When designing your own digital products, you need to decide if multifactor authentication is needed and, if so, how to execute it.
When building an application or website where your end users or employees can log in, you have to make a choice:
Is a password alone enough to secure their access and account details?
If it’s not enough, how do you want to incorporate two-factor authentication (2FA) or multifactor authentication (MFA) into the process to enhance security?
There are a variety of authentication methods you can include when developing the login procedure for your website or app. In this post, we’re going to look at how multifactor authentication works, when to implement it and when to choose 2FA over MFA.
Multifactor authentication is a security procedure during login that requires users to confirm their identity using at least two different methods. The goal is to help prevent anyone who is not the user from gaining access to their account.
Let’s say you’re building a digital product with a login. For example:
Traditionally, the login screen would ask for the username and password.
In 2000, CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) was created and Google brought it to the mainstream in 2009.
This test often shows a series of letters or numbers or a simple math equation. When the user enters the correct answer or repetition of characters, they are deemed safe to log in or enter the digital space.
reCAPTCHA is an offshoot of CAPTCHA. This test scans letters, numbers and sometimes images from real books. Users again have to provide a correct answer or input to get through the digital barrier.
Then we started seeing the “Verify you are human” checkbox. This one is on the Indeed website and is powered by Cloudflare:
Another form of this you may have encountered is an image puzzle. The most common one is the image broken up into 9 boxes. You need to select the boxes that show the image from the prompt.
For example, I just saw this when checking out on the Tesseract Medical Research website:
There are ways to make these kinds of puzzles more complex, like what Zocdoc does here:
Users not only need to drag the puzzle piece into the matching puzzle piece, they have to do it in a reasonable timeframe.
Technically, these are all forms of two-factor “authentication.” The goal, though, isn’t to confirm the user’s specific identity. It’s to confirm that they’re not a bot scammer trying to bypass the login screen through nefarious hacking methods.
But bots aren’t the only ones we’re trying to keep out of our users’ accounts.
Today’s multifactor authentication methods are much more secure than the ones aimed at bot-driven scammers. Today’s MFA methods are designed to prevent a different person from getting into someone’s account.
Here are some examples of two-factor or multifactor authentication methods that can be used to prevent unauthorized access to someone’s account:
Although they’re not as commonly used these days, security questions used to be one of the more common forms of MFA used in previous years. Questions would include things like your mother’s maiden name, the street you grew up on and your childhood pet’s name.
While you might be hard-pressed to find a website or app that still employs security questions during the login process, they’re still out there. PayPal, for instance, collects this information from users, likely as a backup if their PIN code fails to work.
What’s good about PayPal’s security questions is that they steer clear of the questions we frequently answered in the past. For instance, here are the current questions offered:
This way, if those prior security questions were leaked somewhere on the web, hackers may find it more difficult to get past this verification step.
What’s surprising is that security questions aren’t used much these days. My guess is that they’re seen as too much effort on the part of users. Unlike the other methods we’re going to look at, this one requires digging up personal memories and then typing out a response. More modern MFA methods can be completed in a few taps (if that).
With this method, the user first enters their username and password. Then, they’re sent a one-time passcode to one of their designated forms of contact—SMS, phone, email or WhatsApp.
Some applications give users a choice during login, like Discover which allows them to receive a text message or phone call.
When the message shows up, it’s typically a six-digit code like this one:
This can be an effective way to verify the identity of a user. However, if someone has stolen their device, this PIN code won’t be able to keep bad actors out.
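The server side of the one-time passcode flow described above, as an added example that is not code from the original post or from any of the products it mentions. It assumes a hypothetical `OtpService` that issues a random six-digit code, stores only a keyed hash of it together with an expiry time, and verifies submissions with a constant-time comparison, a five-attempt limit and single use. The delivery channel (SMS, email, WhatsApp) is left to the caller; the server key and the injectable clock are constructed for the example. Note that a six-digit code has only a million possible values, so the attempt limit and the short lifetime, not the hash, are what make guessing impractical.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # "a six-digit code like this one"
OTP_TTL_SECONDS = 300   # code is only valid for five minutes
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded


@dataclass
class PendingOtp:
    code_hash: bytes    # keyed hash of the code; the clear code is never stored
    expires_at: float   # absolute time after which the code is dead
    attempts: int = 0   # verification attempts consumed so far


class OtpService:
    """Hypothetical issuer/verifier for delivered one-time passcodes."""

    def __init__(self, server_key: bytes, clock=time.time):
        # server_key is a secret held only by the application (constructed here);
        # clock is injectable so the expiry logic can be tested deterministically.
        self._key = server_key
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}

    def _hash(self, user_id: str, code: str) -> bytes:
        # Keyed so a leaked table of hashes cannot be brute-forced offline without the key.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user and return it for delivery (SMS/email/etc.)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Issuing a new code replaces any earlier one, so only the latest is accepted.
        self._pending[user_id] = PendingOtp(
            code_hash=self._hash(user_id, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            # Expired or exhausted: discard so the user must request a new code.
            del self._pending[user_id]
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.code_hash, self._hash(user_id, submitted)):
            del self._pending[user_id]   # one-time: a captured code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    svc = OtpService(server_key=b"constructed-demo-key")
    code = svc.issue("alice")
    print("deliver to user:", code)
    print("first use ok:", svc.verify("alice", code))
    print("replay ok:", svc.verify("alice", code))
```

Usage: call `issue()` after the password check succeeds, hand the returned code to your messaging provider, and call `verify()` with whatever the user types. Because the code is deleted on success, a code intercepted in transit or read off a stolen handset is useless once the legitimate login has completed; the expiry and attempt limit bound its usefulness before that.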
There are a number of authentication apps that users are able to install on their mobile devices. Google Authenticator and Duo are the most popular. In order to use the authentication app, the user must scan a code from the application into it.
For example, these are the instructions provided by Instagram in the security center on how to enable MFA:
The user then copies the key (string of numbers and letters) or scans the barcode/QR code into the app. Once entered, the user will retrieve a time-sensitive six-digit code in order to log back into Instagram.
Similar to the PIN code method, this one isn’t foolproof as someone with access to the user’s mobile device can retrieve the authentication code.
There are typically three kinds of biometric data you can request from users to authenticate their identity:
Most mobile devices these days offer this option as a way to keep users’ devices locked and private. For instance, here’s what Samsung offers from the security settings:
When enabled, only the device/account owner’s face or fingerprints will open it up.
It’s not just mobile devices that use this type of MFA either. Mobile apps do as well. That said, it’s very rarely the primary MFA method offered. One of the more likely reasons is accessibility. For instance, it may be easier for less tech-savvy users to input a code rather than figure out how to set up and use their fingerprints to unlock an account.
Considering how difficult it can be to hack someone’s biometrics, I suspect this will become a more common MFA method over time.
Passkeys are one of the newest MFA methods. Sort of. Typically, if passkeys are enabled, then the user doesn’t need to enter a password every time they log in (though a password itself is needed to create the account in the first place).
Biometrics are a form of passkey. However, there are other ways to set up passkeys for your application.
One option is to connect the screen lock passkey of the device being used to the application. So, when they log into the app, they enter their device’s code to log in. Canva, for instance, offers this as an option along with biometric scanning.
The user has a choice as to where they save the passkey. It can be through their device. The other option is to save it on a physical security key.
PayPal also offers a physical security token option for users. It’s not easy to find though. It’s tucked away under “Additional Security Features.” However, for users who are extra serious about safeguarding their financial data, using a physical USB device to verify their identity can be a good way to go about doing it.
The biggest risk with this method is losing the security key. Because if you lose that USB device or the unique passkeys associated with your device or account, you could be permanently locked out.
That’s why it’s important to enable multiple factors of authentication and not just one backup to your password. So, if you’re going to use passkeys, make sure to also enable SMS messaging or use an authenticator app.
There are a number of things you need to ask yourself when setting up the security system for your login procedure:
The difference between 2FA and MFA is that 2FA only has one additional authentication method outside of the password. MFA has two or more.
So, does it really matter which one you use? Sure it does.
For starters, think about usability and accessibility.
There may be certain methods that users aren’t comfortable using or are unable to use. Think about users who don’t have smartphones or who rarely use them and don’t know how to do something like install Google Authenticator.
This is why it’s important to enable multiple methods, so that everyone has the option to add extra protection to their account, and to require 2FA or MFA only when it makes sense.
Then, you have to consider the user experience.
What is the purpose of your application and what kind of data is stored within the user’s account? If it’s not complex or super sensitive, do you really need to put them through the rigamarole of verifying their identity multiple times or using different devices in order to do it?
You don’t want your users feeling stressed or annoyed every time they have to log in.
Also, take into account the risks.
If you’ve built an application that operates within a highly regulated space like healthcare or finance, strict MFA procedures may be a necessity.
Another way to think about this is by user. Not every account holder may have access to sensitive or privileged data. In that case, it might be beneficial to enable 2FA for lower-risk users and MFA for higher-risk ones.
According to CISA, the most popular password used in the United States is 123456.
This is just one reason why it’s critical that web developers enable MFA when building apps and websites. While we’d love to believe that users care about their data security and privacy (which endless surveys have demonstrated), we know that many of them don’t take the right steps to secure their accounts.
It’s not their fault, really. Think about how many accounts you have created or logged into in the last month. Does your brain have the capacity to generate a unique password for each of them and then recall it? Probably not.
While there are password generator and storage apps like Zoho Vault and 1Password that can help with this issue, many people don’t use them or even know they exist. What’s more, these unique passwords can still end up on the dark web, available for purchase and exploitation.
Because of this, we need to enforce better security practices at login. The early CAPTCHA and puzzle tools helped with the bot problem, but not entirely. And MFA methods like authenticator apps and PIN codes are good for defending against bad actors, but aren’t entirely hack-proof.
To help keep your users’ information safe, equip your app or website with multifactor authentication. So long as you give your users some choices and the extra steps don’t intrude much on their experience, MFA should actually help you build customer trust over time.
A former project manager and web design agency manager, Suzanne Scacca now writes about the changing landscape of design, development and software.