Braintree has supported SMS and authenticator app two-factor authentication in the Control Panel since 2015. As part of our ongoing mission to keep your data secure, Braintree is pleased to announce that we now support hardware two-factor authentication (H2FA) in the Control Panel, providing a new way for merchants to help keep their accounts secure. In this blog post, we’ll outline how merchants can get started with H2FA.
Two-factor authentication is a crucial tool for helping protect merchants from unauthorized account access, typically by requiring a time-sensitive code during sign-in. It is effective against various forms of phishing attacks, where malicious actors trick users into giving them login credentials. These threats are becoming increasingly sophisticated and are one of the most common causes of security breaches. [1]
Traditional two-factor authentication methods, like SMS codes and authenticator apps, offer protection against basic types of phishing attacks. However, the generated codes can be vulnerable to interception.
The protocol used by hardware tokens -- FIDO’s U2F in our case -- is designed to protect against malicious interception and is proven to be more effective than SMS codes and authenticator apps. [2] All merchants are encouraged to enable H2FA to speed up the login process and increase protection against phishing.
The security key
H2FA security keys can take many forms, including thumbdrive-like plugins, fingerprint readers, browser-supported Android devices, and Touch Bar enabled Apple devices.
When a user activates H2FA, the specific key used is linked to their user account. On subsequent logins, the user will be prompted to insert and activate their security key, which will then generate a secure code for authenticating the user. This fast, easy authentication method doesn’t require the user to open an app or check their phone for a text – just plug in your key and go!
Enabling H2FA in your account
For instructions on how to use hardware 2FA and log in with your key, see our 2FA documentation.
For more information about FIDO standards, check out The FIDO Alliance’s documentation and press release. If you’re interested in learning more about the effectiveness of H2FA against account takeover, read more in this 2019 study.
To learn more about the support of hardware two-factor authentication, contact us.
[1] "New research: How effective is basic account hygiene at preventing hijacking," Google, May 2019.