How to implement a better login method than passwords – in 2 hours

Passwords have once again gotten a lot of negative attention, and a steady stream of organizations are moving to more secure and user-friendly identification methods. This is how you can implement mobile phone two-factor authentication (2FA) in only 2 hours.

There is a long row of methods for identifying which customer, employee, partner or citizen is trying to access digital resources such as online portals, e-services, e-commerce sites and corporate IT systems.

“User name and a static password is still the most common method, even though most people have realized its drawbacks in terms of the cost of replacing lost passwords and cleaning up after leakages, the hassle for users and administrators, and the lack of security,” says Daniel Hjort, Director Smart ID Management at identity and security company Nexus Group.

Another common method is using additional authentication hardware, such as smart cards and readers or code generating hardware tokens, to improve security.

“This means that the user identifies herself with two factors: something she has – the hardware – and something she knows – the pin code. This is more secure than only a static password, and can be a good solution. But it is also even more expensive than passwords, and also even more of a hassle for users and administrators,” says Hjort.

Would you like to get ahead of security issues? Download Guide: The IT manager’s cheat sheet

How to accomplish strong authentication today

The most cost-effective and user-friendly way to accomplish strong authentication today is to let the user’s smartphone act as the second authentication factor, according to Hjort.

“The reason is that pretty much everyone already has a smartphone, and that it is kept close to us day and night. To use hardware that the users already have and love is such a straightforward and obvious way to do this, that I am convinced it soon will be the totally dominating method. There are different solutions and ways to implement mobile 2FA, and some only take two hours.”

The first step is to do research on the internet on what mobile 2FA solution suits your organization the best.

“Many suppliers let you test drive their solution for free, so do not sweat over the decision too much,” says Hjort.

Then you register online with the supplier of your choice, and copy the code snippet you are provided in the supplier’s web portal.

“You paste the code snippet into the code of your online portal or e-commerce site, and bahm, the users are asked to authenticate with an app in their mobile phone when they attempt to login to your digital resources. All of this should take you no more than two hours – otherwise the supplier’s web portal is not up to snuff,” says Hjort.

If there already is a commonly used mobile authentication app on your market, such as BankID in Sweden, you can direct your users to that.

“Otherwise you can point your users to your 2FA supplier’s mobile app, either as it is or branded in your organization’s name. In this case you also have to issue electronic IDs yourself to your users.”

There are different methods and processes for issuing electronic IDs (eIDs), and even though most of them mean you will pass the two-hour mark for the implementation of the new 2FA solution, it is much less complex than most people think, according to Hjort.

“Just ask your supplier for guidance, and you will be up and running much sooner than you expect. And there are initiatives like Swedish BankID going on all around the world, so even though issuing your own eIDs to your users can have several benefits, you soon do not have to do it if you do not want to,” says Hjort.

Download Guide: The IT Manager's cheat sheet - get ahead of security issues