2 Factor Authentication for websites
Two Factor Authentication, also known as 2FA, two step verification or TFA, is an extra layer of security (a form of "multi factor authentication") that requires not only a username and password but also something that only that user has: a piece of information only they should know, or a physical token they have immediately to hand. In our case that token is a phone, one that has a traceable phone number assigned to it.
The following tutorial will explain how to set up 2 Factor Authentication for your new or existing web site.
First of all, log in to your account and find the 2 Factor Authentication screen:
- Click on the "Applications" tile:
- Once on the Applications page, click on the "2 Factor Auth" tile:
- Once on the "2 Factor Auth" page, click on the "Create New" button.
Here are the options you will see:
Here's an explanation on the various options available:
1. Name: the name of this Two Factor Authentication instance.
2. Description: a brief description.
3. CallerID: the CallerID that will be used when placing outbound calls (if outbound calling is enabled).
4. SenderID: the SMS/texting SenderID (From number) that will be used when sending out SMS/text messages. Please note that for US/Canada you must have an SMS-enabled phone number in your account before you can select this option.
5. Allow Dialing: gives your end users/visitors the option to verify their phone numbers by receiving calls. When set to "Yes", another set of options will show up; scroll down for their description.
6. PIN Length: the PIN length, by default 4 characters.
7. POST URL: one of the most important options you can set. This is the URL we will use to send you the authentication/verification information. This happens entirely server side, so your end users will never see this URL.
8. Local Post URL: the URL that our applet will post to on the client-facing interface (so your application can further process the user's signup or login actions).
9. DIV ID: our 2 Factor Authentication app will use this div id to populate the drop-in UI (User Interface). The same id must be defined in the HTML code of your page as an empty DIV. For example, if you set DIV ID to "2fa", then you should edit your login/signup page and add an empty div with that id. This is where the 2FA applet will show up.
10. Authenticate Type: you have two options: "Post URL", which triggers a call to the URL explained above under "7. POST URL", and "Enable Directly", which will just allow the form to post on to "8. Local Post URL" (less secure).
11. Domain: you can and should restrict this to the domain your website uses. If your website is www.test.com, restrict use to that domain so that the 2FA app only works there.
12. Show Captcha: controls the display of a Captcha on the drop-in 2FA user interface.
13. Maximum retries: how many retries should we allow per visitor?
14. Unique Identifier: the unique identifier you will use for this 2FA drop-in applet. We will explain how to use it later on (keep reading this article :) ).
15. Maximum SMS retries: how many times should we allow the end user to retry sending the SMS?
16. Maximum call retries: how many times should we allow the end user to retry calling their number?
17. SMS Message: allows you to send a configurable SMS message (option not available yet).
18. Help Link: the help link displayed on the 2FA drop-in applet. If none is specified, nothing will be shown.
When "Allow Dialing" is set to yes, the following options will become available:
Here's an explanation on the additional options:
1. Audio Choice: lets you choose how the user will be given their authentication PIN. Available choices are TTS and Audio. Selecting Audio hides the options "Text to speech" and "Text to speech language" and replaces them with "Prerecorded audio voice" (what kind of voice should we use?) and "Prerecorded audio voice language", as shown below:
2. Text to speech: if Audio Choice is set to "TTS", this is the text that the TTS engine will read back to the end user (TTS charges apply).
3. Text to speech language: the language in which the Text to Speech will be read.
4. Allow extension dialing: if set to yes, the end user will also be allowed to input their extension number (so you can reach end users behind IVRs, rather than only end users with direct phone numbers).
5. Maximum call rate: since you are paying for the outbound calls, you also have the option to limit the cost per minute of these calls. You probably do not want your end users authenticating themselves from satellite phones (that would be very expensive, ouch!).
6. Wait for hello: if set to "No", our system reads back the PIN as soon as the call is answered. If set to "Yes", our system first waits for the first "hello" (this improves deliverability somewhat, but can lead to some users abandoning the call before they hear the PIN; typically about 3% of users abandon the call before hearing the PIN when this option is enabled).
Once you're done with all these options, just click on the "Submit" button. Remember the "Unique Identifier" we said we'd explain later on? Now is the time to use it (notice "WHATEVERID" in the script below).
Here's how you would implement the two step authentication on your website:
And this is what you will be seeing when opening up that page:
While end users would start typing a phone number, the country would start showing up:
For US numbers:
For UK numbers:
End users can now click on "Send SMS" or "Phone Call". Once they receive their SMS/text message or phone call, they type in the PIN and then click on "Verify".
If set, we will be posting that information, along with "WHATEVERCUSTOMERID"
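As an added example (not code from this page or from the provider), here is how a login backend could wire options 7, 8, 10 and 14 together so that only the provider's server-to-server POST marks an attempt verified, never the browser form, which is the practical difference between "Post URL" and the less secure "Enable Directly". The callback field names (unique_identifier, customer_id, status, phone), the per-attempt customer id handed to the applet as WHATEVERCUSTOMERID, and the 300 second expiry are all assumptions, since the page does not document the callback body.

```python
from typing import Optional
import secrets
import time

UNIQUE_IDENTIFIER = "WHATEVERID"   # the applet's Unique Identifier (option 14)
VERIFY_TTL = 300                   # seconds a login attempt stays valid (assumed policy)

# Server-side state only; nothing here is derived from what the browser claims.
_pending = {}    # customer id -> (username, time the attempt started)
_verified = {}   # customer id -> phone number the provider reported as verified

def start_login(username: str, now: Optional[float] = None) -> str:
    """Issue a fresh, unguessable per-attempt customer id and tie it to the account.
    This is the value you would embed in the applet as WHATEVERCUSTOMERID (assumed)."""
    customer_id = secrets.token_urlsafe(16)
    _pending[customer_id] = (username, time.time() if now is None else now)
    return customer_id

def handle_post_url(payload: dict, now: Optional[float] = None) -> bool:
    """POST URL handler (option 7, used when Authenticate Type is "Post URL").
    Only this server-to-server callback can mark an attempt verified.
    Field names (unique_identifier, customer_id, status, phone) are assumed."""
    now = time.time() if now is None else now
    if payload.get("unique_identifier") != UNIQUE_IDENTIFIER:
        return False                        # callback is not for our applet
    customer_id = payload.get("customer_id")
    if customer_id not in _pending:
        return False                        # no such attempt in progress
    if now - _pending[customer_id][1] > VERIFY_TTL:
        _pending.pop(customer_id)           # stale attempt; make the user restart
        return False
    if payload.get("status") != "verified":
        return False
    _verified[customer_id] = payload.get("phone")
    return True

def complete_login(form: dict) -> Optional[str]:
    """Local Post URL handler (option 8). It consults server-side state only and
    ignores any "verified" flag in the form, which a browser could forge under
    the less secure "Enable Directly" mode. Returns "username:phone" on success."""
    customer_id = form.get("customer_id")
    if customer_id not in _verified:
        return None
    username, _ = _pending.pop(customer_id)
    phone = _verified.pop(customer_id)      # single use: replaying the form fails
    return f"{username}:{phone}"
```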