Question: What Is Two Factor Authentication?
Despite warnings, many people use the same password on multiple websites. So if their password is discovered (or hacked) on one website, their accounts on other websites become vulnerable too.
Answer: Ecommerce websites are particularly prone to hacking because they transact money. If someone learned your password on an ecommerce website that stores your credit card details, they could misuse that card extensively before you realize it.
That explains why a mere password is inadequate authentication on an ecommerce website. If not a password, what else could you ask for? Before we answer that question, let us understand how authentication works:
Password based authentication relies on "what you know" evidence. If you know the password you gain entry, otherwise you are not allowed access to the account. But "what you know" is not the only acceptable type of evidence for authentication. There are two more types of authentication based on:
- who you are
- what you have.
Example of Two Factor Authentication
The "who you are" category requires the use of biometric identification. This could be something as basic as a thumb impression. But no ecommerce player can expect customers to purchase biometric readers. Therefore the "what you have" category of evidence should be preferred by ecommerce players. Here is an example:
When a customer requests login, the ecommerce website infrastructure can create a one-time-password and message it to the customer's cell phone. A combination of the user name, password, and the one-time-password would authenticate the customer.
Advantage of Two Factor Authentication
The clear advantage of two factor authentication is the increased level of security. The higher the security, the lower the incidence of fraud. The lower the incidence of fraud, the higher the confidence to transact online. Thus the ecommerce player who implements two factor authentication gains. So does the ecommerce industry as a whole.
Disadvantage of Two Factor Authentication
Increased security causes increased inconvenience to the user. There are websites that allow users the option of activating two factor authentication. But it is observed that a large proportion of users do not opt in for the higher level of security. You could argue that they have not thought it through, but it is as likely that they cannot tolerate the added inconvenience.
The Legal Angle
If fraud takes place and the customer holds you responsible for lax security measures, you would have a stronger case if you have implemented two factor authentication on your ecommerce website.
It Does Not Stop at Two
Extending the concept of two factor authentication, you could also consider multi-factor authentication. The premise remains the same -- as you increase the number of categories of evidence required for authentication, the likelihood of fraudulent authentication reduces.

