Two-Factor Authentication in Modern Payments Ecosystem
Two-factor authentication, or 2FA, is a form of strong customer authentication that requires the user to present two independent pieces of evidence of their identity. Historically the most common evidence was a password, known only to the user. In 2FA terminology this is the knowledge factor: something the user knows. Today a password of practically any complexity can be compromised, whether by phishing, by reuse on a site that was breached, or by malware on the user's machine, and that is unacceptable for a financial application.
2FA adds a second factor, usually a possession factor: something the user physically holds. This can be a dedicated hardware token, a USB security key, or, most commonly, a mobile phone. The phone either runs an authenticator app that generates one-time codes locally or receives them by SMS; those codes should be obtainable only by the genuine user, so together with the password they authenticate that user far better than the password alone.
Why Strong Customer Authentication?
Since January 2013, Strong Customer Authentication (SCA) has been recommended for all Internet payments in the EU. Several SCA implementations suit card payments on the Internet, such as 3-D Secure or a dynamic card verification value, but 2FA remains the most convenient option for non-card transactions: wire transfers, invoice payouts, or Internet direct deposits.
As technology progresses, the ways to defraud people evolve as well, and financial operations cannot be secured adequately without 2FA. Hence, from September 14, 2019, SCA is mandatory for online payments in the EU under PSD2, subject to a limited set of exemptions.
How Can it Save My Funds Anyway?
With 2FA, either factor can be compromised on its own without giving anyone else access. If your password leaks, the thieves still cannot log in, because the one-time codes are delivered to, or generated on, a device only you hold. If your token or phone is stolen, the thief still needs your password, and the phone itself should be locked with its own PIN or passcode. In both cases you gain time to revoke the compromised factor and set up a new one, and your funds stay safe.
How to Make Sure My 2FA is Safe?
2FA is only as safe as your continued access to it. The one thing that can really go wrong is losing your possession factor, and that does not necessarily mean losing the phone or token itself: a wiped phone, a reset authenticator app, or a badly skewed clock has the same effect. A few measures make your 2FA experience safer:
1. Back up your emergency recovery codes. These unique codes are generated when you set up 2FA, and each of them lets you get past the second factor and disable 2FA exactly once, so they are every bit as sensitive as the second factor itself. The best option is to keep them in an encrypted file on a thumb drive stored somewhere safe, or to print them and hide the paper. Because each code is a one-time bypass of your second factor, keeping them on the everyday device you log in from, or in the same cloud account, defeats the purpose.
2. If your codes suddenly stop working, check your device's time setting. App-generated codes (TOTP) are derived from the current time in 30-second steps, and the server usually tolerates only one step of clock drift in either direction. If your device's clock is off by more than about 30 seconds (a minute at the very most), every code it shows is already expired or not yet valid. Syncing the clock to network time fixes this; re-enrolling does not help, because the new seed would be driven by the same wrong clock.
3. If your provider supports several options, avoid SMS where you can. SMS codes travel over the phone network and can be diverted by SIM swapping or number porting, so they are the weakest choice. Authenticator apps such as Google Authenticator, Authy, LastPass Authenticator or Authenticator Plus all generate the same standard time-based codes; they differ mainly in backup and multi-device features, so pick the one your financial partner supports and that you can recover from if the phone is lost. A hardware token is stronger still, since its seed never leaves the device.
Although it may sound complicated, 2FA is easy, takes only seconds of your time, and removes the single point of failure that a password on its own represents. With hardware tokens and SMS codes you get the code almost instantly, so protecting your valuable assets costs you only the time needed to enter six digits.