While Two-Factor Authentication (2FA) is one of the more robust security approaches to consider, there are alternatives depending on your business and security needs. We'll outline some of those in this article.
There's little doubt that improving the security of your user accounts is a wise investment of your engineering time. While the benefit can feel indirect and non-tangible, investing in security provides powerful benfits to your brand, as well as the Personally Identifiable Information (PII) that your users entrust you with.
The traditional route products take is to consider and implement
a Two-Factor Authentication (2FA) system (either through a
security code or SMS notification). While that is an established
and mature technology, it's not without it's limitations.
Namely, it increases friction for your users, and can lead to a
false sense of security. As a result of this, considering
alternatives (or additions) is vital.
Don’t be mistaken, two-factor authentication is important and you should make sure you enable it everywhere you can. However, without a proper understanding of how real attackers work around these countermeasures, it is possible that people are misled into believing that, once it is enabled, they are safe to log into just about anything and feel protected. Amnesty International
Notifying your users when there's an unpredictable or suspicious login on their account can help communicate a sense of security and protection. This, however, should be balanced with the authentication features your product already employs.
For example, if your product forces a new login every 3 days, then it might be over-zealous to email users each time there's a new login on their account. However, if your product cookies users in for greater than 14 days, then a new login email notification could strike that balance between informative and aggressive.
Native app (iOS or Android) notifications is something we'd strongly consider for any new login events. The reason for this is simple: they're relatively non-intrusive, while balancing the additional security value.
Users are generally comfortable with app notifications due to the precedents that app developers and device makers have set. Even though the vast majority (>99%) of these login app notifications will have beeen initiated by the user, the cost (from a user experience point of view) is so low that it's something we'd consider a win.
This one is tricker, and generally only executed by larger, more mature products, that exist within a regulated or sensitive field (for example, banking, cloud computing, governement).
The executions we've seen here (and would recommend for highly sensitive data) is access control settings that include things such as IP Address restrictions, maximum failed login attempts, Geo restrictions, etc.
For example, with IP Address restrictions, it's plausible that users (or providers) may want to restrict access to specific IP addresses (or rather, limit any IP addresses from VPNs or TOR nodes).
This is one of the most aggressive security tactics that a product can execute, and as such introduces a number of user experience questions. But due to it's power, it is often employed by large companies and organizations.
The natural question is how do you determine which alternatives to invest in? Email Notifications, App Notifications and Access Control Settings all have their pros and cons, so thinking through which is appropriate will take some time for Product Managers.
An easy filtering here is whether or not you have a native App (or browser extension). When that's not the case, then App Notifications won't fit.
Access Control Settings are recommended, but only when it fits stringent requirements from a data and privacy point of view. This one can be tricky as well, since it adds a considerable amount of user friction. But it's by far the safest.
Finally, Email Notifications can be the right decision due it's passive nature (you're not interupting a user's experience, but rather supporting it through extra communication). But a draw back here could be the frequency of sending those emails and the engineering required to do so.
2FA is a powerful, mature approach to account security. While it has it's drawbacks, we strongly believe it's better than not using it. But we believe it's an approach (or technology) that should be used in conjunction with others.
Namely, Email Notifications, App Notifications or Access Control Settings should be considered alongside 2FA. Special consideration should be made towards the user experience, but depending on the depth and level of sensitivity that your product requires, combining these approaches would result in one of the more secure systems for your product.
Secure your users accounts with a few lines of code.
