(Authy, June 2018) While more 2FA is being implemented across the net, these numbers need to double or triple ASAP to improve security across the board.
The UK was one of the more active countries for regulatory enforcement of data protection. Fines in 2016 doubled to £3.2 million according to a recent PwC report. Despite this, data breaches grew by 41% in the UK in 2017, and continue to make headlines (such as the Wonga data breach, which saw the data of nearly 250,000 UK customers stolen). Globally, just under 3 billion (2,889,920,099) user records were known to have been exposed in the last 24 months. Sectors from business, education and government to health and finance were all affected. Organisations of all types urgently need to take steps to improve their security.
Organisations Need to Act
Data breaches are not diminishing. And the onus is on organisations to provide greater security and, importantly, to educate consumers on adequate data protection and the steps the business is taking to secure data. In the UK around 20% of consumers said that they don’t trust businesses handling their data, with only a minority of UK small businesses having cybersecurity risk policies or management in place.
Any business handling sensitive information online should be implementing proactive measures to strengthen their security. First steps typically include increasing access security, and conducting regular tests and audits on data protection.
2FA as a Solution
Two-factor authentication improves on passwords by requiring a second piece of information, such as a one-time passcode (OTP) that is sent or calculated at the time of login. The code can be delivered by SMS or voice call, or generated within an app. Hackers now need possession of the device that is receiving the code before they can easily access the account.
Twilio found that some of the most popular security packages for supporting 2FA have experienced an increase of over 300% in downloads over the last 24 months. But whilst 2FA is becoming more widespread, many websites aren’t 2FA enabled. A quick look at twofactorauth.org indicates only around 50% of the 1,000 most popular websites offer any form of 2FA. One would expect that percentage is likely much lower across the millions of websites on the internet.
2FA technology is also advancing, giving developers more and better ways to secure accounts. One of the more recent, push authentication, is an improvement over sending an SMS with a one-time passcode. Push authentication presents the user with a rich interface that includes details of the application they are logging into and asks them to “Accept” or “Deny” the request. As soon as the user clicks either button, the response is immediate: the legitimate user is logged in quickly, or a hacker is denied access. This approach is being implemented by the likes of Google, Microsoft, Yahoo, and others.
2FA techniques can be used not only for the initial login, but also for other actions that require protection, such as a money transfer or a cryptocurrency withdrawal. This means that even in the event of a compromised browser, high-risk and high-value transactions can be secured by pushing the authorization off the desktop to a trusted device. It’s important that businesses discourage an over-reliance on passwords among consumers by building 2FA directly into the customer experience.
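The transaction approval described above can be sketched as follows. This is an added example, not code from the original article or from any vendor it names. It assumes a per-device secret enrolled beforehand and uses an HMAC over the exact transaction details; all function and field names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

APPROVAL_TTL = 120  # seconds a push request stays valid (assumed value)

def canonical(obj):
    # Stable serialization so server and device authenticate the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def create_request(txn, now=None):
    """Server: build the push request whose details the device displays."""
    now = time.time() if now is None else now
    return {"txn": txn, "nonce": secrets.token_hex(16),
            "expires": int(now) + APPROVAL_TTL}

def _mac(device_key, request, decision):
    # The MAC covers the transaction, the nonce, the expiry AND the decision.
    msg = canonical({"req": request, "decision": decision})
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def device_respond(device_key, request, decision):
    """Trusted device: the user saw request['txn'] and tapped accept or deny."""
    return {"decision": decision, "mac": _mac(device_key, request, decision)}

def server_authorize(device_key, request, response, txn_to_execute,
                     used_nonces, now=None):
    """Server: run the transaction only if this exact one was approved."""
    now = time.time() if now is None else now
    if now > request["expires"] or request["nonce"] in used_nonces:
        return False  # expired or replayed approval
    expected = _mac(device_key, request, response.get("decision", ""))
    if not hmac.compare_digest(expected, str(response.get("mac", ""))):
        return False  # response was not produced by the enrolled device
    used_nonces.add(request["nonce"])  # each approval is single use
    # A compromised browser may alter what it submits; execute only
    # what the user actually saw and accepted on the device.
    return (response["decision"] == "accept"
            and canonical(txn_to_execute) == canonical(request["txn"]))

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample device secret
    txn = {"action": "transfer", "amount": "250.00", "to": "GB00TEST"}
    req = create_request(txn)
    resp = device_respond(key, req, "accept")
    print(server_authorize(key, req, resp, txn, set()))
```

Because the decision and the transaction details are authenticated together, a "Deny" cannot be relabelled as "Accept", and an approval for one transfer cannot be reused for a different payee or amount.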
Consumer Awareness of 2FA is Growing
The good news is that consumers are becoming more aware of security threats, largely due to a string of hacks reported in recent news. As consumers look for a method of security that is more robust than a simple username and password, that demand drives the organisations that serve them. Supporting this observation, Twilio found that there has been a 618% increase in users enabling 2FA from 2015 to 2017 via the Authy app, with a rise of 538% in people who have carried out 2FA-protected logins over the past two years. Consumers are apparently becoming more security-aware and are open to changes in the way they protect themselves online, with many moving beyond password-only protection.
With 2FA, is the Internet Becoming Safer?
Security features like 2FA protect data even when older security processes fail. Data shows 2FA usage is increasing significantly, which is a good sign that online accounts are being better safeguarded. But does this imply the internet is getting safer? Overall, our analysis of applications shows that while 2FA is being implemented more often and users are more frequently protecting their accounts, we need to see these numbers double or triple over what we see today for us to be confident that the internet is safer. And with user-friendly 2FA options like push notifications, businesses are better positioned than ever before to make the method visible to their users or, even better, a mandatory part of the login process.