If you run a business, then the answer is: you! Nearly every service and process involves "logging in". It's often taken for granted, but we do it on average 45 (1) times per day across laptops, mobile phones, tablets, websites, ATMs, telephone payments and many other devices.
A lot has been written about the security benefits and relative strength of 2-Factor and 2-Step authentication (spoiler: 2-Factor is generally more secure (2)) but it seems the user experience is often overlooked. Strange when you consider it takes up so much of your day.
What is 2-Factor authentication? It's a process in which users log in by simultaneously providing two of the following three factors: something you Have, something you Know or something you Are. 2-Step authentication is similar, but you present your factors sequentially, i.e. you provide something you Have/Know/Are and, if that succeeds, you're asked to do so again.
A great example of 2-Factor authentication is your Chip and PIN credit card. You can buy dinner at a restaurant if you have the card (something you Have) and type in the PIN (something you Know). Both factors have to be present at the same time to work, and you (or an attacker) cannot use one or the other independently.
The most common example of 2-Step authentication is where you use an SMS code in addition to the password. First, you enter your username and password and if correct, you receive a text message with a code which also needs to be typed in. Here you are providing something you Know (password) followed by something you Know (text code) – some might argue the code is proof of something you Have (the phone) but for this analysis we’re happy with either interpretation.
So, taking it back to the top, why do we care?
Relative to passwords, most 2-Factor authentication imposes additional complexity in the form of hardware or user steps. 2-Step authentication, by its very design, will always introduce additional complexity and steps. Whilst there are many different 2-Step authentication schemes, let’s take a closer look at SMS text authentication:
- Type in username and password – submit and wait for approval. (For simple password logins this is where the journey ends, for SMS text authentication this is only the beginning!)
- Choose or confirm mobile number – submit
- Wake up mobile, log in and wait for text
- Launch SMS message app and read or memorise code
- Type code into website – submit and wait for approval
Every step above adds time, challenges your users and introduces a point of failure. Looking at the same steps in terms of failure, you get:
- 11.4% of users fail to enter the correct password on websites (1) (3)
- 38% of users don’t have their phone present when asked to authenticate (4)
- 3% fail a biometric and 2.3% fail a pin or password to login to the phone (1)
- 11-20% of SMS OTP texts never arrive, increasing to 50% if the phone number hasn't been verified (5)
- 10% of users fail to transfer a six-digit code correctly (6)
That implies less than 50% of your users complete the SMS login process, which takes 30-60 seconds and has to be repeated again and again until they either log in, lock out or leave.
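To make the "less than 50%" figure concrete, here is an added Python model of the SMS login funnel (not part of the original post). It uses the failure rates listed above as constructed inputs and assumes each step fails independently of the others; the step names are labels chosen here.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Step:
    """One step of the SMS 2-Step login, with the failure-rate range quoted above."""
    name: str
    fail_low: float
    fail_high: float


# Constructed from the failure rates listed above; the "phone number not verified"
# case (50% of texts lost) is modelled separately by with_unverified_number().
SMS_FUNNEL: List[Step] = [
    Step("enter password", 0.114, 0.114),
    Step("phone present", 0.38, 0.38),
    Step("unlock phone", 0.023, 0.03),          # PIN/password (2.3%) vs biometric (3%)
    Step("SMS OTP delivered", 0.11, 0.20),
    Step("transcribe six-digit code", 0.10, 0.10),
]


def completion_rate(steps: List[Step], worst: bool = False) -> float:
    """Share of users who reach the end, assuming steps fail independently (assumption)."""
    rate = 1.0
    for s in steps:
        rate *= 1.0 - (s.fail_high if worst else s.fail_low)
    return rate


def drop_off(steps: List[Step], worst: bool = False) -> List[Tuple[str, float]]:
    """Share of the original population lost at each step, in funnel order."""
    remaining, losses = 1.0, []
    for s in steps:
        f = s.fail_high if worst else s.fail_low
        losses.append((s.name, remaining * f))
        remaining *= 1.0 - f
    return losses


def expected_attempts(steps: List[Step], worst: bool = False) -> float:
    """Mean number of full attempts before one succeeds, if retries were independent
    (assumption; in reality a user without their phone keeps failing)."""
    return 1.0 / completion_rate(steps, worst)


def with_unverified_number(steps: List[Step]) -> List[Step]:
    """Same funnel, but 50% of OTP texts never arrive (unverified phone number)."""
    return [Step(s.name, 0.5, 0.5) if s.name == "SMS OTP delivered" else s for s in steps]


if __name__ == "__main__":
    for label, worst in (("best case", False), ("worst case", True)):
        print(f"{label}: {completion_rate(SMS_FUNNEL, worst):.1%} complete, "
              f"~{expected_attempts(SMS_FUNNEL, worst):.1f} attempts each")
    name, share = max(drop_off(SMS_FUNNEL), key=lambda kv: kv[1])
    print(f"largest single loss: {name} ({share:.1%} of all users)")
    print(f"unverified number: {completion_rate(with_unverified_number(SMS_FUNNEL), True):.1%}")
```

Under these assumptions the funnel completes for roughly 38-43% of users (about 24% with an unverified number), and the single biggest loss is the 38% who do not have their phone to hand, not the password step.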
If you care about your business then you care about your login!
In contrast, MIRACL's PIN-based authentication has a failure rate of 0.5%-3%, takes 2-3 seconds and costs less than 0.5p (on volume). To see a head-to-head comparison of MIRACL's user-friendly 2-Factor authentication against SMS 2-Step, check out this 30-second VIDEO. To book a demo visit https://calendly.com/miracl/demo.
MICHAEL TANAKA, CCO of MIRACL, has over 30 years' experience presenting complex technologies and concepts to a diverse range of technical and business audiences.
(1) https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-mare.pdf
(2) https://miracl.com/blog/fido-critique-part-1-of-3/
(3) https://www.andrewpatrick.ca/CHI2003/HCISEC/hcisec-workshop-brostoff-2.pdf
(4) https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
(5) https://www.paymentscardsandmobile.com/50-one-time-passwords-fail-arrive/
(6) https://hackernoon.com/why-do-most-people-ignore-two-factor-authentication-1bbc49671b8e