Making two-factor authentication more user-friendly through trusted devices

Identifying a trusted device for two-factor authentication

  • A GUID (a long string of random characters) stored in a cookie
  • A GUID stored in localStorage
  • The User-Agent header

What is the right policy for two-factor authentication?

  1. Should I make two-factor authentication optional or required? Making it required is obviously more secure, but some users can be uncomfortable with it. Note also that the “right” answer for you might be in the middle: force privileged users (administrators) to use 2FA, while making it optional for the other users.
  2. Should I provide 2FA via SMS or via an application? If you can afford it (remember that SMS messages have a cost), I would say both, but note that 2FA via SMS has been proven less secure than 2FA via an application, as SMS can be intercepted, so the most secure way is via an application.
  3. Should I allow users to save trusted devices? If you require high security, then no (for example, I wouldn’t want my bank’s website to allow me to do this). If, however, user-friendliness is more important to you, then you can do it, and save a trusted device for, for example, 30 days.
  4. Should I protect sensitive operations via 2FA? Unless these sensitive operations need to be performed repetitively, there is no reason not to do this. Make a list of the sensitive operations of your system, and protect them via 2FA.
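How a server can back the trusted-device identifiers listed above and the 30-day trust window from point 3, as an added example that is not code from the original post. It assumes an in-memory dictionary standing in for the database; `TrustedDeviceStore`, `TRUST_DAYS` and the injectable clock are hypothetical names chosen for the example.

```python
"""Trusted-device tokens for a 2FA "remember this device" feature (added example)."""
import hashlib
import secrets
import time

TRUST_DAYS = 30            # the 30-day window suggested in point 3
SECONDS_PER_DAY = 86400


class TrustedDeviceStore:
    """Issue and verify trusted-device tokens after a successful 2FA login.

    The browser only holds the random token (the "GUID", in a cookie or
    localStorage); the server keeps a SHA-256 hash of it, so a leaked
    database does not hand out tokens that still work.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock (hypothetical, for testing)
        self._records = {}              # token_hash -> (user_id, user_agent, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, user_agent):
        """Called once the user passed 2FA and ticked 'trust this device'."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        expires_at = self._now() + TRUST_DAYS * SECONDS_PER_DAY
        self._records[self._hash(token)] = (user_id, user_agent, expires_at)
        return token                        # send to the client; never stored in clear

    def is_trusted(self, user_id, token, user_agent):
        """True if the second factor may be skipped for this login attempt."""
        key = self._hash(token)
        record = self._records.get(key)
        if record is None:
            return False
        rec_user, rec_agent, expires_at = record
        if expires_at <= self._now():
            del self._records[key]          # past the trust window: forget the device
            return False
        # Bind the token to the account it was issued for and to the User-Agent
        # seen at issue time, so a token copied elsewhere is not enough on its own.
        return rec_user == user_id and rec_agent == user_agent

    def revoke_all(self, user_id):
        """On password change or 'sign out everywhere', drop the user's devices."""
        self._records = {h: r for h, r in self._records.items() if r[0] != user_id}
```

A real deployment would persist the hash, user id, User-Agent and expiry in a table with the same shape, and set the cookie with `Secure`, `HttpOnly` and `SameSite`.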

Guillaume Viguier-Just
Web developer and personal finance enthusiast