me)
When building a service, you must pay attention to the registration flow, the login process, and password recovery. There’s a separate focus for each step, which I will explain further below.
I’ll forgo the basics, like storing hashed passwords rather than logging plaintext passwords anywhere. Instead, I’ll discuss the user experience of the registration process in the context of 2FA. While your registration flow may vary, the information will apply to most.
Password strength indicator
Don’t underestimate the password just yet. Most people do not enable 2FA, so a good and secure password is still a must. You might be tempted to set a requirement for a lengthy password in the registration process, but note that this may frustrate users in the most sensitive part of customer acquisition.
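As an added example (not code from the original post), here is a small password strength indicator of the kind a registration form can run live: it estimates entropy from length and character classes, penalises keyboard sequences and repeated characters, and rejects anything found in a leaked-password list. The list, the thresholds and the penalties are assumptions chosen for illustration, not values from the post.

```python
import math
import re

# Constructed sample of commonly leaked passwords; a real service would load a
# large breach corpus here (assumption: this short set is only illustrative).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def _charset_size(pw: str) -> int:
    """Size of the alphabet the password appears to draw from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeat(pw: str, run: int = 3) -> bool:
    """True if any character is repeated `run` or more times in a row (aaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def estimate_bits(pw: str) -> float:
    """Naive entropy estimate: length * log2(alphabet size)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(_charset_size(pw))


def password_strength(pw: str) -> dict:
    """Return a 0-4 score plus human-readable reasons for a live indicator."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        return {"score": 0, "bits": 0.0, "reasons": ["appears in leaked-password list"]}
    bits = estimate_bits(pw)
    if _has_sequence(pw):
        bits -= 10  # assumed penalty: sequences are cheap for crackers to guess
        reasons.append("contains a sequence like abcd or 1234")
    if _has_repeat(pw):
        bits -= 10  # assumed penalty: repeats add little real entropy
        reasons.append("contains repeated characters")
    bits = max(bits, 0.0)
    for threshold, score in ((28, 0), (36, 1), (60, 2), (80, 3)):  # assumed bands
        if bits < threshold:
            break
    else:
        score = 4
    return {"score": score, "bits": round(bits, 1), "reasons": reasons}
```

The score is meant to drive a colour bar, not to block registration: the post's point is that a hard length requirement frustrates users at sign-up, so the indicator nudges toward a long passphrase (which scores 4 here) while still accepting weaker choices.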
Suggest enabling 2FA
Again, as with a lengthy, complex password, I suggest not requiring 2FA setup in the registration process itself, but rather explaining the need for it and suggesting that the user enable it. Always note that the user can still do this later as well.
Example Registration Flow:
Step 1: Regular account creation dialog.
Step 2: Suggest enabling 2FA right away, with more focus on enabling than skipping.
After logging in with username and password, direct the user to the 2FA page. Depending on the 2FA setup, the user may have more than one verification method available: SMS-based PIN code, TOTP calculated from an app, encryption key, etc.
Always support SMS failover
There are many options for 2FA, but SMS-based PIN codes are still the most common and should always be supported. There are several scenarios where users have no data connection, or where the app is no longer supported.
Support 2FA via Authentication App
There are two basic methods to enable support for app-based authentication:
- Generating QR codes and asking users to download the app, then scan the QR code.
- Users download an app that is deeply integrated with the service.
My preferred method is using an application, like Verigator, that is integrated with the online service, provides SMS as a backup, and is a more convenient login than push notifications. Everything works like magic, and this method eliminates the need to scan QR codes.
Regularly check the 2FA status
For users who have not enabled 2FA, suggest that they turn it on about once a month. If 2FA is enabled, remind users to validate their phone number regularly. When a user's phone number changes, SMS-based PIN codes cease to be delivered, but app-based 2FA will continue to work, if the service supports it.
Password recovery is tricky and often overlooked. Always ask users to authenticate via 2FA when they indicate they’d like to reset their password (usually through a unique link sent to an email address). If you don’t, the user (or a hacker) is able to log in after resetting the password, skipping 2FA completely.
Secure your two-factor authentication login process
Even top-notch players like Google, Facebook, and LinkedIn have had bugs that allow bypassing 2FA in their login process. It seems like avoiding voice calls for 2FA is a good thing to do as well. SMS is vulnerable too, so using an app that supports TOTP is one of the most secure options for 2FA at this point.
Example Login Flow:
Step 1: Regular login with username/password.
Step 2a: Use app-based login when the user has it set up, with a fallback option to SMS.
Step 2b: If SMS is used, suggest downloading the app, with links to the Apple App Store and Google Play Store.
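The login flow above and the password-recovery rule earlier (an e-mailed reset link must not bypass 2FA) are easiest to get right when both paths share one second-factor step. The following is an added example, not code from the post or any real service: a minimal `AuthService` in which step 1 only produces a `Pending` state, step 2 prefers the app and falls back to a hashed, single-use, expiring SMS PIN, and `finish_reset` refuses to set a new password until the same second factor has been passed. The app check is injected as a callback so any verifier (for instance a TOTP check) can be plugged in; the PIN and reset lifetimes, PBKDF2 for password hashing, and the in-memory stores are all assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

PIN_TTL = 300     # assumed policy: SMS PIN valid for 5 minutes
RESET_TTL = 900   # assumed policy: reset link valid for 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; argon2/bcrypt are the usual production choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    phone_verified: bool = False      # SMS fallback only works with a verified number
    app_enrolled: bool = False        # app-based 2FA (TOTP or an integrated app)
    pin_hash: Optional[bytes] = None  # hash of the SMS PIN currently outstanding
    pin_expires: float = 0.0

    @property
    def has_2fa(self) -> bool:
        return self.phone_verified or self.app_enrolled


@dataclass
class Pending:
    """A login or reset that passed step 1 but not yet the second factor."""
    user: User
    purpose: str            # "login" or "reset"
    method: str             # "app", "sms" or "none"
    expires: float
    suggest_app: bool = False  # UX hint for step 2b: SMS used although the app would be better


class AuthService:
    def __init__(self, app_verifier: Callable[[User, str], bool], now=time.time):
        self.users: dict[str, User] = {}
        self.reset_tokens: dict[str, Pending] = {}
        self.app_verifier = app_verifier  # hypothetical callback, e.g. a TOTP check
        self.now = now

    def register(self, username, password, phone_verified=False, app_enrolled=False) -> User:
        salt = secrets.token_bytes(16)
        user = User(username, salt, hash_password(password, salt), phone_verified, app_enrolled)
        self.users[username] = user
        return user

    def _second_factor(self, user: User, purpose: str, ttl: float) -> Pending:
        method = "app" if user.app_enrolled else "sms" if user.phone_verified else "none"
        return Pending(user, purpose, method, self.now() + ttl, suggest_app=(method == "sms"))

    # Step 1: username/password. This never authenticates on its own when 2FA is enabled.
    def login(self, username: str, password: str) -> Optional[Pending]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
                hash_password(password, user.salt), user.password_hash):
            return None
        return self._second_factor(user, "login", PIN_TTL)

    # SMS fallback: generate a PIN, store only its hash, hand the PIN to the SMS gateway.
    def send_sms_pin(self, pending: Pending) -> str:
        if not pending.user.phone_verified:
            raise PermissionError("no verified phone number on file")
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        pending.user.pin_hash = hashlib.sha256(pin.encode()).digest()
        pending.user.pin_expires = self.now() + PIN_TTL
        pending.method = "sms"
        return pin  # a real service sends this to the SMS gateway, not back to the caller

    # Step 2: shared by login and password reset.
    def complete_2fa(self, pending: Pending, code: str) -> bool:
        user = pending.user
        if pending.method == "none":
            return True  # user never enabled 2FA; the UI should nudge them to
        if self.now() > pending.expires:
            return False
        if pending.method == "app":
            return self.app_verifier(user, code)
        if user.pin_hash is None or self.now() > user.pin_expires:
            return False
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), user.pin_hash)
        user.pin_hash = None  # single use, whether or not it matched
        return ok

    # Password recovery: the e-mailed link alone is never enough when 2FA is enabled.
    def start_reset(self, username: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None:
            return None  # respond identically to the caller to avoid user enumeration
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = self._second_factor(user, "reset", RESET_TTL)
        return token  # would be e-mailed, not returned, in a real service

    def finish_reset(self, token: str, code: Optional[str], new_password: str) -> bool:
        pending = self.reset_tokens.pop(token, None)
        if pending is None or self.now() > pending.expires:
            return False
        if pending.user.has_2fa and not self.complete_2fa(pending, code or ""):
            return False  # without this check the reset link bypasses 2FA entirely
        pending.user.salt = secrets.token_bytes(16)
        pending.user.password_hash = hash_password(new_password, pending.user.salt)
        return True
```

Two details are worth copying even if the rest is replaced: the SMS PIN is stored only as a hash and cleared after a single comparison, and `finish_reset` routes through the same `complete_2fa` as login, so there is no second code path that can drift out of sync and quietly skip the second factor.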
Setting up 2FA for your service may not be as simple as it seems. If implemented incorrectly, you create a potential security threat, rather than making a more secure login.