Online gambling laws aim to ensure that gaming is conducted honestly, competitively, and without fraudulent practices. In this regard, the major iGaming regulatory authorities have always recommended that online gambling platforms enable two-factor authentication for their end-users. Moreover, since January 2022, the use of two-factor authentication in iGaming has been mandatory.
The Divisions of Gaming Enforcement (DGE), including the NJ DGE, Delaware DGE, and Nevada Gaming Control Board, oblige iGaming platforms to enable two-factor authentication for their users. According to the DGE Cyber Security Best Practices, this step is necessary to reduce the risks of identity fraud, payment fraud, and chargeback cases in iGaming, since more and more online gambling websites are compromised through fraudulent account access.
The Protectimus two-factor authentication solution and OTP tokens are easy to integrate with any iGaming software using an API, an SDK, or an integration plugin. You can protect both the in-house infrastructure of your iGaming business and the end-users' accounts with one MFA setup.
Below we explain how two-factor authentication works and what online risks it prevents and describe all the nuances you need to consider before implementing two-factor authentication to secure your online gaming platform and users.
Table of contents
- How two-factor authentication works
- Why two-factor authentication is mandatory in online gambling
- How to add two-factor authentication into your online gaming platform
- Best practices for implementing 2-factor authentication in iGaming
How two-factor authentication works
In a nutshell, two-factor authentication is a process that allows the users to prove that they are who they claim to be by presenting two different authentication factors.
There are three possible types of authentication factors:
- something the user knows – usually a password;
- something the user has – usually a one-time code from the OTP token;
- something the user is – usually a fingerprint or face ID.
Typically, a combination of a password (something the user knows) and a one-time code from an auth token or phone (something the user has) is used for 2-factor authentication. Protectimus allows delivering one-time codes via chat-bots in Messenger or Telegram, by SMS, or by email. Two-factor authentication apps and hardware authentication tokens are also available. Read more about different two-factor authentication methods here.
Two-factor authentication is used in online gaming security to prevent phishing, social engineering, man-in-the-middle, and brute-force attacks. Even if a fraudster manages to get a user’s password, it is useless on its own, as the user’s account remains protected by a one-time code that is valid for only 30 seconds.
To check one-time passwords, a two-factor authentication server is used, which is integrated with the iGaming solution. The scheme of interaction between the authentication server and OTP tokens is presented below.
Why two-factor authentication is mandatory in online gambling
Since the popularity of online games began to skyrocket, attackers have focused their efforts on hacking poorly protected online gaming accounts. Credential stuffing, phishing, brute force, keyloggers, and social engineering are used to gain fraudulent access to gamers’ accounts and then use them for malevolent activities ranging from payment fraud and identity fraud to money laundering.
Online gambling websites collect a lot of personal information from their players to verify their identity remotely. Unfortunately, this is precisely the kind of information needed for identity theft. There isn’t much difference between establishing your identity through the Internet for gambling purposes and establishing your identity as part of a scam.
Protecting all of this personal information is a prime consideration for iGaming websites because a release of personal information on a large scale could result in catastrophic losses for the business as well as legal issues if the online gambling website operates in a regime where breaches of personal information must be dealt with in a prescribed manner by law.
The best protection against such kinds of hacking attacks is two-factor authentication. Thus, almost any online gambling regulator or casino control commission requires online casinos and iGaming software providers to add two-factor authentication for the best internet security for gaming. It becomes impossible to get an online gambling license without implementing 2-factor authentication for the iGaming software administrators and end-users.
At the same time, adding two-factor authentication to enhance online gambling cyber security is beneficial for the online gambling companies themselves:
- The gamers’ accounts remain protected even if they become victims of phishing or credential stuffing. Online casino users stop losing their personal data and money, which increases the level of trust in the iGaming platform.
- The number of support requests that need to be solved on an individual basis falls, which saves the iGaming company time and money.
- The online gambling regulation and licensing authorities make sure that the iGaming platform is not used for any illegal purposes.
How to add two-factor authentication into your online gaming platform
It is strongly recommended to protect all the areas of your iGaming business with two-factor authentication. Start with the online casino administrators’ accounts and finish with the end-users’ accounts.
Protectimus two-factor authentication solution allows adding 2FA everywhere you need at once:
- employees’ computers and webmail clients;
- the online gambling platform administrators’ accounts;
- the gamers’ accounts.
Use a combination of integration plugins to protect your corporate infrastructure (AD, Windows, macOS, Ubuntu, OWA, ADFS, RADIUS, etc.), and integrate two-factor authentication with your iGaming software via the API or a software development kit for Java, PHP, or Python.
Find the list of all the integration plugins and instructions on setting up the Protectimus two-factor authentication solution here.
Best practices for implementing 2-factor authentication in iGaming
1. Protect both administrators and gamers, but use different authentication policies
When setting up multi-factor authentication for the online gambling platform, it will be wise to enable different authentication rules for various groups of users. You may set stricter authentication settings for the online casino administrators than for the end-users. Also, you may use different types of OTP tokens for your team and online gamers.
The iGaming platform administrators’ accounts must be well protected, because compromising such an account can lead to a huge data leak and material and reputational losses for the iGaming company. That is why it makes sense to enable additional security features for this group of users. The list of advanced online gaming security features may include:
- geographic filters (allow access to the admins’ accounts only from selected countries);
- IP filtering (allow access to the admins’ accounts only from given IP addresses);
- time filters (allow access to the admins’ accounts only during business hours).
Also, you may oblige your team members to use only those one-time password generation tokens you consider the safest, for example, only hardware TOTP tokens, while giving the end-users gaming online a wider choice of two-factor authentication methods.
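The two-policy idea above (geographic, IP and time filters plus a restricted token type for administrators, a wider choice for players) as an added example, not Protectimus code: a small policy evaluator run after the password and OTP have both been checked. The country code is assumed to come from a GeoIP lookup done elsewhere, the office network is a constructed TEST-NET-3 range, and the time is assumed to be already converted to the company's local time zone.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time as dtime


@dataclass
class AccessPolicy:
    """Per-group rules applied after password and OTP have both been verified."""
    allowed_countries: frozenset = frozenset()   # empty = no geographic filter
    allowed_networks: tuple = ()                 # CIDR strings; empty = no IP filter
    business_hours: tuple = None                 # (start, end, weekdays) or None
    allowed_token_types: frozenset = frozenset()  # empty = any token type


# Stricter policy for platform administrators (hypothetical values).
ADMIN_POLICY = AccessPolicy(
    allowed_countries=frozenset({"US"}),
    allowed_networks=("203.0.113.0/24",),        # constructed office range (TEST-NET-3)
    business_hours=(dtime(9, 0), dtime(18, 0), frozenset(range(0, 5))),  # Mon-Fri 09-18
    allowed_token_types=frozenset({"hardware_totp"}),
)

# Looser policy for players: any country, any network, any hour, several token types.
PLAYER_POLICY = AccessPolicy(
    allowed_token_types=frozenset({"hardware_totp", "app_totp", "chatbot"}),
)


def evaluate_policy(policy: AccessPolicy, country: str, ip: str,
                    local_time: datetime, token_type: str):
    """Return (allowed, reason). Every filter that is configured must pass;
    the reason names the first failing filter so it can be logged and alerted on."""
    if policy.allowed_countries and country not in policy.allowed_countries:
        return False, "geo_filter"
    if policy.allowed_networks:
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(n) for n in policy.allowed_networks):
            return False, "ip_filter"
    if policy.business_hours:
        start, end, weekdays = policy.business_hours
        if local_time.weekday() not in weekdays or not (start <= local_time.time() < end):
            return False, "time_filter"
    if policy.allowed_token_types and token_type not in policy.allowed_token_types:
        return False, "token_type"
    return True, "ok"
```

A denied admin login that passed the OTP check is exactly the event worth alerting on: it means a valid credential and code were presented from an unexpected place or time.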
2. Use cloud-based two-factor authentication for online gambling if possible
Protectimus allows its customers to either use a cloud-based two-factor authentication service or deploy an on-premise two-factor authentication platform on their own servers. But we encourage online gambling companies to opt for the cloud-based 2-factor authentication service, as it is much more efficient and cost-effective:
- You save time as you don’t need to deploy several on-premise platform installations on several nodes to create a fault-tolerant system;
- You save money as you don’t need to purchase and maintain additional equipment to deploy the on-premise platform;
- You may change your tariff plan at any time without contacting the support team to issue a new license.
If the laws of your state require the authentication servers to be located on its territory, download and install the Protectimus On-Premise Platform. Our tech team is always ready to help you with the on-premise platform setup.
3. Give online gamers a choice from several authentication methods
As a rule, users show little enthusiasm when it comes to enabling two-factor authentication. A daunting challenge for the iGaming software providers, who implement 2-factor authentication, is to make it as user-friendly as possible.
In this respect, giving gamers the possibility to choose from a number of authentication methods works well.
There are several different one-time password generation and delivery methods. We recommend you make all these options available for the online gamers:
- 2-factor authentication apps (Protectimus Smart OTP, Google Authenticator, etc.);
- chat-bots in messaging apps Messenger, Telegram, or Viber;
- hardware TOTP tokens (Protectimus Two, Protectimus Flex, Protectimus Slim NFC).
Please note that SMS authentication is also an option for Protectimus customers. We can’t recommend adding SMS authentication for online gambling platform users, as there are doubts about its safety. Nevertheless, having SMS authentication enabled is better than having no two-factor authentication at all.
4. Encourage gamers to activate two-factor authentication
Come up with a plan on how you will make your end-users activate two-factor authentication for their online gaming security.
Start with an informational campaign. Explain to gamers how important it is to protect their online casino accounts with two-factor authentication. Or better yet, reward them for enabling 2-factor authentication. For example, Fortnite gamers get extra rewards for activating 2FA on their accounts.
When most of your users are on board with 2FA, you can make it obligatory.
We would be glad to assist you with setting up two-factor authentication for your online gambling platform. Please get in touch with us with any questions you have via [email protected].