Two Step Verification and Internet Security
Security is more than just a buzzword. When you run an online business, you have to be able to protect information: your own, and that of your customers. This particularly raises concerns when you provide e-commerce options on your site. Customers who purchase from you need to know that no one can hack in and steal their personal or financial information.
Part of this means setting up basic site construction to protect data. An https designation to authenticate your site is a good start, and using data encryption and other techniques can provide some assurances to your customers. Still, large-scale data breaches in recent years have struck Anthem, the United States Office of Personnel Management, Ashley Madison, and Target; these tactics are useful, but not enough.
While hackers might never be fully stopped, a two-step verification process for your customers can provide an important safeguard to help ensure the people logging in on your site actually are who they say they are. When you set up this log-in system, you can accomplish two important pieces of your security puzzle: you help make your customers’ data more secure, and you do so in a visible enough way to create confidence in what you are doing to protect them.
How Does 2-Step Verification Work?
Two-step verification has existed in some form since 1984. It essentially requires two things before someone can access an account: a physical object and information. The most common example that people use in everyday life is probably an ATM card, since to use it to directly access a bank account, a person needs both the card (the physical object) and a PIN (the information). Even with the use of credit cards online, many sites still require both the card number and the security code on the back, a process that still seeks to require separate components to ensure the financial data of the shopper remain secure.
As criminals have become more savvy, companies have worked to make the safeguards in the process stronger. Most larger e-commerce providers have clued in to the need to enforce a certain level of password strength. Passwords that are easy to guess include single words, dates, names, and common offenders like “1111,” “1234,” “9999,” and “password.” You want at a minimum to require numbers and upper- and lower-case letters, just to keep people from guessing your customers’ passwords and accessing their information. Enough people ignore the security risk that weak passwords entail that you need to force the issue.
Unfortunately, these steps are not enough. Hackers include some of the brightest minds in the world, and they have chosen to focus their skills in destructive directions. To combat this, you need to avoid relying on a stationary target. However cleverly concocted that target may be, information that sits in a database without changing will always be susceptible to those who would seek to obtain it.
Two-step verification as companies use it today introduces an additional roadblock to protect this information. It does so by using the username and password only as the first piece of information someone needs to log in. You should still require a strong password here, but once the user enters that information, your site requires additional information: a fluid password that the user receives on his or her smartphone or tablet. The password, often a six-digit number, works only once; each log-in requires a new, randomly generated number to access the site.
This process creates four layers of security to ensure the right person accesses the site. The username should be something the user chooses, so you can avoid patterns that someone can identify and use to get in. The second, of course, is the password, which again should require some combination of upper-case, lower-case, numbers, and symbols to prevent easy guesswork.
This, by itself, has represented the industry standard security layer for a long time. An additional layer many sites provide now is a set of “security questions,” which require users to establish and answer one or more questions to prove their identities even after the password is set up. These have the advantage and disadvantage of being personal to the person who sets them up; if identity theft comes from someone knowing the person whose identity is stolen, it may not be difficult to guess the correct answers to the questions.
A strong two-step verification process adds two more layers instead. The first is the randomly-generated passcode, which eliminates the opportunity to guess at answers to common questions. No one can know ahead of time what number will be generated, making for a much more secure input. Further, this diminishes greatly the potential for human error thwarting your security efforts; because the number changes every time, there is no danger of someone writing it down, carrying the number with him or her, and unwittingly revealing it later.
Finally, the fourth layer of security this process creates comes through the device itself. Two-step authentication requires customers to keep a device present, usually a smartphone, to access their accounts. The customer sets the device to which information will be sent, and your site sends codes to that device to help prevent fraud or theft. Smartphones have become prevalent enough in both number and use that this goes a long way toward ensuring the device customers need will always be on their person.
Why Is It So Important?
Some users hate the layered security process that two-step verification provides. They just want to get to what they need without the hassle of remembering a unique username and password, then pulling out their phone to retrieve another code. They prefer one step, in which they can save their passwords to a site and apply one click to access shopping or data or anything else.
The dilemma we face in many areas of life is how to balance convenience and protection. In the world of online transactions, customers’ expectations often tilt toward the former much more than the latter. They expect fast load times and fast access, and tend not to think too much about the security of what they enter. Instead, they focus their attention and sometimes their ire on issues like prompt delivery or the convenience of the online interface.
Unfortunately, this desire for convenience does much to exacerbate the problem of faulty security online. Many users use the same password for multiple accounts, despite the multitude of reasons not to do so. Many also write their passwords down, save them on their computers, or select easy-to-remember passwords that unfortunately function as easy-to-guess passwords as well. As a result, people make it very easy for hackers and identity thieves to steal their information, access their personal and business accounts, and otherwise interfere in their lives.
This represents enough of a problem for your customers. When you allow their behavior to lead to a foreseeable risk of compromising their data, though, you also face the potential for losing their business, as well as losing goodwill and reputation for your own business. Setting up a single layer of security leaves much of the work of protecting customer information with the customers themselves—a group that will often prove unwilling or unable to take up that task.
