At Verge we take the security of our own and our clients' data seriously. One of the simplest practices we have adopted to increase the security of our accounts is to enable multi-factor authentication for the services we use and the services we provide. Wikipedia's definition of multi-factor authentication is as follows:
"Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are)."
We have used multiple solutions across our products and would like to share some of them to help others understand how they can easily increase the security around their accounts.
External services like Google, Dropbox, Amazon, DigitalOcean, Twilio, and basically anybody who takes account administration seriously offer some sort of two-factor authentication. Beyond the standard password, they will usually request a telephone number to which they send a one-time code that must be entered when you log into their application. One problem with that approach is that you have to have access to the phone number that receives your one-time code.
Alternatively, you can use an application such as Google Authenticator (https://en.wikipedia.org/wiki/Google_Authenticator), which you install on a mobile device and which generates a one-time code for you regardless of whether you are connected to a mobile network. This is especially helpful if you are in an environment without mobile connectivity or don't have a phone (e.g. Google Authenticator also works on a tablet).
A third and less common solution is a hardware dongle that plugs into a USB port on your computer. The key usually must comply with the Universal 2nd Factor (U2F) standard (https://en.wikipedia.org/wiki/Universal_2nd_Factor). When you log into the account, the application will ask you to press a button on the dongle to confirm that you are in fact in possession of the device.
Each of these solutions matches the Wikipedia definition in that it combines something you know, your password, with something you possess, be it a phone, a tablet, or a hardware device.
In our experience, setting up multi-factor authentication for external services is quick and easy, and we encourage all our clients to look into solutions that fit their needs.
At Verge we have primarily worked with two products for adding multi-factor authentication: Google Authenticator and idQ by inBay. Both have their advantages and disadvantages, and we choose between them on a case-by-case basis.
Google Authenticator has extremely wide adoption thanks to corporate backing. A huge number of libraries implement it in various programming languages, and we have even contributed our own in Elixir (https://github.com/maxneuvians/nio_google_authenticator). Setting up the app on a mobile device is well documented, and the ability to get codes without an internet connection is great, because not everybody who needs a code has a smartphone; some only have a tablet. One downside we have found is that users' devices often do not keep exact time and drift, which either invalidates the code or leaves the user too little time to enter it. Sometimes users struggle with reading and typing the code, which leads to frustration and a poor experience. As stated above, we try to use the technology where appropriate.
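As an added example (not Verge's code or its Elixir library), here is a minimal RFC 6238 TOTP verifier in Python that shows how clock drift on the user's device invalidates a code, how a one-step acceptance window restores usability, and how a stored last-used counter keeps an already-used code from being accepted a second time. The key is the RFC 4226 / RFC 6238 test-vector key, used here purely as a constructed demo value.

```python
import hmac
import hashlib
import struct

# Constructed demo key: the ASCII test-vector key from RFC 4226 / RFC 6238.
# Google Authenticator is provisioned with the same kind of key, base32-encoded in a QR code.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time; what the app displays."""
    return hotp(secret, int(at) // step, digits)

def verify_totp(secret: bytes, code: str, at: float, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matched counter (persist it as last_counter) or None.

    window=1 also accepts the steps just before and after the current one, so a device
    clock drifting by up to one step still works. Candidates not newer than last_counter
    are skipped, so a code that was already used cannot be accepted a second time.
    """
    counter = int(at) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None

if __name__ == "__main__":
    server_now = 59  # server clock, seconds since the epoch; a device in sync shows "287082"
    print("in sync:", verify_totp(SECRET, totp(SECRET, server_now), server_now))
    # A device running 45 s slow is still in step 0 and shows "755224".
    print("45 s slow, window=0:", verify_totp(SECRET, totp(SECRET, 14), server_now, window=0))
    print("45 s slow, window=1:", verify_totp(SECRET, totp(SECRET, 14), server_now))
    # The in-sync code presented again after the server stored last_counter=1 is rejected.
    print("replay:", verify_totp(SECRET, "287082", server_now, last_counter=1))
```

Widening `window` trades tolerance for drift against the number of codes that are valid at any moment, so keep it at one step and fix the device clock instead where you can.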
inBay's idQ technology is the second service we have used in our products. It works a lot like Google Authenticator in that you install an application on a mobile device; however, the device must be connected to the internet to use it and must have a camera. With idQ you scan a QR code on their website with your device, and it then automatically logs you into our web application as the user you claim to be. When setting up the mobile application you must choose a way to authenticate yourself to the device, either a PIN code or your fingerprint, if your device supports it. In that sense idQ is the only true multi-factor authentication solution, because you can combine your account password (knowledge) with the device the application is installed on (possession) and your fingerprint (inherence). The application is not perfect in that your device always needs to be online, but we have found that in the majority of our use cases this is not a problem.
If you are interested in learning more about how to add multi-factor authentication to your application or services, please drop us a note on our contact us page.