With 2-Step (also called Two-Factor) Verification, you protect your account with your password and one additional factor: phone call verification, SMS tokens, smartphone app-based verification methods, or hardware tokens.
What you know, what you have and what you are!
| 1-Step Verification (something you know) | 2-Step Verification (something you have, something you are) |
|---|---|
| Password, PIN | Biometrics, Authenticator App, Hardware Token (keys), Phone Call, SMS, Email Tokens |
To understand what knowing something and having something mean in the context of security, let's take financial transactions with credit/debit cards as a classic example. A credit/debit card is something you have: it has a physical form, and you carry it with you. Similarly, the 4- or 6-digit PIN you need to enter for an ATM or POS transaction is something you know.
Let me give you another example. For a Google account, my password is "supersecret123", and the security question that verifies my identity when I forget my password is, "What is your pet name?", for which my answer is "BojoMojo". These two values, my password and my answer to the security question, are something that I know. I have enabled 2-Step Verification for my Google account, and I use my mobile phone as a verification device. In this case, my mobile phone is something I have.
In short, passwords, PIN codes and security questions are something we know. Biometrics (facial recognition, an iris scan or, more likely, a fingerprint) are something we are, and physical devices like cards, mobile devices and hardware tokens are something we have. A bad guy can guess that my password is "supersecret123" or trick me into giving up my PIN. Still, he will never be able to steal a hardware token that I always carry in my wallet. A hacker has to compromise both your password and the additional factor to gain access to your account.
Why is 2-Step Verification needed anyway?
Let me tell you this: it's easier than you think for someone to steal your password.
- Using simple, guessable passwords.
- Phishing: hackers impersonate a website and trick you into entering your email and password to log in.
- Direct hacking: hackers trick you by impersonating a support officer from your bank or internet service provider to gain access to your account or steal a password.
- Password leaks from account data breaches, and countless others.
These are just a few examples of how anyone can steal your password. Trust us; there are countless more ways. 2-Step Verification can help keep bad guys out, even if they have your password. Even Microsoft says 99.9 percent of attacks on your account can be blocked by 2-Step Verification.
The infamous iCloud leak of celebrity photos, where hundreds of private pictures of celebrities were leaked online, would never have happened if they had used 2-Step Verification. In 2017, even Deloitte, one of the famous Big 4 consulting firms, was hit by a cyberattack. The culprit? They did not use 2-Step Verification!
Aren't password managers enough?
We also hear a common question: "I use a strong password and a password manager, so I do not want the hassle of 2-Step!" Password managers are an indispensable part of your account-security arsenal. However, a password manager is still at the mercy of the user who is using it. Bad guys can easily trick you into giving up a password stored in a password manager.
Also, even though a password manager can generate a unique password for every service you use, many people are not using that feature. Most people use a password manager only as a password autofill tool (we often forget passwords, don't we?) and not as a security tool. Remember, if you use the same password on every account, you are also prone to password leakage from a data breach.
"We recommend that you use both a password manager and 2-Step Verification."
Understanding market jargon
2-Step or Multi-Factor Authentication?
2-Step is often confused with Multi-Factor Authentication. Multi-factor simply means different ("multi", duh!) ways of verifying your authenticity. These include Face ID, Touch ID, one-time passwords, hardware tokens, iris scanners, etc. Multi-Factor Authentication can be 1-Step (single step). But multi-factor methods are often used as the second step of 2-Step Verification.
2-Step or Two-Factor Authentication?
Two-Factor Authentication means using two different authentication factors, often a password or PIN as the first factor and any one of multiple factors as the second. 2-Step Verification and Two-Factor Authentication are often used interchangeably, but 2-Step Verification is the correct term.
Passwordless authentication or 2-Step Verification?
If you prove your identity without entering a password, it becomes a passwordless login. Passwordless authentication aims to remove the use of passwords. Though it is a more secure method than password-based login, it is still a single-factor, 1-Step authentication. Combining both password and passwordless verification in a 2-Step Verification method is one of the most robust combinations for account security. In fact, all of the prevalent factors used for the second step of 2-Step Verification are passwordless.
Which factor should you use for 2-Step?
It should be clear by now that the second step in 2-Step Verification is performed by something you are (biometrics) or something you have (mobile device, smartphone app, hardware tokens). But which factor should you use?
As mere mortals, the more options we have, the more confused and indecisive we get! Before we elaborate further: never, ever use or opt in to an SMS-based factor for the second step. It is one of the weakest factors of all. If possible, use U2F or a variant of it, especially prompt-based verification, where the smartphone app asks you to approve the access. We recommend it because this factor has the perfect balance of high security and privacy.
- Prompt-based authenticator apps (👍✅🚀): The service provider prompts you to approve the login attempt. You approve the login by tapping the approve button; if you deny, the login attempt is canceled. Google Prompt and Microsoft Prompt are examples of prompt-based authenticator apps. This is the factor we recommend as the second factor in the 2-Step Verification process.
- Hardware tokens (👍✅): Best in terms of security, but many find it a hassle to carry an extra device everywhere. YubiKey and Google Titan keys are examples of hardware tokens used as the second factor in the 2-Step Verification process.
- Biometrics (👍): Secure enough, but it comes at the cost of risking your privacy. Apple Face ID and Touch ID are examples of biometrics-based verification factors used in the 2-Step Verification process.
- TOTP authenticator apps (👍): Secure enough; the app generates a one-time code every 30 seconds. But you need to type the generated code in for verification, which is prone to phishing attacks. Google Authenticator, TRASA Authenticator and Microsoft Authenticator are examples of TOTP authenticator apps used in the 2-Step Verification process.
- Telephone-based (👎❌☢️): Worst of all; it carries every risk of SIM swapping and communication tapping. Phone calls and SMS-based verification are examples of the telephone-based factor used in the 2-Step Verification process. AVOID THIS METHOD AS MUCH AS POSSIBLE!
We will be writing soon about how to enable 2-Step Verification to protect your online accounts such as Google, Microsoft, LinkedIn, and more. Stay tuned and subscribe to our newsletter.