Two-factor authentication is an attempt to increase security beyond the usual usernames and passwords. Traditionally passwords are chosen by the user, and they range from just about adequate through to insanely poor. For many typical users the password is ridiculously easy to crack, and it is reused on most websites they visit. (For the record, “Fido32!” is not a reasonable password choice, and it’s actually astonishingly easy to break!)
Two-factor authentication combines any two of:
- Something you know: usually a password, or sometimes the answer to a security question
- Something you have: a security code sent to your mobile, or a one-time code generator (like banks sometimes use)
- Something you are: biometrics such as a retina scan or fingerprints
To counteract this tendency towards overly weak passwords, your website or app can send the user an SMS with a code they must enter on the login screen. This becomes the second factor of two-factor authentication. Security is increased by requiring two routes to the user simultaneously: the web login screen and their mobile. An attacker attempting to break into an account is unlikely to have access to both.
World Text make it easy to implement two-factor authentication, so you can generate verification codes on demand and increase the security of your service.
Sites enforce ever more stringent rules on the creation of passwords, in the hope of stopping their end users “securing” their accounts with passwords such as “fred11”. It’s common to require symbols and mixed case. It’s common to require a minimum length – often around eight characters. It’s also depressingly common to impose a maximum of around 12 or 16 characters. Very few sites allow you to enter a lengthy passphrase without hitting an arbitrary maximum.
“RaNd0m_1” counts as a “complex” password because it uses alphabetic, numeric, symbol and mixed-case characters. It will satisfy the little password strength indicator many sites now have and show as good. It’s also rather easy to break. Chances are many users are going to “remember” it via a post-it on the monitor.
On the other hand, “especially separate tuesday table” is significantly stronger than the example above, by virtue of its length alone, even though it uses no mixed case, numerics or symbols. It’s also easier to remember. Users have been trained for years to prefer the artificial complexity of the first example over a lengthy but memorable and secure passphrase. Many web password strength indicators would “fail” this passphrase as weak, because they’re looking for complexity, not security.
So, in a world where poor passwords are pretty much insisted upon, it’s good to have another measure we can implement to counteract the common weakness of user-chosen passwords: two-factor authentication.
How Do I Implement Two-Factor Authentication?
It’s really rather straightforward!
There are three simple steps needed.
First, we need to collect the username and mobile number.
Second, we need to generate an authentication code and send it to the user’s mobile.
Last, validate the traditional password, and compare the verification code they’ve just entered against the value we texted them.
Essentially that’s it.
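The three steps above as an added Python example; this is not code from the post or from World Text, and it does not call the World Text API. The SMS send and the password check are stand-ins passed in as callables, the server secret is a constructed value, and the example goes a little beyond the post by adding the checks a practitioner would want around a texted code: a CSPRNG-generated code stored only as an HMAC, an expiry, an attempt cap, one-time use and a constant-time compare.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a texted code should expire quickly
MAX_ATTEMPTS = 5         # cap online guessing of a six-digit code

@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0

class SmsTwoFactor:
    def __init__(self, send_sms, check_password, server_secret: bytes, now=time.time):
        self.send_sms = send_sms              # callable(mobile, text): stand-in for the SMS gateway
        self.check_password = check_password  # callable(username, password) -> bool
        self.server_secret = server_secret
        self.now = now                        # injectable clock, so expiry can be tested
        self.pending: dict[str, PendingCode] = {}

    def _hash(self, username: str, code: str) -> bytes:
        # Store an HMAC of the code rather than the code: a leaked table cannot be replayed.
        return hmac.new(self.server_secret, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue_code(self, username: str, mobile: str) -> None:
        """Step two: generate a code and text it to the user's mobile."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; never random.randint
        self.pending[username] = PendingCode(self._hash(username, code), self.now() + CODE_TTL_SECONDS)
        self.send_sms(mobile, f"Your verification code is {code}")

    def verify_code(self, username: str, submitted: str) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.now() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]   # expired or exhausted: the user must request a new code
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(username, submitted))
        if ok:
            del self.pending[username]   # one-time use
        return ok

    def login(self, username: str, password: str, code: str) -> bool:
        """Step three: both factors must pass; password first so a typo does not burn the code."""
        return self.check_password(username, password) and self.verify_code(username, code)
```

The username, mobile number and password used when exercising this are constructed values; in production the `send_sms` callable would wrap whichever SMS gateway you use.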
Tomorrow I’ll work through an example of implementing two factor authentication using the v1 API and PHP, and follow that with a similar example using the v2 API and our PHP helper class.