Growth & Marketing
October 25, 2020
March 31, 2021
Multi-factor verification systems are meant to be a second layer of security that complements passwords. In a context where most platforms use the combination of email and password as their main identification system, additional security methods need to be implemented in order to tackle identity-based attacks.
Passwords have proven to be ineffective in terms of security, both because of poor choices by the user and because of the vulnerability of password databases at companies. Hence, the use of additional layers of security, such as one-time passwords, cross-device authentication or magic links, is highly advisable.
Multi-factor verification processes have many applications in the real world. They can be used to tackle different issues, at different stages of the user experience, and be implemented with different methods. Today, we explore all of these with real-life examples, extracted from companies that take their security very seriously.
The Google Authenticator service is widely used among many companies. You’ve probably seen it before: when trying to log in to a platform from a new device, you are presented with the following screen:
This prompts you to go to your mobile device and tap the pop-up screen in order to access the platform. Sometimes, you will be asked to tap the number that appears on the first device, so that when they match you are given permission to enter.
When it’s triggered: the second step of verification takes place based on user location, login frequency, and login device. When one of these rules fails or when an unusual pattern is recognized, users will be prompted to verify their identity.
Verification factors: what the user knows, what the user has, where or when the user is. Many different verification factors are involved: passwords, codes, access to a phone device, and location are some of them.
User experience: adding a second layer of security always implies a certain level of friction. In this case it is well tackled, since tapping a button with a code is easier than typing the code in.
Security level: high. A complementary verification system ensures that a stolen password alone is not enough to get in.
Twitch is a content platform where users can broadcast their own content. While its registration process doesn’t require verification and relies on the combination of email and password, multi-factor authentication enters the scene when the user wants to start broadcasting.
This use of a multi-factor authentication system smartly ensures a smooth registration process, which is key to obtaining good signup rates, and it doesn’t negatively affect the user experience. Still, security is ensured: in the event of an account takeover, the attacker wouldn’t be able to execute any harmful actions or access information.
In this case, the second factor of authentication is the verification of the phone number. Users need to enter their phone number and receive a one-time code that verifies their identity.
When it’s triggered: multi-factor authentication is executed right before the main action can be carried out. If a user account got hacked, only inconsequential actions could be done.
Verification factors: what the user knows, what the user has. This security system combines email and password with the code received by the user.
User experience: the second step of this multi-factor auth system only takes place when the user wants to broadcast, so the user experience is not interrupted during the registration process, nor while watching other users broadcast.
Security level: high. In the unlikely event of an account being hacked, no malicious activity can be executed. It’s (nearly) impossible to access the users’ data or impersonate a user.
Tinder is a dating app where users can display their profile to match other users, start conversations and potentially date. Accessing an account without the permission of the user has some obvious drawbacks.
The registration process requires phone verification: a one-time code is sent to the user’s mobile phone when the user signs up for the first time. Passwords are not required in order to create an account or log in. But, apart from the phone verification process, other MFA systems are carried out as well.
When a user stops using Tinder and attempts to log in after a while, two verification processes take place. First, the user receives a code on their mobile phone. After this one is verified, the user also needs to verify their email address with a different one-time code.
When it’s triggered: multi-factor verification is present in two different stages of the user experience. On the one hand, users need to verify their email address and phone number when they sign up. On the other hand, users also need to verify their account once more if they start using the app again after a while.
Verification factors: what the user has, where or when the user is. Several verification systems are implemented here, the main one being phone verification via OTP, plus email verification when location or login frequency are suspicious.
User experience: having so many verification layers can be frustrating for some users. The lapse of time that triggers the MFA is not clear, but we’re sure Tinder has its own data-driven rules for triggering this security measure.
Security level: very high. While other MFA systems can be vulnerable if the user’s phone gets hacked too, this method includes two different channels for verification, email and phone, so the odds of a successful takeover get lower and lower. Plus, getting rid of passwords is always a good idea in our view.
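The returning-user flow described above (phone code first, then a separate email code) is easy to get subtly wrong on the server side. The following is an added example, not Tinder’s or Arengu’s code, of how such a two-stage one-time-code check can be implemented: each code is random, stored only as a salted hash, expires, is single-use, is compared in constant time, and locks after a few wrong guesses. The five-minute lifetime, the five-attempt limit and the `send` callback are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict

# Assumed policy values (not from the article): a code lives five minutes
# and is locked after five wrong guesses.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class OtpChallenge:
    """One pending one-time code sent over a single channel (sms or email)."""

    def __init__(self, channel: str, destination: str, now: float):
        self.channel = channel
        self.destination = destination
        self.issued_at = now
        self.attempts = 0
        self.verified = False
        # The plaintext code is handed to the sender once; only a salted
        # hash stays server-side, so a leaked table exposes no live codes.
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.salt = secrets.token_bytes(16)
        self.code_hash = _hash_code(self.code, self.salt)

    def verify(self, submitted: str, now: float) -> str:
        """Return 'ok', or the reason the submitted code was rejected."""
        if self.verified:
            return "already_used"
        if now - self.issued_at > CODE_TTL_SECONDS:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(_hash_code(submitted, self.salt), self.code_hash):
            self.verified = True
            return "ok"
        return "wrong"


class ReverificationFlow:
    """Phone code first, then email code; the second is only issued once the first passes."""

    ORDER = ("sms", "email")

    def __init__(self, phone: str, email: str, now: float,
                 send: Callable[[str, str, str], None]):
        self.destinations: Dict[str, str] = {"sms": phone, "email": email}
        self.send = send  # assumed out-of-band delivery hook (SMS/email gateway)
        self.stage = 0
        self.current = self._issue(now)

    def _issue(self, now: float) -> OtpChallenge:
        channel = self.ORDER[self.stage]
        challenge = OtpChallenge(channel, self.destinations[channel], now)
        self.send(channel, challenge.destination, challenge.code)
        return challenge

    def submit(self, code: str, now: float) -> str:
        """Return 'next_factor', 'complete', or the rejection reason."""
        if self.complete:
            return "already_complete"
        result = self.current.verify(code, now)
        if result != "ok":
            return result
        self.stage += 1
        if self.complete:
            return "complete"
        self.current = self._issue(now)
        return "next_factor"

    @property
    def complete(self) -> bool:
        return self.stage == len(self.ORDER)


if __name__ == "__main__":
    # Constructed demo: the 'sender' just prints what would go out of band.
    def demo_send(channel: str, dest: str, code: str) -> None:
        print(f"[{channel}] to {dest}: your code is {code}")

    flow = ReverificationFlow("+1-555-0100", "user@example.com", 0.0, demo_send)
    print(flow.submit(flow.current.code, 1.0))  # next_factor
    print(flow.submit(flow.current.code, 2.0))  # complete
```

Note that the email challenge does not exist until the phone challenge has passed, so an attacker who only controls the mailbox never sees a code, and a correct code submitted after expiry or after the attempt limit is still rejected.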
Banking and finance are the sectors where multi-factor verification is used the most. When big sums of money are at stake, the more verification methods the merrier. We’ll illustrate this use case with PayPal, but most online banks or payment platforms have similar flows.
PayPal is a widely known platform for online payments. It can be used to transfer money online or execute payments in an easy and secure way. PayPal’s identification system relies on the combination of email address and password, but the user needs to comply with several multi-factor authentication systems to start using their account. When creating an account, phone verification is the first step of the signup process. Later on, the user also needs to verify their email address.
Besides this, users can set up different security settings in their account settings, including 2-step verification, security questions, and more.
This is the flow used for signing in to PayPal, but other verification methods are used when suspicious activity is detected. For example, when two payments are executed with PayPal within a lapse of time of less than 30 minutes, verification via phone number is triggered.
When it’s triggered: PayPal’s registration flow includes several types of verification factors: phone verification, password setting, and email verification.
Besides this, different verification steps are triggered when suspicious logins take place. Normally, this verification step is a one-time password sent to the user’s phone.
Verification factors: what the user knows, what the user has, what the user is, where or when the user is. PayPal combines passwords, one-time codes, passport verification, photo verification, and additional systems based on location and frequency of the login attempt.
User experience: user experience is taken care of. Most of the security methods are optional and don’t interfere with the registration process. Plus, auto-login options are available for faster shopping.
Security level: very high. Several verification processes are implemented here, which ensures a top security level for users that doesn’t feel heavy on the user side. Plus, we’re sure PayPal has tons of verification processes behind the scenes that don’t interfere with the user experience and ensure a top security level.
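The four companies above trigger their second step on different signals: a new device or location (Google), a sensitive action such as starting a broadcast (Twitch), a return after a long period of inactivity (Tinder), and a second payment within 30 minutes (PayPal). As an added example that is not code from any of these companies or from Arengu, the policy evaluator below combines those signals into one decision, returning which extra factors a request must pass before the action is allowed. The 90-day inactivity lapse, the set of sensitive actions and the mapping from trigger to factor are assumptions of this example; only the 30-minute payment window comes from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Assumed thresholds: the article names the 30-minute payment window; the
# inactivity lapse and the list of sensitive actions are placeholders.
INACTIVITY_LAPSE = timedelta(days=90)
PAYMENT_VELOCITY_WINDOW = timedelta(minutes=30)
SENSITIVE_ACTIONS = {"start_broadcast", "send_payment", "change_email"}

# Which extra factor each trigger demands, loosely following the article's examples.
FACTOR_FOR_REASON = {
    "new_device": ["device_prompt"],        # Google-style tap-to-approve on a trusted device
    "new_location": ["sms_otp"],
    "inactive": ["sms_otp", "email_otp"],   # Tinder-style phone code, then email code
    "sensitive_action": ["sms_otp"],        # Twitch-style check before the main action
    "payment_velocity": ["sms_otp"],        # PayPal-style check on rapid repeat payments
}


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_login: Optional[datetime] = None
    recent_payments: List[datetime] = field(default_factory=list)


@dataclass
class Event:
    user_id: str
    at: datetime
    device_id: str
    country: str
    action: str  # "login" or one of SENSITIVE_ACTIONS


@dataclass
class Decision:
    step_up: bool
    reasons: List[str]
    factors: List[str]


def required_factors(event: Event, history: UserHistory) -> Decision:
    """Evaluate every trigger and collect the factors the request must pass."""
    reasons: List[str] = []
    if event.device_id not in history.known_devices:
        reasons.append("new_device")
    if event.country not in history.known_countries:
        reasons.append("new_location")
    if history.last_login is None or event.at - history.last_login > INACTIVITY_LAPSE:
        reasons.append("inactive")
    if event.action in SENSITIVE_ACTIONS:
        reasons.append("sensitive_action")
    if event.action == "send_payment":
        # Velocity rule: any earlier payment inside the window triggers phone OTP.
        recent = [t for t in history.recent_payments
                  if timedelta(0) <= event.at - t < PAYMENT_VELOCITY_WINDOW]
        if recent:
            reasons.append("payment_velocity")
    factors = sorted({f for r in reasons for f in FACTOR_FOR_REASON[r]})
    return Decision(step_up=bool(reasons), reasons=reasons, factors=factors)


def record_success(event: Event, history: UserHistory) -> None:
    """Once every required factor passed, remember device, location and timing."""
    history.known_devices.add(event.device_id)
    history.known_countries.add(event.country)
    history.last_login = event.at
    if event.action == "send_payment":
        history.recent_payments.append(event.at)


if __name__ == "__main__":
    # Constructed sample: a user known on one laptop in Spain, paying twice quickly.
    now = datetime(2021, 3, 1, 12, 0)
    history = UserHistory({"laptop"}, {"ES"}, now - timedelta(days=1), [])
    first = Event("u1", now - timedelta(minutes=10), "laptop", "ES", "send_payment")
    record_success(first, history)
    second = Event("u1", now, "laptop", "ES", "send_payment")
    print(required_factors(second, history))
```

A brand-new user has an empty history, so every trigger fires at signup and the decision asks for both phone and email verification, which matches the registration flows described for Tinder and PayPal; a routine login from a known device and country asks for nothing, which is what keeps the friction low.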
Multi-factor authentication systems have become old acquaintances for most of us. It is easy to run into one-time passwords on a daily basis. What most people don’t realize is at which stages of the user experience these MFA methods are triggered.
If you want to implement MFA in your flows as well, we recommend exploring the needs and issues of your user registration systems and which actions could cause a security breach. Identifying them will help you know what the best use case of a multi-factor verification system is for your users and your business.
Check Arengu out and easily implement different multi-factor verification processes at your preferred stage of the user journey. Personalize the flow to your needs without coding and start enhancing the security of your identity verification flows.