In the last two years, two-factor authentication downloads have seen a whopping 320% increase, according to the developer service npm. Consumer demand for 2FA is skyrocketing, but a quick look at twofactorauth.org shows that only half of the 1,000 most popular websites have implemented 2FA.
What is the reasoning behind the slow adoption of 2FA? The fault lies on two ends: consumers are typically not aware of 2FA, or at least only realize they should be using it after their account has been breached, and websites are failing to provide a seamless 2FA user experience and encouragement to opt-in.
Another reason 2FA adoption by consumers has been delayed is the 30-year-old clunky method of getting a code via SMS/authenticator app and having to retype it during login. This less-than-ideal experience has been met with resistance from users, and therefore applications tend not to enable it by default. Yet consumers are asking for better account security, so now is the time for the implementation of 2FA to shift from reactive to proactive.
For consumers looking for an easier-to-use login experience, there is a solution: push authentication. This approach is a vast improvement over sending a one-time passcode via SMS and is truly the most secure method of 2FA. Organizations like money transfer service Transferwise have implemented push authentication to protect cross-border money transfers, while digital currency exchange Gemini has implemented push authentication to protect high-value cryptocurrency wallets.
These are just two examples of how push authentication is gaining traction in online finance and cryptocurrency companies, due to the high risk involved and the need for fast and secure transactions. Of course, organizations like Yahoo, Google, Microsoft, and most recently Salesforce, have implemented push authentication, and it’s time other organizations and consumers get on board with ushering in this new era of secure online identity.
First and foremost, the experience for push authentication is very simple. When logging in, a notification is sent to the trusted devices (either mobile or desktop) associated with the user account. Responding to this notification, the user is presented with a simple “accept” or “deny” message to allow or prevent the login. Accompanying this action is information about where the request is coming from, such as the location, browser type or device type. This information provides quick confidence in allowing a request, or useful data when deciding to deny a request unfamiliar to the legitimate user.
Push authentication also leverages the latest in security techniques, unlike SMS, where the message is unencrypted by default. Instead, push authentication implements end-to-end encrypted communications between the application and a secured authentication service.
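The accept/deny exchange described above, as an added example that is not code from the article or from Twilio: the server issues a one-time challenge carrying the login context, the trusted device returns the user's decision bound to that challenge, and the server accepts only a fresh, unused, device-authenticated "accept". It assumes a hypothetical per-device secret shared at enrollment (an HMAC stands in for the encrypted channel to the authentication service) and a hypothetical in-memory challenge store.

```python
import hashlib
import hmac
import secrets

# Constructed per-device secrets, shared at enrollment (hypothetical store).
DEVICE_KEYS = {"phone-1": b"constructed-32-byte-device-secret!!"}
PENDING = {}          # challenge id -> challenge, kept server side
CHALLENGE_TTL = 60    # seconds a push prompt stays answerable


def create_challenge(user, device_id, context, now):
    """Server: issue a one-time challenge that carries the login context
    (location, browser, device type) the trusted device will display."""
    if device_id not in DEVICE_KEYS:
        raise KeyError("device not enrolled")
    challenge = {
        "id": secrets.token_hex(16), "user": user, "device": device_id,
        "context": context, "expires": now + CHALLENGE_TTL,
    }
    PENDING[challenge["id"]] = challenge
    return challenge


def _mac(device_id, challenge_id, decision):
    # Binds the decision to one specific challenge under the device key.
    msg = f"{challenge_id}:{decision}".encode()
    return hmac.new(DEVICE_KEYS[device_id], msg, hashlib.sha256).hexdigest()


def device_respond(device_id, challenge, decision):
    """Trusted device: the user taps accept or deny after seeing the context."""
    return {"id": challenge["id"], "device": device_id, "decision": decision,
            "sig": _mac(device_id, challenge["id"], decision)}


def verify_response(resp, now):
    """Server: allow the login only for a fresh, unused challenge whose
    decision was authenticated by the enrolled device."""
    challenge = PENDING.pop(resp["id"], None)   # one-shot: a replay finds nothing
    if challenge is None or challenge["device"] != resp["device"]:
        return False
    if now > challenge["expires"]:
        return False                            # prompt answered too late
    expected = _mac(resp["device"], resp["id"], resp["decision"])
    if not hmac.compare_digest(expected, resp["sig"]):
        return False                            # decision was tampered with
    return resp["decision"] == "accept"
```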
It’s clear that increased adoption of push authentication would improve the user experience and therefore incline developers to make 2FA mandatory, not just optional. This would ultimately make strong security a standard for all online accounts. Push authentication also goes beyond the standard use of 2FA. Consider the example of Gemini, which uses push authentication to protect the withdrawal of cryptocurrency. And tech giants like Google and Yahoo have implemented passwordless logins, where a response to a request on a trusted device is all that’s needed at login time.
For more knowledge on this topic, tune in to our upcoming webcast, 12 Ways to Defeat Two-Factor Authentication.
Push authentication isn’t going to revolutionize security on its own; developers need to take matters into their own hands by first educating users about this easy 2FA and potentially password-free authentication method. While push authentication may be the best way to implement 2FA, if users don’t understand account security it will be harder to introduce them to new features.
There are a few other steps to consider if you want to “push” push authentication:
It’s clear push authentication is the way forward, as shown by Google, Microsoft and others. Consumers today are more aware of security than ever before, so instead of waiting for push authentication to be ubiquitous, you can significantly increase consumer trust in your business by leading the way.
You have two main choices for how to add this type of authentication to your application. Either allow users to log in with a Google or Yahoo account (and hope the users themselves have switched on this type of authentication). With these options in mind, companies and their respective developers can ensure that push authentication becomes the preferred method of authentication.
This is a contributed article by Twilio's Director of Product Simon Thorpe.