How does Verigator make 2FA better?
Let’s face it. Two-factor authentication is still widely under-used. Google painted an alarming picture: 90% of its Gmail users haven’t enabled 2FA in any form.
That’s nuts. Gmail has 1.2 billion active users and most of them don’t use anything more than a password to protect their accounts. But email accounts aren’t the only concern –what about everything else? Internet users average (globally) over 90 online accounts. Americans have an average of 130 online accounts and people in the UK have 118 online accounts.
It only takes one hijacked account or account breach to have an impact on someone’s life and become costly for businesses.
Businesses know they must put in the effort to protect their users –and GDPR mandates it. Yet UI/UX developers and product owners walk a fine line between user experience and securing their customers.
Which is why we built Verigator a certain way.
The most straightforward way to get users to use 2FA is to force it with SMS PIN codes. It’s common for businesses that provide online accounts or mobile apps to ask for mobile phone numbers to verify new users through SMS PIN codes. They’re turning to the same technology for two-factor authentication –that is, send an SMS PIN code every time a user logs into an account, whether from a web browser or an app.
Messente’s API does both phone number verification and two-factor authentication from the same API. Technically, they both do the same thing, but the logic from the users’ perspective is that they’re verified with a PIN code when the account is created, then they “authenticate” every time they log in with a password and a PIN code.
Verigator, our 2FA mobile app, doesn’t use SMS PIN codes for two-factor authentication, though. It uses six-digit one-time passwords that expire after a certain period of time, usually 30-60 seconds. These time-based one-time passwords (TOTP) are calculated independently by both the Verigator app and Messente’s API, so they’re safe from SS7 vulnerabilities, which have put SMS under some scrutiny. Only the user-entered TOTP is transmitted to the API by the online service in questions, as the online service checks with Messente’s API if the correct TOTP was entered before access is granted.
Users install the app to their iOS or Android device, create an account, which is verified via an SMS PIN code. And here’s the magic: Any online service that uses Messente’s API will automatically appear in a corresponding user’s Verigator app (assuming the user provides the same mobile number.) Even better: A push notification is sent to users when they log in, so they don’t have to search for the account in the app.
That’s right, no scanning of QR codes or any other steps to get users onboard with TOTP 2FA. Brands and businesses can utilize a single API to tackle phone number verification, SMS 2FA, and TOTP 2FA. Encouraging users to use Verigator keeps the seamless simplicity of sending SMS PIN codes, while being that much more secure, making the user sign-in experience much less cumbersome.
Verigator users can also use the 2FA app with any other online service that doesn’t use our API, as long as they have a QR code to scan. While it defeats the purpose of a seamless single API approach for SMS and TOTP, it allows users to minimize how many 2FA apps they install.
So if you’re already using SMS PIN codes to authenticate users every time they log in, have you thought about how to make it better?