All security solutions involve finding the right balance between usability and friction. We want to make things hard enough that an attacker won’t try to break in, but easy enough for the intended user to access what’s secured. Figuring out the right balance often depends on what you’re protecting: I’m comfortable with a standard lock on my house door, but an Apple Store installs an alerting system and hires security guards.
As we think about securing more accounts online we see similar calculations for the right level of security. I might be okay with just a password for my account at a local flower shop, but want additional protections for my bank account or email.
When authentication fails, the result can be account takeover (ATO). Not only can this lead to a loss of customer trust, ATO can cost real money in fraudulent transactions. ATO cost companies $6.8 billion in 2019 according to Javelin Strategy & Research.
[Figure: Cost of account takeover (ATO). Source: Javelin Strategy & Research]
Authentication factors for customer account security
To protect a customer account, we must authenticate their established identity. An identity is usually something like their email address or username, and we ask them for something to prove that they are who they say they are. This authentication comes in one of three types of factors:
- Knowledge factors – something that you know like a password
- Possession factors – something that you have like a key or mobile phone
- Inherence factors – something that you are like Face ID or a fingerprint
The problem with passwords
Passwords became a de facto standard for online authentication because they’re relatively easy to use and unlike a possession factor, you can’t lose a password. Even if you do forget your password, many companies started implementing “security questions” (another type of knowledge factor) for account recovery.
However, as much as we’d like to believe we’re better than this, the website haveibeenpwned.com shows that simple, guessable passwords like 123456 are still incredibly common. That password, 123456, has been seen in data breaches over 23 million times. To compound the issue, a 2019 Google study shows 64% of people admit to reusing passwords across multiple sites. This is a problem because even if someone has a complex password, if they’re reusing it for many sites, a data breach at MySpace or Adobe could lead to the user’s account getting breached on your company’s site through a process known as credential stuffing.
Two-factor authentication to the rescue
In order to protect against credential stuffing and other security flaws with passwords, companies like Twilio SendGrid have implemented two-factor authentication. If you combine any two types of authentication factors, you have two-factor authentication. A classic example in the real world is a debit card (something you have) and PIN (something you know).
Sure, it’s an extra step, but that additional friction is what helps keep your account secure. Possession factors, like a one-time passcode sent to a phone or email or delivered through an authenticator app like Twilio Authy, are also harder to breach than a simple password.
SMS-based 2FA
While SMS-based 2FA is not the most secure method for delivering 2FA tokens, a 2019 Google study “found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.” Combined with a unique, long password, these two factors are enough to secure most accounts.
Time-based one-time passwords
Time-based one-time passwords (TOTP) are another possession factor: an algorithm generates unique numeric passcodes from a secret key and the current time, which allows this method of authentication to be available offline. TOTP also uses symmetric key cryptography, which offers increased security compared to SMS. It does require an app download, but apps like Authy are pretty handy to have in your arsenal.
Adding 2FA to your Twilio SendGrid account
SendGrid is requiring all customers to enable 2FA this year. This is to help protect your accounts and maintain your sender reputation. For more details, check out the documentation on how to enable 2FA. 2FA also makes it harder to share credentials, since a one-time passcode is only sent to one person. If you want to allow multiple people to send email from the same account, learn how to invite a teammate to your account.
2FA for the win
Two-factor authentication helps keep you and your customers secure. To learn more about account security best practices, check out our blog post, 7 Best Practices to Protect Your Twilio SendGrid Account and Sending Reputation.