
Ian Blair

Two-Factor Authentication (2FA): How Secure Is It?

Two-factor authentication. Have you heard of it? Are you using it for your mobile app? Has it been used for one of your personal accounts?

Today, hacks and security breaches are becoming more and more common.

Anyone and everyone can be a potential target for hackers.

In fact, businesses are the target of 40% of these hacks. But only 51% of businesses actively monitor their security for their systems.

If you’ve launched a mobile app, then you have a business. So your company and your users are definitely a target.

It’s your responsibility to protect your information as well as your customers’ information.

These types of breaches are getting worse every year. Across the globe, there are nearly 2 billion cases of stolen information. That’s a 164% increase from 2016 to 2017.

While these numbers may sound shocking, they shouldn’t surprise you. How often do you hear about someone who had a fraudulent charge on their credit card? All of the time.

This may be something that you’re familiar with based on first-hand experience as well.

So how can you protect your customers? Two-factor authentication may be the answer.

What exactly is two-factor authentication? Simply put, it’s when access to privileged information requires two independent proofs of identity instead of one.

For example, think of your Google account. If you set up 2FA, whenever you log in from a new device, you’ll have to enter your password and then enter a token that Google texts you.


I want to discuss this concept in greater detail. That’s why I created this guide. I’ll tell you about the different factors used for two-factor authentication and I’ll let you know how secure it really is.

You can use this information to decide if you want to apply it to your mobile application.

Here’s what you need to know.

What factors are used?

Two-factor authentication isn’t a new concept. It’s been around for a while. With that said, it’s just starting to become more and more common when it comes to web-based platforms.

But you’ve probably been using 2FA since the day you opened up a checking account. Don’t think so?

Think about how you use an ATM. You have your debit card, which is one factor, and a PIN, which is the second factor.

But swiping or scanning a physical card isn’t really applicable or reasonable for our purposes with a mobile application.

So we use:

  • knowledge factors
  • possession factors
  • inherence factors

I’ll discuss these factors in greater detail so you have a better understanding of what I’m talking about.

Knowledge factors

Knowledge factors are pretty straightforward. You use these probably every day.

It’s something that the user knows, like a password or a secret. Any time you create a password, you’ll see a little prompt about what your password should include to make sure that it’s secure.


But not everyone likes including all of that information in a password. They think it’s too long to type or too hard to remember.

So lots of people just use a simple password and it’s the same password for all of their accounts.

This isn’t the best idea but it’s something that you need to keep in mind as an app owner. Here’s why.

Your system may be secure. But if one of your users has their password stolen from someone else’s platform, the attacker can use that password to access the same user’s account on your app. That’s assuming the user has the same password for both, which is very possible.

That’s where 2FA would protect the user’s information if you had it enabled for your app. You could use another factor, such as a secret. I’m sure you’ve set these up for accounts before. Some popular examples include:

  • What is your mother’s maiden name?
  • What street did you grow up on?
  • What hospital were you born in?
  • What is the name of your first pet?
  • What is the make or model of your first car?

You get the idea.

The problem with this is that some of these “secrets” may be public information. If someone really wants to steal someone’s information, it won’t be too hard to find out where they were born, their mother’s maiden name, or what street they grew up on.

But either way, it’s still two factors. Hackers may be put off by this and just move on to someone else who’s easier to hack.

Possession factors

A possession factor is similar to what I talked about earlier with the example of an ATM card. It’s something that the user has.

One of the most common ways that companies use possession as one of the factors for 2FA is with a cell phone. When you set up an account, they’ll ask for your cell phone number.

They’ll send you a code to verify that it’s you. I’m sure you know what these messages look like, but here’s an example of one from Twitter.


The code is completely random. It has no significance to the user and it’s not something that they need to remember. They’ll simply use it to log in and move on.

There could be some flaws in this system as well that could prevent the user from accessing their own account.

For example, while it seems like everyone has their phones glued to their hands at all times, there are some cases where your phone could have been left at home, forgotten in the car, or had the battery die.

In these cases, users wouldn’t be able to access their account without their phones.

There are mobile apps out there that support this type of 2FA. One example of this is Google Authenticator.

I already discussed how Google uses two-factor authentication for your Google account, but this application lets you set up 2FA for other accounts as well.

There’s definitely a market for this type of app, so you may want to consider just having two-factor authentication built directly into your app. That way your users won’t have to go to a third party for the extra security.
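If you do build the possession factor directly into your own app, the codes Google Authenticator generates follow the open TOTP standard (RFC 6238, built on HOTP, RFC 4226), so your server can verify them without any third-party service. The following is an added example, not code from the original post or from BuildFire; the function names are my own, and it assumes the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits) and a server that stores a per-user base32 secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Hypothetical helpers for a server-side possession factor (added example).

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(key, at // step, digits)

def verify_totp(key: bytes, submitted: str, at: int, last_used_step: int = -1,
                window: int = 1, step: int = 30):
    """Return the accepted time step, or None if the code is rejected.

    Accepts the current step and +/- `window` neighbours (phone clock drift),
    compares in constant time, and refuses any step at or before
    `last_used_step` so a code that was intercepted cannot be replayed.
    The caller must persist the returned step as the new last_used_step.
    """
    now_step = at // step
    for delta in range(-window, window + 1):
        candidate = now_step + delta
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, candidate), submitted):
            return candidate
    return None

def new_secret() -> str:
    """20 random bytes (160 bits), base32-encoded as the authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Key URI shown as a QR code at enrolment (otpauth://totp/... format)."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
```

The expected values in the test are the RFC 4226/6238 reference vectors for the ASCII key "12345678901234567890"; the secret you issue in production comes from `new_secret()` and must be stored as carefully as a password hash, since anyone holding it can generate valid codes.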

Another type of 2FA possession factor is a physical hardware token. An example of this is a YubiKey.


They come in all different shapes and sizes, depending on what kind of device you’re going to use it for.

You insert your key into something like the USB port of a particular device, and then you enter your password.

This is definitely much more similar to the ATM example. However, these keys can get lost or stolen.

It’s also not practical for you to assume that the users of your mobile app have something like this, so it can’t be the standard 2FA that you set up for your app.

Instead, it’s something that you could use personally or for your business accounts.

Inherence factors

Inherence factors include biometrics. It’s not a new concept, but it’s newer for something like a mobile app.

This encompasses things such as:

  • facial recognition
  • fingerprints
  • voice recognition
  • iris scans
  • ear shape

Biometrics are starting to grow in popularity. Apple has even applied this technology as a way for users to unlock their newest smartphones.


While facial recognition isn’t on every device, Touch ID (fingerprint recognition) has been used to unlock Apple devices for the past several years.

You’ve probably seen movies or television shows where government employees or secret agents use facial recognition software or fingerprint scanning to access secure areas of a building. Did you ever think that this technology would land in the palms of your hands?

The problem with biometrics is that you can’t fix it once it’s been breached.

For example, if someone has access to a user’s fingerprints and they are using it to hack their accounts, the user can’t just create a new fingerprint like they can with a password.

How secure?

Two-factor authentication definitely makes things more secure.

Instead of hackers having to find one piece of information about a user, their workload has just doubled.

With that said, nothing is perfect. Accounts can still get breached if you have two-factor authentication enabled.

You’ve also got to take human error into consideration here.

You may have employees working for your app that could be careless with important information that makes your business more susceptible to a breach.

The future of two-factor authentication might move on to fingerprints and other forms of biometrics. This is definitely more secure than something like a password or a secret.

However, these are complicated and expensive forms of technology.

Your company may not have the means to apply something like this to your mobile app. It’s going to require a lot of capital and extra resources if you want to use biometrics to secure all of your users’ information.

So for now, I’d stick to the basics like knowledge factors and possession factors.

Conclusion

Two-factor authentication is important these days.

People are getting hacked more and more often.

As a mobile app developer, you’ve got to take this information into consideration when you’re trying to figure out how to secure the information of your customers.

You also want to make sure all of your company information is secure as well.

Since security is important to people, implementing two-factor authentication in your app will make them feel more comfortable about using it, depending on the nature of your app.

How secure do you think someone would feel if they didn’t need a password to access their mobile banking app? I’m willing to bet that people wouldn’t use it.

If you’re building a simple app like a children’s game or a utility such as a calculator or flashlight, it’s probably not necessary for you to use 2FA.

But it’s still important for you to stay informed and educated about the latest technology trends in your industry.

How secure is your two-factor authentication process?

BuildFire Co-Founder. I'm a digital marketer by trade and an entrepreneur at heart. I'm here to help businesses go mobile and build apps more efficiently than before.