American Marketer


Making the most of mobile 2FA

September 25, 2015

Punit Shah is cofounder and chief product officer of CallFire Punit Shah is cofounder and chief product officer of CallFire


By Punit Shah

Two-factor authentication – or 2FA – is a way of doubling down on your online account security. It requires a combination of two credentials before access is granted, usually a PIN or password, and a code sent to your phone via SMS. The rule of two is: something owned, something known.

Electronic multi-factor authentication has been around for a long time, necessitated by the rise of the ATM, which could only authorize cash withdrawals if the correct combination of something owned (a bank card) and something known (a PIN) was provided.

As we move more of our personal data to the cloud, the risk of exposure to cyber criminals, and with it the relevance of 2FA, increases.

How mobile enhances 2FA
The proliferation of mobile technology has made 2FA more efficient.

Everyone carries their phone with them and, unlike an ATM card that may only be used once a week or less, the theft or loss of a primary mobile device is usually spotted in short order.

Dynamically generated passcodes are different with every log in, making them superior to PINs. Users can even set the maximum permitted number of incorrect entries according to their requirements.

Though there are some disadvantages to phone-based 2FA, constant and often dramatic improvements in mobile technology are rendering many of the risks negligible, or solving them altogether.

Battery life, for example, has gotten to the point where even the most avid swipers and scrollers can expect to make it to the end of the night with a charge.

Network coverage has also drastically improved.

Add to that the security measures native to phones, such as PIN locking, and a lot has to happen before fraudulent ambitions can be realized.

Getting the most out of mobile 2FA depends on your willingness to take the extra time to ensure optimal security. It is not impervious to hackers, but it removes the more opportunistic among them from the equation.

Elephant in the room: Recovery
Committed hackers can use any number of tactics to thwart 2FA.

Common examples include phishing and malware, but 2FA’s Achilles’ heel is account recovery, which is the feature allowing you to reset your password and log in using a temporary one.

The problem with account recovery? It bypasses 2FA altogether.

The answer to the account recovery problem could lie in establishing one combination of 2FA for logging into an account, and another combination for recovery.

Implementing four different, secure factors is a tall order, but biometrics and voice recognition technology – both of which are improving in terms of reliability and availability – could hold the key.

For instance, capturing a customer’s unique thumbprint or facial scan upon sign up can be used as the second verification when that customer is trying to authenticate themselves during the account recovery process.

That way, additional information on the user is required, and hackers cannot use one source of stolen information (i.e., an email address/password combination) to break their way in to other accounts.

Why 2FA still works
This combination of factors makes it harder, though not impossible, for fraudsters to gain access to an account without hacking each level of identity verification.

For instance, JPMorgan Chase’s large data breach a few summers ago was due to the fact that its security team failed to upgrade one of its many servers to two-factor authentication.

We have seen a big increase in the amount of logins that include biometrics and similar authentication processes, and these methods will only evolve as cybercriminals continue to find ways around current security measures.

AS WITH ALL digital security measures, the more widely-used 2FA becomes, the more aggressively it will be attacked.

One thing will never change: thieves, like electricity, opt for the path of least resistance. That is why, when it comes to your online security, imperfect 2FA is far superior to perfect indifference.

Punit Shah is cofounder and chief product officer of CallFire, Santa Monica, CA. Reach him at