
Dear Developers, Please Support Two Factor Authentication


Thinking back on a time when her information was hacked, a developer discusses how this altered her development practices and made 2FA seem so much more important.


Security is a topic all people in technology know is vitally important, but not all of us utilize best practices. Not practicing what you preach seems to be a trend in most industries. There are healthcare professionals who know how to take the best care of themselves and don't, parents who only buy organic food for their kids and binge fast food, and tech gurus who have the same password for every single account in their name.

A Personal Story

I am guilty of the latter, and it led to a really upsetting weekend when some lovely human hacked my mobile account and ordered themselves an iPhone X on my dime. If I had just practiced what I believe at work (and share with my clients), then it would have easily been a hacking fail. Instead, the super creative name of my beloved childhood pet and my favorite numbers (insert sarcastic eye roll) led to a weekend full of phone calls, paperwork, and getting signed up for over four thousand newsletters from all over the world. I also finally gave in to multi-factor authentication and unique passwords autogenerated by my new favorite product, LastPass. It is shameful to admit this happened to me, but it happens. To quote my mentor, "You win or you learn." I learned.

Why did I overlook multi-factor authentication? Easy. I don't do anything exciting, I don't have massive bank accounts to drain, and I thought it wouldn't happen to me. I do utilize the highest security practices at work, but when it comes to me, nope. I always used the excuse that it was bothersome and took too long. But all thanks to the really swell person who wanted a free iPhone X, that has changed and, to be honest, it is much faster than having to figure out how to unsubscribe from all those newsletters.

Duplicate Passwords

As soon as it hit me that I used the same dumb password for every account I had, I kicked into overdrive and started looking into security. I felt so violated that someone within a matter of minutes had gotten all of my personal information, and I knew it wouldn't take very long for that to spread to other accounts if they were so inclined. My first conversation was with a nice technical support person at my mobile phone provider. I asked her about setting up multi-factor authentication on my account, and she had no idea what I was talking about. She suggested that I change my password. How she was not well-versed in this question, or in how to help me, was beyond me. This is a big deal. I started looking into it and found how to activate two-factor authentication (2FA) on my account immediately.

Security Planning

As a developer, I now look at security within applications a bit differently. I will no longer use applications or work with companies that do not implement 2FA and strong security measures and treat my personal information with care. I have done a lot of research recently on how to best implement it within the development process. This requires a massive amount of planning. You have to answer a million questions about how to implement this in your own application.

I brainstormed a list of things that would need to be decided before coding could begin, and it is a long list! Here is what I came up with within just a few minutes of brainstorming:

  • How do you want to store user passwords?
  • What libraries will this require you to bring into your project, and how much time will it take to wire them up to play nicely with your code?
  • Will 2FA be optional for your users?
  • How will your app keep track of who uses 2FA and who does not?
  • How do you want users to generate the 2FA options?
  • How will you deliver your 2FA codes?
    • Text messages, phone app, etc.
    • Validation options for your choices.
  • What happens when a user gets a new device or loses one?
  • How long does your 2FA last?
    • Timing requirements.
    • Device requirements.
  • How do you plan to handle suspicious logins or lockouts?
  • And the list goes on and on...
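The code-generation, timing and lockout questions in the list above, worked through as an added example that is not part of the original article: a standard-library-only Python TOTP (RFC 6238) verifier with a bounded clock-drift window, replay rejection and a per-user failed-attempt lockout. The `UserRecord` shape, the 30-second step, the one-step window and the five-failure threshold are illustrative assumptions, not a recommendation from the author.

```python
# Added example (not from the original article): a minimal RFC 6238 TOTP
# verifier with a bounded time-step window and a per-user failed-attempt
# lockout. The user record layout and thresholds are constructed for the demo.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30      # how long one code is valid (the "timing requirement")
WINDOW_STEPS = 1       # also accept the previous/next step to absorb clock drift
MAX_FAILURES = 5       # lock the account after this many bad codes in a row
DIGITS = 6

def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)

class UserRecord:
    """Per-user 2FA state: enrolled or not, the shared secret, failures, lock."""
    def __init__(self, secret_b32=None):
        self.secret_b32 = secret_b32          # None => user has not enrolled in 2FA
        self.failures = 0
        self.locked = False
        self.last_step = -1                   # highest step already consumed (anti-replay)

def verify_totp(user: UserRecord, submitted: str, unix_time: int) -> bool:
    if user.locked or user.secret_b32 is None:
        return False
    step = unix_time // STEP_SECONDS
    for delta in range(-WINDOW_STEPS, WINDOW_STEPS + 1):
        candidate_time = (step + delta) * STEP_SECONDS
        if (step + delta) > user.last_step and hmac.compare_digest(
                totp_code(user.secret_b32, candidate_time), submitted):
            user.failures = 0
            user.last_step = step + delta     # a used code can never be replayed
            return True
    user.failures += 1
    if user.failures >= MAX_FAILURES:
        user.locked = True                    # suspicious-login handling: lock out
    return False
```

The first assertions in a quick check can be taken from the RFC 6238 SHA-1 test vectors (secret "12345678901234567890", 6-digit truncation), which this implementation reproduces.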

Summary

I could continue to list more questions that need to be answered, but I think it is very obvious that when a company puts this much work into security decisions, they really have their users' best interests at heart. You can obviously outsource this work, too, to make sure it is handled properly. There are plenty of companies and developers who specialize in security and would be happy to help, guide, or write what it is that you need. Whether or not you build it yourself is irrelevant to the user; they just want to know that their information is safe with you, and it needs to be done correctly.

Businesses, developers, and users should take multi-factor authentication very seriously. You don't have to be cool or exciting to get your information stolen and used against you. I now lock down my personal information like I have crazy high-level secrets in every single account... except for my kid's lunch accounts. I invite hackers to feel free to break in and fill them up!


Published at DZone with permission of
