Guides & tutorials
Multi-factor authentication is one of the most widely used controls for securing online accounts. It helps prevent identity theft, data theft, automated attacks, fraud and account takeovers, among many other threats.
Simply by combining at least two authentication factors of different kinds, you make your forms far more resistant to many types of malicious action: an attacker who steals one factor (a password, say) still cannot get in without the second.
Still today, most online sites rely on the combination of email and password to authenticate their users. This method is weak on its own (passwords get reused, phished and leaked in breaches) and becomes much stronger when MFA enters the scene. In this guide we cover the MFA methods you can implement in your business flows and the stages at which you should apply them, so that you protect your users without adding needless friction.
First things first: what is multi-factor authentication? Multi-factor authentication (MFA) is an authentication approach that combines at least two different kinds of authentication factors, checked through different methods or devices, to prove the identity of the person behind a login or sign-up attempt.
Depending on the nature of the verification system, factors are usually grouped into three types: something the user knows (a password or PIN), something the user has (a phone, a hardware key or an authenticator app) and something the user is (a fingerprint or face scan). Combining two factors of the same type, such as a password and a security question, does not count as MFA.
Combining identity verification methods of different kinds means that a single compromise, such as a leaked password, is no longer enough to break the identification process; the attacker must defeat two independent factors.
Any authentication method you can think of can be a part of an MFA system. Here, we explain some of the most popular authentication methods used in MFA that you can easily implement in your Arengu flows without coding.
One-time passwords (OTPs) are unique codes, typically 4 to 10 characters long, that are sent to the user in order to verify their identity. Most commonly, one-time passwords or one-time codes are delivered to the user's phone number in an SMS containing a text string, but they can also be sent through other channels, such as an email, a WhatsApp or Telegram message, or a voice call. OTPs can be delivered as text, but also as speech (in an audio message or a voice call), which makes them a suitable option for visually impaired users. Bear in mind that SMS is the weakest of these channels: codes can be intercepted through SIM swapping or telecom-network attacks, so prefer an authenticator app or push channel where your users can support it.
As the name suggests, one-time passwords or one-time codes can only be used once, which removes the risk of replay. Since the code is known only to the server and to whoever controls the user's delivery channel or device, OTPs are a reasonable way to verify a phone number or email address, or to grant access to a platform directly. They are not phishing-proof, though: a user can be tricked into typing a valid code into an attacker's page, so a delivered OTP should be short-lived and tied to the session that requested it.
Among generated one-time passwords, two kinds are distinguished: HMAC-based OTPs (HOTP, RFC 4226) and time-based OTPs (TOTP, RFC 6238). Both derive the code from a shared secret and a moving factor using an HMAC. In HOTP the moving factor is a counter that advances with every code generated, so a code remains valid until the counter moves on (servers accept a small look-ahead window to cope with codes the user generated but never submitted). In TOTP the moving factor is the current time divided into fixed steps, so a code is valid only for the duration of its time step, after which it is no longer accepted. In general it is advisable to give every OTP a bounded lifetime, so that an intercepted code is harder to abuse. The RFC 6238 default is a 30-second step, with servers typically accepting one step of clock drift either side; for codes delivered over SMS or email, lifetimes between 30 and 180 seconds are common, and you can tune this to your business and users' needs.
Magic links are authentication URLs that carry a single-use, unguessable token; clicking the link verifies the user and signs them in. Magic links can be sent through different means, such as email (the most popular option), SMS or a message in a messaging app like Telegram or WhatsApp.
The benefits of magic links are many. They reduce friction in sign-up and login forms, since authentication takes one click on the URL. They also remove the password from the equation, so there is nothing for the user to reuse or for an attacker to stuff from a breach, and they verify the email address or phone number as a side effect. The flip side is that a magic link is a bearer token: anyone holding the URL can use it, so its security is only as good as the mailbox or phone it lands in. Keep tokens short-lived and single-use, store only a hash of the token server-side, and expect some mail security gateways to pre-fetch links, which can consume a one-use token before the user ever clicks it.
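As an added example (not Arengu code), here is a minimal issue-and-redeem flow for magic-link tokens with the properties described above: a 256-bit random token, a server-side store that holds only the token's hash, an expiry, and single use. The in-memory dictionary stands in for a database and `BASE_URL` is a placeholder endpoint.

```python
"""Issue and redeem single-use, expiring magic-link tokens.

Added example, not part of the original article or Arengu's product code.
The dictionary below stands in for a database table; BASE_URL is a placeholder.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://example.com/auth/magic"   # placeholder, not a real endpoint
TOKEN_TTL_SECONDS = 15 * 60

# token_hash -> {"email": ..., "expires_at": ...}. Only the SHA-256 of the token
# is stored, so a leaked table does not hand out working links.
_pending: Dict[str, dict] = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(email: str, now: Optional[int] = None) -> str:
    """Create a 256-bit random token, persist its hash with an expiry, and return
    the URL to send. Delivering the email is the caller's job."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)           # 32 random bytes, URL-safe base64
    _pending[_token_hash(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return f"{BASE_URL}?token={token}"


def token_from_url(url: str) -> str:
    """Extract the token query parameter, as the landing page would."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def redeem_magic_link(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the verified email address, or None if the token is unknown,
    expired or already used. The record is popped on the first attempt, so a
    token is burned whatever the outcome, and all failures look the same."""
    now = int(time.time()) if now is None else now
    record = _pending.pop(_token_hash(token), None)
    if record is None or record["expires_at"] < now:
        return None
    return record["email"]
```

Because the stored value is a hash of a high-entropy random token, a dictionary (or database index) lookup is enough; there is no low-entropy secret to compare in constant time. If link pre-fetching by mail gateways is a concern, serve a landing page on the GET and only redeem the token when the user confirms with a POST.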
An Arengu form is fully customizable in both layout and logic, which is why you can add other types of verification to your MFA even if you don't find a native action for them among the suite of actions. With an HTTP request you can call any API and link external services or third-party tools, allowing you to use your preferred identity providers or verification systems such as biometric authentication or know-your-customer (KYC) checks.
As multi-factor authentication implies additional layers of verification, it necessarily adds friction to the flow. To keep your registration and payment forms smooth and user-friendly, MFA can be applied only where it is necessary.
Tackling the weak points of your flow, or safeguarding the most sensitive actions, lets you protect your users and your business while maintaining a great UX. Let's see how!
Adaptive forms are forms that vary their behavior based on certain rules. The image below represents a form that adapts its behavior based on a risk detected at the very first stage, that is, a risk-based form. You define the risk rules yourself, and they are fully customizable in your server-side logic as well. For instance, you can apply risk rules based on the characteristics of the email address (a disposable domain, an address never seen before), an IP reputation score, geolocation relative to the user's usual location, whether the device has been seen before, login frequency, and so on.
A risk-based approach lets you add friction only when a real risk for your users or business is detected. This keeps the user experience good overall while delivering strong security exactly when it is most needed.
👉 Learn in depth how adaptive MFA and risk-based flows work ↗️
Another way to implement MFA smartly without hurting UX is to protect certain actions by default. This is an intermediate point between the two extremes: it doesn't trigger MFA at every login, nor does it depend on risk signals.
If your business features sensitive actions, you can require MFA only at that point. This doesn't mean that a risk has been detected; rather, you are adding a shield to this action because, if abused, it can compromise the user's security or money.
A good and frequent example is a bank transfer. Even if you are correctly logged in, when you want to execute a money transfer an additional authentication factor is requested. This doesn't necessarily mean that a risk was detected, such as purchases from different countries, unusually frequent transfers or access from a poor-reputation IP address. The additional factor is placed here to protect every money transfer, because it is a high-impact action. This pattern is usually called step-up authentication, and a common implementation detail is to require that the second factor was completed recently (within the last few minutes), not merely at some point earlier in the session.
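The following added example (not Arengu code) puts both strategies from the sections above into one small policy module: a risk score computed from login signals that decides between allowing, requiring MFA or blocking, and a step-up rule that demands a recent second factor for sensitive actions regardless of risk. The signal names, weights, thresholds, action list and sample contexts are all constructed for illustration; in a real deployment the IP reputation and disposable-domain list would come from external services.

```python
"""When to demand a second factor: risk-based at login, step-up for sensitive actions.

Added example, not part of the original article or Arengu's product code.
Weights, thresholds, action names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

SENSITIVE_ACTIONS = {"transfer_money", "change_email", "add_payee"}
STEP_UP_MAX_AGE = 5 * 60        # seconds; an older second factor is stale for these actions
RISK_MFA_THRESHOLD = 40
RISK_BLOCK_THRESHOLD = 80

DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.test"}   # constructed sample list


@dataclass
class LoginContext:
    email_domain: str
    ip_reputation: int              # 0 (clean) .. 100 (known bad), from an external scoring service
    country: str
    usual_country: Optional[str]    # None for a brand-new account
    known_device: bool
    failed_attempts_last_hour: int


@dataclass
class Session:
    mfa_completed_at: Optional[int] = None   # Unix time of the last successful second factor


def risk_score(ctx: LoginContext) -> int:
    """Additive score in 0..100 from the signals the text lists."""
    score = 0
    if ctx.email_domain in DISPOSABLE_DOMAINS:
        score += 30
    score += ctx.ip_reputation // 2                    # contributes 0..50
    if ctx.usual_country and ctx.country != ctx.usual_country:
        score += 25
    if not ctx.known_device:
        score += 20
    score += min(ctx.failed_attempts_last_hour, 5) * 5  # contributes 0..25
    return min(score, 100)


def login_decision(ctx: LoginContext) -> str:
    """Adaptive login: 'allow' silently, require 'mfa', or 'block' outright."""
    score = risk_score(ctx)
    if score >= RISK_BLOCK_THRESHOLD:
        return "block"
    if score >= RISK_MFA_THRESHOLD:
        return "mfa"
    return "allow"


def action_requires_step_up(action: str, session: Session, now: int) -> bool:
    """Sensitive actions always need a *recent* second factor, independent of risk."""
    if action not in SENSITIVE_ACTIONS:
        return False
    if session.mfa_completed_at is None:
        return True
    return now - session.mfa_completed_at > STEP_UP_MAX_AGE


if __name__ == "__main__":
    ctx = LoginContext("example.com", 10, "US", "ES", False, 0)
    print("risk:", risk_score(ctx), "decision:", login_decision(ctx))
    session = Session(mfa_completed_at=1_000)
    print("step-up for transfer at t=1_100:", action_requires_step_up("transfer_money", session, 1_100))
    print("step-up for transfer at t=2_000:", action_requires_step_up("transfer_money", session, 2_000))
```

Keeping the two decisions separate matters: a low-risk login must not exempt a money transfer from step-up, and a completed step-up should be recorded with its timestamp so the next sensitive action within the freshness window does not prompt again.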
As you can see, multi-factor authentication can be applied with different systems, through different channels and according to dynamic logic. At Arengu, we believe that is the way it should be implemented, so users benefit from a great user experience while their security is still guaranteed at a high level. Try Arengu for free and start implementing MFA smartly, based on your own business rules, while streamlining the user experience. Plus, Arengu embeds into any site regardless of the tech stack you use, which makes it easy to launch your acquisition channels and to modify or iterate on them later.
To start implementing MFA with Arengu, take a look at the MFA tutorials: