What You Need To Know About Two Factor Authentication


It’s a procedure that dates back to the dawn of civilization. Secret organizations use it to weed out imposters. Kids use it when playing spy-themed games at the playground. And grocery stores use it before letting you bring home the milk and eggs. Two-factor authentication (2FA) is as effective as it is simple. Here’s what mobile app developers need to know about it.

What Is Two-Factor Authentication?

2FA is just what its name implies: a form of identity confirmation that requires two pieces of evidence, taken from two different categories. The usual categories are something the person knows (a password, PIN or passphrase), something the person has (a mobile phone, a hardware token, a chip card) and something the person is (a fingerprint or face). Requiring two categories is the whole point: an attacker who steals the password does not also hold the phone, and a thief who takes the phone does not also know the password. A zip code, birth date or the name of a pet is a second piece of knowledge, not a second factor, and is usually guessable or discoverable, so it adds little. In the app realm, if you are logging into a familiar account (like Google, Facebook or Twitter) from a device that the site does not recognize, it will typically send an SMS with a one-time code to your phone number or ask for a code from an authenticator app; some sites still fall back to security questions, which is the weaker option.

Who Uses Two-Factor Authentication?

Everyone and their grandma. Well, maybe not, but most people run into some form of 2FA almost every day. For example, a chip-and-PIN card payment combines something you have (the card) with something you know (the PIN), and many banks send a one-time code to the customer's phone before allowing an online login or a transfer. The set of security questions some banks still ask is a second knowledge check rather than a second factor. Other places that use 2FA include:

  • Most retail stores
  • Financial institutions
  • Gas stations
  • A growing number of websites and apps, especially social sites

Why Use Two-Factor Authentication?

While a username and password might seem secure enough, they are routinely compromised by phishing, credential stuffing with passwords reused from other breached sites, spyware and keylogging programs. This is especially true for mobile users who type personal information into third-party apps every day, often over untrusted public networks. The last thing app developers want is for their customers’ sensitive data to fall into the wrong hands.

In the realm of app security, it’s easy to tell where a phone is being used and what network it’s on, but impossible to determine whose thumbs are tapping away at the screen. Lost and stolen phones are about as rare as pigeons in New York City. With 2FA, a thief who has a user’s phone must also know the user’s password before doing damage, and an attacker who phishes the password still needs the phone. One caveat: if the app saves the password on the device and delivers the second factor to that same device (an SMS code or an authenticator app), a stolen, unlocked phone holds both factors, so the device lock and the decision not to remember credentials matter. While much of this burden of protection depends on what customers store in their phones, app developers must do their part to reduce this risk.

How Effective Is Two-Factor Authentication?

It’s by no means foolproof, but 2FA adds a layer of security that makes it much harder for thieves to go about their business. It adds a simple step to the login process, and if done right, costs very little for app developers to implement. However, like cereal, 2FA comes in many varieties.

2FA traditionally comes in the form of physical authentication tokens. These key fobs display a single-use password that the user types in alongside a valid username and password. The code is derived from a secret stored inside the token and either a counter (HOTP, RFC 4226) or the current time (TOTP, RFC 6238), so a code that is intercepted is useless once it has been used or has expired. Sounds cool, but these keyfobs can cost well over $100 apiece, and many companies get headaches with distributing, tracking, and replacing them. Customers aren’t too thrilled with them, either. The same algorithms run in a free authenticator app on the user's phone, which is why software one-time codes have become the common choice for consumer apps.

Jim Fenton, CSO of password management firm OneID, stated that while 2FA makes hackers’ jobs more difficult, savvy hackers can also use it to their advantage.

Should App Developers Use Two-Factor Authentication?

A better question is “how should app developers use 2FA?” Nobody wants to buy a clunky device that can easily break or be stolen. And most developers don’t have a vault of cash to spend on app security.

Requiring a PIN or answers to security questions is the cheap option, but a PIN or security answer added to a password is a second piece of knowledge, not a second factor: it is exposed to the same phishing and keylogging attacks as the password. A one-time code from an authenticator app, or sent to the user's phone, is the low-cost option that actually adds a second category. Fingerprint verification, recently introduced into the mobile sphere, adds a third category (something the user is). The technology is young, but it has potential. Generally, the more advanced a technology, the more it costs to adopt. It’s certainly much harder for a hacker to steal a thumb than a PIN, with two caveats: a fingerprint can be lifted from a surface and copied, and unlike a PIN it cannot be changed once compromised, so it is best used to unlock a secret held on the device rather than as the only factor.

Edgar L