Securing a web business has never been as hard as it is now. As a web business owner or developer, you have probably added several mechanisms to stop attackers from stealing passwords. To protect a membership site, you likely check the username and password and add several anti-attacker measures on top, such as checking the last IP address or scanning logs for suspicious activity. Still, passwords, shared computers and passwords sent by e-mail remain the weakest part of your overall security.
I want to show, as a general algorithm, how you can add more security to your web site. In my example I will use phone verification, but the same flow also works with reverse phone verification or SMS verification.
Your current flow probably looks like this, giving you a single point at which to check the user:
- Display login form
- Get username and password
- Check username and password from database
- If matches, give access
I am not suggesting you change this flow; it stays the same. I am suggesting you add another step: two-factor authentication with OTP (One Time Password) tokens, where the token is announced to the user over the phone:
- Display login form
- Get username and password
- Check username and password from database
- If matches, start a phone verification to the number on file
- Ask for the “token”/“pin” that is announced on the phone
- Check entered pin
- If matches, let the user access
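The seven-step flow above, as an added Python example that is not part of the original post: a successful password check opens a pending login and announces a fresh random pin through a hypothetical `announce_by_phone` hook that stands in for the voice-call provider, and the second step accepts that pin only once, within a time limit and a small number of attempts. The user record, salt, server secret and phone number are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # a pin is only valid for two minutes after the call is placed
MAX_ATTEMPTS = 3        # discard the pending login after three wrong pins
SERVER_SECRET = b"constructed-server-secret"   # keep this out of the user database
SALT = b"constructed-salt"                     # a real site stores a per-user salt

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user record and in-memory state; a real site keeps these in its database.
USERS = {"alice": {"pw_hash": hash_password("correct horse", SALT), "phone": "+15555550100"}}
pending = {}    # username -> {"otp_hash", "expires", "attempts"} for logins awaiting a pin
announced = {}  # stands in for the voice provider: phone -> last pin spoken to it

def announce_by_phone(phone, pin):  # hypothetical hook; production code calls the voice API here
    announced[phone] = pin

def otp_hash(username, pin):
    # Store only a keyed hash of the pin, so a leaked pending table yields no usable pins.
    return hmac.new(SERVER_SECRET, f"{username}:{pin}".encode(), hashlib.sha256).digest()

def login_step1(username, password, now=None):
    """Steps 1-4 of the flow: check username/password, then start the phone verification."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], hash_password(password, SALT)):
        return "denied"
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**6):06d}"   # uniformly random six-digit pin, fresh per login
    pending[username] = {"otp_hash": otp_hash(username, pin), "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    announce_by_phone(user["phone"], pin)
    return "otp_sent"

def login_step2(username, entered_pin, now=None):
    """Steps 5-7 of the flow: check the pin the user heard; pins are single-use and expire."""
    entry = pending.get(username)
    now = time.time() if now is None else now
    if entry is None or now > entry["expires"]:
        pending.pop(username, None)   # nothing pending, or the pin is too old: start over
        return "denied"
    entry["attempts"] += 1
    if hmac.compare_digest(entry["otp_hash"], otp_hash(username, entered_pin)):
        pending.pop(username)   # single use: the same pin cannot be replayed later
        return "granted"
    if entry["attempts"] >= MAX_ATTEMPTS:
        pending.pop(username)   # too many guesses: force a new password check and a new call
    return "denied"
```

Because `pending` holds only a keyed hash, the pin exists in clear text only on the phone line and in the user's head, never at rest on the server.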
With this method you have real two-factor authentication: a second password token that is generated on the fly and cannot be stolen by a third party.
Check out a live Phone Verification Demo at onverify.com. Drop us an e-mail for ideas and implementations. We would like to hear from you and help.