What is 2FA
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information. This second factor could come from one of the following categories:
- Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern
- Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
- Something you are: This category is a little more advanced, and might include a biometric pattern such as a fingerprint, an iris scan, or a voice print
With 2FA, a potential compromise of just one of these factors won’t unlock the account. So, even if your password is stolen or your phone is lost, it is highly unlikely that someone else will also have your second-factor information. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity, and can then unlock the account.
SMS Text-Message and Voice-based 2FA
SMS-based 2FA interacts directly with a user’s phone. After receiving a username and password, W5 via Authy sends the user a unique one-time passcode (OTP) via text message. A user must then enter the OTP back into the application before getting access. Similarly, voice-based 2FA automatically dials a user and verbally delivers the 2FA code. While not common, it’s still used in countries where smartphones are expensive, or where cell service is poor.
Depending on the nature of the data being stored within your W5, this level of 2FA may not be secure enough. In fact, SMS is considered to be the least secure way to authenticate users. Because of this, many companies are upgrading their security by moving beyond SMS-based 2FA.
Push Notification for 2FA
Rather than relying on the receipt and entry of a 2FA token, W5 via Authy can now send the user a push notification that an authentication attempt is taking place. The device owner simply views the details and can approve or deny access with a single touch. It’s passwordless authentication with no codes to enter, and no additional interaction required.
By having a direct and secure connection between the W5 service, the 2FA service, and the device, push notification eliminates any opportunity for phishing, man-in-the-middle attacks, or unauthorized access. But it only works with an internet-connected device that is able to install apps. Also, in areas where smartphone penetration is low, or where the internet is unreliable, SMS-based 2FA may be a preferred fallback. But where it is an option, push notifications provide a more user-friendly, more secure form of 2FA.
Using 2FA in W5
W5 supports 2FA by making use of the Authy service. After signing up for an Authy account and adding an application registration within the Authy console/dashboard, W5 can be configured to accept 2FA authentications. W5 additionally supports the disabling of SMS- and Voice-based 2FA to ensure the most secure experience.
Currently the W5 Windows application and W5 Web API support 2FA authentication. If you also need your W5 web portal covered by 2FA, please let us know.
For assistance with setting up Authy for use with your W5, please contact our Customer Support.