With this in mind, establishing a two-step verification procedure can go a long way toward overcoming the unsafe behavior of those you cannot control. No process is foolproof, but this can allow you to give some assurances to your customers that you are working to keep their data and their money safe. It delivers the message for you in a very visible way, providing the feel of security along with the fact of it. This dual effect is critical. Any security lapse can do damage to your company, and any accurate assurance you can provide your customers will help strengthen your relationships with them and their willingness to continue to do business with you.
The task of creating secure protocols can get in the way of your customer satisfaction, particularly when you first implement it. Customers tend to dislike change, and when that change effectively slows down what they want to do, you can encounter confusion and annoyance. And at first, many will struggle with the technology involved, no matter how clearly you explain it. Someone who has to pull out a phone every time he or she logs in will sometimes get frustrated, and will likely tell you all about it.
In addition, part of the frustration your customers may express is a belief that all of these efforts will not fully prevent the most sophisticated of attacks. The smartest hackers can circumvent a two-step verification process. It takes more time and effort, and generally only involves the biggest, most lucrative targets, but there is no perfect security process. In fact, many of the large-scale database infiltrations that have occurred in recent years involve sites that have some kind of two-step verification in place. Some people understandably get annoyed when they are asked to take extra steps when they don’t perceive a benefit resulting from those steps.
To overcome these kinds of objections, begin with open communication. If you start your website out with a two-step process, that should head off some of the aggravation people might feel when you switch from a simpler system to a more complex one. But if you are making a change, you should take the time to call attention to what you are doing, and why. Any time you appear to be shrinking from a change, people interpret your reticence as an attempt to hide something. You want to get in front of what you are doing and give a direct message before your customers can infer something else.
When you deliver the message, be as direct as possible. Tell your customers on your website, and in your physical store if you have one, that you are moving to a two-step verification process to protect their privacy and their money. Explain how it works, and assure your customers that it is a proactive move to enhance their security, rather than a reaction to something that went wrong.
By getting in front of the change, you can shape and frame your discussion with your customers. You never want to be in a position to play defense when your customers’ opinions about you are involved. You make this kind of move to protect them, and when you wait for them to reach their own conclusions about your motivation for change, few will reach the conclusion you wish.
Finally, don’t hide from the potentially negative aspects of the change. You don’t want to pretend there will be no inconvenience or let your customers believe you have not thought about the concerns they may have. Acknowledge that the process can be slightly more cumbersome than the password-only approach, and come out and tell them you cannot guarantee nothing will ever go wrong. Encourage them to treat their log-in data carefully and work to protect their own information. But let them know this creates a step that can help prevent many kinds of identity theft, and makes it much harder for anyone to get into your system.
Maintaining Flexibility and Vigilance
Finally, avoid becoming a slave to the processes you have created. The world of identity thieves changes constantly and adapts to what lies before it. The point of a mutable security ID is to adjust to this by maintaining a constantly moving target for would-be hackers. Similarly, you need to monitor your website’s security consistently. Use encryption and secure HTML coding to the fullest extent possible, and learn as much as possible about new and emerging threats to your website and attacks on other companies in your industry.
Additionally, you cannot ignore older kinds of threats just because you have a new security process. Let your customers know what address you will use for any emails that originate from your company. Every day, phishing scams launch hundreds of thousands of emails that use accounts designed to mimic company names. They ask email recipients to click on a link that downloads malicious software, or send personal information they can use to access accounts. Two-step verification can prevent some of this, but the potential for problems never fully goes away.
When you talk about security with your customers, you do more than merely bring them into the discussion; you get them thinking about security issues as well. Some security breaches cannot be prevented, but the vast majority can be. You want your customers to be your allies in this, and to know what they can do to help you protect their personal data. The more everyone is invested in the process, the more effective it can be for both you and the people who rely on you.
Building Security into Your Web Design
When you design a website, you need to do so with the full customer experience in mind. A site with an https designation, fast load times, rich content, and easy navigation will help you get far, but if you cannot protect your customers’ data from hackers, the rest does not matter. The security measures you take should be visible enough for your customers to appreciate them, but effective enough to back up what you show them.
Like your Internet marketing campaign, your website security is an ongoing enterprise. When you operate a business, you need someone you can rely on to help keep your site safe. 1st in SEO starts by providing you a well-designed, secure website. We can set you up with a two-step verification as part of any e-commerce you run through your site, enhancing your security and giving your customers visibility into the ways you are protecting them.
Moreover, we understand that security only begins at web design. We monitor your site performance and unusual activity on your site, helping you stay on top of potential issues before they get bigger. We understand both the proactive and reactive measures you need to take to protect yourself and your customers, and we help you do so for as long as you work with us.
When you choose an SEO marketing company, you should make sure you are working with someone who understands thoroughly how to get your site ranking highly, but also how to protect you from damage to your reputation with your customers. Contact us today, and we will make sure your website looks good and operates securely.