Multi-factor authentication

5 Tips from Security Pros for Adding Two-Factor Authentication to Your Website

Don’t reinvent the wheel, use cloud-based two-step authentication, add several authentication methods, use adaptive authentication, and encourage users to activate 2FA

Protectimus
Published Aug 31, 2021

Last month (July 2021) Cybernews reported a leak of 8.4 billion passwords. In sheer numbers, that is potentially a password for every internet user twice over. Sadly, reports like this one are becoming more frequent, and they no longer even surprise us.

There was a time when enforcing a strong password was enough to protect your customers’ accounts. Nowadays, however, multi-factor authentication is the only infallible way to safeguard your users’ credentials, especially if you store sensitive information.

Today we are going to share 5 professional tips for adding 2FA to your website.

1. Don’t reinvent the wheel and integrate with one of the existing two-factor authentication providers

Yes, it is absolutely possible to build your own two-factor authentication solution for your website. But do you really want to do that?

Just think about it for a minute:

  1. Proper 2FA requires a number of certifications and checks, and those can be expensive.
  2. Then you need to decide how you will deliver the one-time password to your website visitors:
  • SMS? You will need to find and integrate with a reliable SMS provider with global coverage.
  • Push notifications? Implementing that requires a good understanding of how the Apple Push Notification Service and Google’s Android Cloud Messaging service operate. And what happens when the user’s phone loses connectivity or cannot accept push notifications for whatever reason?
  • The safest way to protect your users is 2FA login with a TOTP hardware token. But how do you produce and distribute them to all of your website visitors?

Image: How two-factor authentication works

Building your own multi-factor authentication solution results in a lot of code and dependencies. Only very good, and quite expensive, developers with knowledge and experience in security software development can be trusted to do it. If the two-step verification suddenly breaks, no one will be able to log in. And if the developers miss a security vulnerability, it is an open door to a lot of trouble.

Integrating with an already existing trustworthy provider is the safest and cheapest option.


2. To save time and money, use cloud-based two-step authentication services

Cloud-based two-factor authentication solutions don’t require as many resources as on-premise solutions do. There is no need to set up environments, install expensive equipment, or hire additional staff to maintain it.

A cloud MFA solution operates on a SaaS model, so, as with any other SaaS, you pay only for the options you actually use. Some providers, Protectimus for example, support up to 10 tokens for free.

Image: On-premise 2FA vs cloud-based 2FA

Another advantage of cloud solutions is that they are very easy and fast to set up. You can have two-step authentication activated on your website within minutes.


3. Let your users choose from several authentication methods

There is more than one type of security token: 2FA apps, TOTP delivery through chat bots in various messengers, hardware tokens, and so on. Your users should be able to choose the one they prefer. You will earn a lot of goodwill from your customers for improving the UX and reducing the irritation of having to take an extra step to log in.

To enable this on your website, you need to integrate with a two-factor authentication provider that supports several token types within one account.

Image: Hardware two-factor authentication tokens Protectimus Slim NFC

The only 2FA token type we strongly advise against adding is SMS. It is not secure enough, and it will cost you quite a lot.


4. Use adaptive authentication to stay on your users’ good side

No one likes typing OTPs every time they log in to a website, especially one they use daily. Many users simply turn two-factor authentication off altogether. With adaptive authentication your customers won’t have to enter one-time passwords every time, and they will still stay protected.

Image: Protectimus adaptive authentication feature

Adaptive authentication assesses the likelihood of a breach while a user goes through the login process. The solution checks the user’s environment and asks for an OTP code only when it notices a mismatch, such as a new device the user has never logged in from.
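An added illustration of that decision logic (example code written for this page, not Protectimus’s implementation): a small risk policy that compares the context of a login attempt with the environment the user has previously proven, and asks for an OTP only on a mismatch. The signals used (a device identifier, the country derived from the client IP, and the time since the last login) and the one-hour "country changed too quickly" threshold are assumptions chosen for the example; the check runs after the password has already been verified.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class LoginContext:
    """What the server observes about one login attempt (assumed signals)."""
    device_id: str   # e.g. a long-lived device cookie or browser fingerprint
    country: str     # e.g. looked up from the client IP address
    timestamp: int   # Unix time of the attempt


@dataclass
class UserProfile:
    """Environment the user has previously confirmed with a successful OTP."""
    trusted_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_country: str = ""
    last_login: int = 0


class AdaptivePolicy:
    # Two different countries within an hour is treated as a mismatch (assumption).
    MIN_TRAVEL_SECONDS = 3600

    def decide(self, profile: UserProfile, ctx: LoginContext) -> Tuple[str, List[str]]:
        """Return ('allow' or 'otp_required', list of mismatch reasons)."""
        reasons: List[str] = []
        if ctx.device_id not in profile.trusted_devices:
            reasons.append("unknown device")
        if ctx.country not in profile.known_countries:
            reasons.append("new country")
        if (profile.last_login
                and ctx.country != profile.last_country
                and ctx.timestamp - profile.last_login < self.MIN_TRAVEL_SECONDS):
            reasons.append("country changed too quickly")
        return ("otp_required" if reasons else "allow"), reasons

    def on_login(self, profile: UserProfile, ctx: LoginContext) -> None:
        """Record the latest successful login, OTP or not."""
        profile.last_country = ctx.country
        profile.last_login = ctx.timestamp

    def on_otp_success(self, profile: UserProfile, ctx: LoginContext) -> None:
        """Only an OTP-confirmed login may extend the trusted environment."""
        profile.trusted_devices.add(ctx.device_id)
        profile.known_countries.add(ctx.country)
        self.on_login(profile, ctx)


if __name__ == "__main__":
    # Constructed sample: first login from a fresh profile, then a repeat from the same device.
    policy, profile = AdaptivePolicy(), UserProfile()
    first = LoginContext("dev-A", "DE", 1_700_000_000)
    print(policy.decide(profile, first))          # ('otp_required', ['unknown device', 'new country'])
    policy.on_otp_success(profile, first)
    print(policy.decide(profile, LoginContext("dev-A", "DE", 1_700_000_600)))  # ('allow', [])
```

The important design point is that only an OTP-confirmed login extends the trusted set: a password-only login never adds a device or country, so an attacker holding just the password cannot quietly teach the policy to trust them.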


5. Encourage your users to activate two-factor authentication

Imagine you’ve found your perfect 2FA provider and integrated the solution with your website… and then what? How do you get your customers to actually use it? Forcing it on users is not a very good idea.

Start with an informational campaign. Tell your customers how it will benefit them. Or better yet, reward them for enabling 2FA, if your business model allows for it.

Epic Games is a great example. For securing their Epic Games accounts with two-factor authentication, gamers receive extra rewards in Fortnite. Isn’t it brilliant?

Image: Epic Games reward for activating two-factor authentication

Once most of your users are on board with 2FA, you can make it mandatory.


Protectimus

Two-factor authentication solutions for business and personal use. Secure your organization’s and users’ data with MFA: https://www.protectimus.com/