On 14 September 2019, Europe adopted the PSD2 payment standard, which requires multiple owner checks ( https://ec.europa.eu/info/sites/info/files/business_economy_euro/banking_and_finance/documents/190621-eba-opinion-strong-customer-authentication-statement_en.pdf ).
In order to be PSD2 compliant, payment gateway providers are obligated to integrate multi-factor authentication methods. The most common authentication methods are:
1) Username + password login
This authentication method is implemented by almost all websites on the internet. To make the authentication check more secure, most web and mobile applications ask users to confirm their identity by sending a verification email. This email usually contains a link that users are required to click in order to confirm their identity. But this led to many phishing campaigns, which is why it was decided that multi-factor authentication is recommended.
Google recommends using stronger hashing algorithms such as SHA-256 and SHA-3 for storing passwords in the database. Other options commonly used in practice are bcrypt, scrypt and argon2. We recommend that you encrypt all sensitive data that is stored in the database.
2) OTP (One Time Password)
Because email validation can lead to phishing attempts, most web and mobile apps also require an extra check, and the one-time password is used in most cases.
The one-time password can be sent via SMS, email, chat applications or mobile apps.
3) Biometric authentication
Starting from 2019, fingerprint, face recognition and typing biometrics are allowed as a multi-factor authentication step. Almost all smartphones offer fingerprint authentication or face recognition. It's easy to integrate the smartphone capabilities as a multi-factor authentication step.
4) Hardware authentication devices
Hardware authentication is an approach to user authentication that relies on a dedicated physical device (such as a token) held by an authorized user, in addition to a basic password, to grant access to computer resources.
For example, the YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords, public-key cryptography, and authentication, and the Universal 2nd Factor and FIDO2 protocols developed by the FIDO Alliance.
There's no better way to secure your online accounts than to use hardware-based two-factor authentication (2FA).
Security keys are easy to use, put an end to phishing attacks, cheap, and are less hassle and much more secure than SMS-based two-factor authentication. And the good news these days is that you can get security keys in a variety of formats: USB-A and USB-C, Lightning for iPhone users, and even keys that use Bluetooth.
5) Other authentication methods
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords.
You are using OAuth every day without knowing it: every time you log in using Facebook, Twitter, GitHub, Yahoo or Microsoft, you are using the OAuth standard.
Conclusion
We created a list of over 5 authentication methods, but the title refers to Two Factor Authentication (2FA). Our recommendation is to implement at least two factors of authentication and to require all users to use these two auth factors.
The most secure authentication method is using a hardware authentication device, but fingerprint and typing biometrics can also be used as a very secure authentication method. There are free OTP mobile apps that you can use, but no matter what you do, if you are storing passwords in the database, please use a strong encryption algorithm for storing sensitive data.
Payment gateway providers are obligated to integrate multi-factor authentication methods, but all website and mobile app owners are required to create a secure environment for their users. In order to protect their data, everyone (from bloggers to businesses and top 500 companies) should consider integrating Two Factor Authentication (2FA) into their web and mobile apps.