Over a drink at a recent meetup event, a savvy online developer seemed to think that two-factor authentication is a valid replacement for CAPTCHA. We’ve had a number of conversations like this recently and it’s troubling. It illustrates that even professionals in the online security field do not understand the inherent differences in how the two technologies should be used. Essentially: they solve very different problems.
Two-factor authentication (referred to as 2FA) is a security process that combines two security components to properly identify an individual looking to carry out a task — usually when logging into a secure account or performing a specific action within a secure account. For example, your bank may send an approval code to your phone when you send a large money transfer. It is used to doubly verify that you are authorised to perform that action.
It does not prove that there is a human completing this action. In fact, two-factor authentication is quite easy to bypass with bot automation. Our white hat partners have illustrated just how easy it can be to acquire the phone numbers necessary to automate abuse.
Take this example: you’re a ticket scalper looking to buy tickets in bulk for an upcoming show. If there is no CAPTCHA, all you would have to do is login once to each account (complete the 2FA if required, or automate that also) and then have your bots use those accounts to snap up as many tickets as possible. Without a CAPTCHA preventing the bots from accessing the actual ticket sales pages, 2FA is no help at all to preventing the tickets being purchased faster than humans can complete the same actions.
But CAPTCHA is a test to provide human verification and a good CAPTCHA will prevent bots from automating such actions.
Other concerns when considering 2FA as a CAPTCHA alternative are conversion and privacy. Not everyone will want to provide a phone number, or install an authentication app for each new website they visit. Conversion rates plummet when 2FA is implemented, which is bad for business.
When considering security for your web business, ensure that you understand the primary strengths of all available options. Two-factor authentication is not a valid replacement for CAPTCHA, whenever privacy, conversion or human verification are priorities.