Mobile and 2 Factor Authentication

If you are offering an app that needs stronger login methods, then you should take a look at 2 factor authentication. In summary, you force users to log in using their usual username/password and additionally require another ID, typically a PIN that’s only valid for a short time. This is the same as the smart cards/tokens companies provide to employees to log in via VPN. In mobile solutions, this usually translates to sending the PIN to the user via SMS when they attempt to log in.

First some advice as a user rather than a developer: for some reason it’s little known that both Google and PayPal allow you to use these authentication schemes. Google has an Authenticator app that you run on your Android, iOS or BlackBerry phone to generate the PIN, while PayPal sends its PIN via SMS. PayPal also has a credit card sized PIN generator that some users (not sure which exactly) can purchase. If you don’t already use these yourself then I recommend you do, as they make your accounts much more secure.

Anyway, if you want to use such a scheme for your app, you would do well to look at PayPal’s implementation, as it has a few problems you can avoid. The first is that if you log in via the mobile web site, rather than the desktop site, it doesn’t send a PIN. Very annoying. The lesson here is to make sure you cover all the ways the user is likely to log in. The second problem with the PayPal implementation is that you don’t actually need the PIN and can instead enter extra personal information to gain access, which defeats many of the gains of two factor authentication. Lesson two is to think about how the user gains access when, under rare circumstances, they might not have access to the PIN. It shouldn’t be too easy to gain access, and you should perhaps use a further second factor method rather than relying wholly on the first factor.