More than most businesses, financial services providers such as banks, accountants, and wealth management and planning consultancies need to protect their own and their clients’ digital assets and grant access only to individuals who have the credentials to view and update them.
Best practices for security today call for two-factor authentication (2FA), which protects accounts from unauthorized data access by requiring a second form of identification in addition to usernames and passwords. That second factor can take several forms:
- Something a user knows, such as a password
- Something they have, such as a smartphone or a hardware authentication token
- Something they are, such as a biometric characteristic — fingerprint, faceprint, voice
Since you’re already asking for something they know — a password — you should, in addition, ask for one of the other factors. Which one?
The best second factor is something that most users will find easy to use and that doesn’t cost them any money they haven’t already spent. Consider something they have: More than 97% of Americans own a cellphone. That means you can send a one-time password (OTP) to their device and require them to enter it on a web form to unlock access to their data.
Many organizations use SMS to send OTPs, since text messaging is most people’s preferred communications channel. You should be prepared, though, to also send OTPs via voice call to meet the needs of customers who either lack a cellphone but do have a landline or who simply prefer voice communication.
Only someone with the user’s device, or more accurately their phone number, can successfully complete authentication with a one-time password, providing a strong measure of additional security.
Other options for 2FA
Alternatives for 2FA all have issues that make them less well suited for 2FA. Hardware tokens such as the Yubikey, for instance, are exceptionally secure, but they’re relatively expensive (especially compared to the zero added cost of a mobile phone) and easy to misplace. Biometric verification is hard to fool (but not impossible) but it requires hardware (such as a camera or fingerprint reader) that may not be available, along with software to verify the biometric measurement.
Finally, there’s the option to use a software authentication app, such as Google Authenticator. These apps run on smartphones and generate a numeric token that users have to enter to gain access to resources. Software on the server side, which runs the same algorithm as the authenticator app, checks that the number entered matches the expected number for the account. Authenticator apps are fine but somewhat complex. Rather than tap around to find the right app and the right account within the app, most people find it easier to have a unique code delivered right to them via text or voice message — and when you’re supporting thousands or millions of customers, ease of use means fewer support calls and lower costs.
Plivo’s SMS API and Voice API are excellent options for integrating OTPs into your existing applications. We’ve written use case guides on how to implement 2FA with Plivo APIs, either via .NET, Node.js, Ruby, Python, or PHP or by using PHLO, Plivo’s drag-and-drop low-code/no-code tool. See for yourself how easy it is to integrate Plivo APIs into your financial services applications — sign up for a free trial account.
