Enhance the security of your mobile and web-based applications

Thursday, August 15th, 2019

Gisela VilaBack to blogs >

Did you know that the average user visits 25 password protected sites, but uses only 6 passwords? In fact, 73% of people use the same password across multiple websites, and 33% use it in every site.

Two factor authentication (2FA), also known as two-step verification, is a security process in which the user provides two different authentication factors to protect both the user's credentials and the resources the user can have access in a more effective way.

However, using two factors from the same category doesn't make it 2FA; for instance, providing a password and a security question is still considered single factor authentication, as both are part of knowledge category. 2FA adds an extra level of security to prevent unauthorized access, for example, by requiring a user to have a physical element, such as a phone, in addition to their user name and password.

Passwords demand high security protection from multiple internal threats, meaning any stored piece of paper with login credentials, old hard drives or social-engineering exploits. From a business point of view, you should also be aware of any external threat, such as hackers using brute-force cracking (trial and error method used by application programs to decode encrypted data) or dictionary attacks (method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password).

Which authentication factors should you consider?

As we have mentioned before, the 2FA uses two factors from different categories. We have listed the top authentication factors in order of adoption for computer:

1. Knowledge factor: is the common authentication factor, such as a password, a PIN or some other type of shared secret that only the user knows.

2. Possession factor: refers to something the user has, such as a smartphone or an ID card.

3. Inherence factor: involve the user's physical self, including personal attributes mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader, also facial or voice recognition.

4. Location factor: restricts user authentication by the location from which an authentication attempt is being made. Location factor can also limit the number of attempts to a specific device in a particular location, based on the source IP address or some geolocation information.

5. Time factor: regulates user authentication to a specific time period in which logging on is allowed, not authorising access to the system outside that time slot.

Temovi Secure-2FA

Temovi Secure-2FA eliminates the barriers to adoption, providing a comprehensive and cost-effective cloud-based solution that is easily integrated into web sites and mobile applications (iOS and Android).

Secure-2FA provides several Application-to-Person (A2P) mechanisms to deliver a one-time-passcode (OTP):

• Flash Call: a phone call is placed with the authentication code embedded in the Caller ID sent to the user's phone. The user doesn't need to answer the call so there is no cost associated with the call (nor the cost of a text/SMS). The user just enters the last digits of the Caller ID into the application
• SMS/Text: a text message is delivered to the user with an authentication code to enter into the application
• IVR Call: a call is sent to the user's phone with an automatic voice message that includes the code. This method is typically used to enable land lines or legacy feature phones (non-smartphones) to act as authentication devices. On Android devices, the application can retrieve the code automatically without user intervention.

Temovi Secure-2FA does all the heavy lifting, using simple APIs. Your application requests Secure-2FA to deliver the authentication code via one of the methods above. Once the user enters the code, your Secure-2FA verifies it with the Temovi cloud. Temovi Secure-2FA provides verification (or failure) to your application, assuring that valid users are fully authenticated.