
How two-factor authentication can improve your application security

2FA for improved app security

You’ve put countless hours into the development of your application, an impressive interface and an enjoyable user experience. Now go the extra mile by offering secure transactions too. A simple username and password combination is no longer enough to keep your users safe, as fraudsters are now targeting mobile apps.

Why SMS two-factor authentication?

Users are enjoying music, messaging, recipes and more on their phones, so it makes sense to keep verification in the same place, with something they carry on them all the time. Authenticate transactions – for example, purchases or password changes – with an OTP sent via SMS.

Why phone verification? Users tend to have the same phone number for years and phone numbers are difficult to fake. If you are aiming your app at an international audience, an authentication API teamed with a reputable SMS gateway makes it easy to communicate with any user, anywhere, in any language. You can also set OTPs to expire within a few minutes or hours, which means fraudsters can’t reuse them. It’s easy for a user to copy and paste a one-time password into an app to authorize an interaction. Finally, SMS authentication is cost effective too – no additional hardware is required.

When to add extra verification steps for application security

Each app is different and you need to think about the touch points or data that could put your app at risk. If you were a hacker, what information would you be after – aside from obvious things like login information and credit card details? For example, if your app gathers photos or sensitive health information, consider how you can put extra security controls in place to protect those assets.

Typically, these are the scenarios where extra verification is a good idea:

Sign up: Users don’t access their account dashboard as frequently as they might on a desktop computer so you need to ‘catch’ them at sign up. Be sure to ask for a mobile number up front – explaining that this will be used for verification purposes – then verify their identity via SMS on their very first sign-up attempt.

Logging in on a new device: If a user accesses an account from a new tablet for example, or a new IP address, ask for additional verification.

Resetting passwords: One of the most common ways for hackers to get into user accounts is through phishing emails, so it’s a good idea to verify a new password with an SMS OTP.

Certain account changes: There are certain updates a user can make that could put their information or billing at risk – for example, adding a beneficiary or upgrading to a pricier payment level. Flag these and add extra verification steps.

Payments: Whether a user adds a new credit card, activates one-click payments or even each time a payment is made (or loyalty points are used for payment), you could ask for extra verification to give them additional protection.

Optional security measures:

  • Each time they log in: This is the ultimate security – allowing a user to choose mobile authentication each time they log into an app. Many large companies such as Twitter, Facebook and Gmail offer this service.

  • When there is unusual behaviour on their account: If a user suddenly deviates from their normal behaviour – making a lot of purchases in a short amount of time or buying things they wouldn’t normally buy – this could also be flagged and a verification step could put an end to possibly fraudulent activities.

  • In-app news/notifications: You could encourage your users to opt in to extra verification steps if you have a news/notification service built into your app. You could even unlock some kind of reward if a user chooses extra security. It will demonstrate to your users that you take their security seriously.

  • Marketing newsletters: Use your newsletters to educate users about mobile app security. Gmail, for example, sends out periodic security checklist marketing mails that encourage you to activate two-factor authentication.
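The scenarios above amount to a step-up policy (which events must be gated behind an OTP) plus an OTP lifecycle (issue a code, let it expire, accept it once). The following is an added example written for this article, not Clickatell's API or code: it assumes a five-minute expiry and a five-attempt limit, stores only a hash of the code bound to its purpose and phone number so a login code cannot be replayed against a payment, and leaves the actual SMS send to the gateway (not shown).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a code expires five minutes after issue
MAX_ATTEMPTS = 5        # assumption: a code is locked after five wrong guesses

# Events that always require an SMS OTP (the article's "typical scenarios").
ALWAYS_VERIFY = {
    "signup", "password_reset", "add_beneficiary", "upgrade_plan",
    "add_card", "enable_one_click", "payment",
}


@dataclass
class PendingOtp:
    digest: bytes        # hash of the code, never the code itself
    expires_at: float    # unix time after which the code is rejected
    attempts: int = 0    # wrong guesses so far


@dataclass
class User:
    phone: str
    known_devices: set = field(default_factory=set)
    always_otp: bool = False                      # optional "each time they log in"
    pending: dict = field(default_factory=dict)   # purpose -> PendingOtp


def _digest(code: str, purpose: str, phone: str) -> bytes:
    # Bind the hash to purpose and phone so a code issued for one action
    # cannot be replayed to authorise another.
    return hashlib.sha256(f"{purpose}:{phone}:{code}".encode()).digest()


def needs_verification(user: User, event: str, device_id: str = "",
                       anomaly: bool = False) -> bool:
    """Step-up policy: should this event be gated behind an SMS OTP?"""
    if event in ALWAYS_VERIFY:
        return True
    if event == "login":
        # New device (or the user opted in to OTP on every login).
        return user.always_otp or device_id not in user.known_devices
    # Any other event only when behaviour looks unusual.
    return anomaly


def issue_otp(user: User, purpose: str, now: float = None) -> str:
    """Generate a numeric OTP, store its hash with an expiry, return the code to send by SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    user.pending[purpose] = PendingOtp(_digest(code, purpose, user.phone),
                                       now + OTP_TTL_SECONDS)
    return code  # hand this to the SMS gateway; sending is out of scope here


def verify_otp(user: User, purpose: str, code: str, now: float = None) -> bool:
    """Accept a code once, only for its purpose, before expiry, within the attempt limit."""
    now = time.time() if now is None else now
    entry = user.pending.get(purpose)
    if entry is None or now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
        return False
    entry.attempts += 1
    if not hmac.compare_digest(entry.digest, _digest(code, purpose, user.phone)):
        return False
    del user.pending[purpose]   # single use: the same code cannot authorise a second action
    return True


if __name__ == "__main__":
    u = User(phone="+15550000000")   # constructed sample user
    print("new-device login needs OTP:", needs_verification(u, "login", device_id="tablet-1"))
    code = issue_otp(u, "payment")
    print("payment code accepted:", verify_otp(u, "payment", code))
    print("same code reused:", verify_otp(u, "payment", code))
```

The policy function is deliberately separate from the OTP store so that the list of gated events can grow (or be toggled per user) without touching the verification logic.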

By offering data encryption, payment gateway verification (such as Verify by Visa) and SMS two-factor authentication, you’ll be in a strong position to safeguard your users from fraud. SMS two-factor authentication is cost effective, relatively easy to implement and works on a global scale.

Take a look at Clickatell’s authentication API for WordPress, with simple instructions on how to add two-factor authentication to your application.
