Two-factor authentication (2FA) versus two-step verification (2SV)

As we go about our online lives, many of us have considered enabling two-factor authentication (2FA) or two-step verification (2SV) on our accounts. Both measures introduce another element into a service’s login process. For that reason, plenty of reputable sources online have left the impression that there is no difference between the two concepts.

But those reports are wrong.

In this article, I will clear up the difference between 2FA and 2SV.

What is an authentication factor?

Before we explore the difference between 2FA and 2SV, it is important to first touch upon what happens when we sign into an account.

Each login process depends upon the user submitting an authentication factor, or as SearchSecurity puts it, an “independent category of credential used for identity verification.”

Authentication factors come in three different types: knowledge factors (“something you know”), possession factors (“something you have”), and inherence factors (“something you are”).

The weakness of the password

Most online accounts today are configured to support single-factor authentication (SFA) by default. Those accounts more often than not require that a user submit a knowledge factor in the form of a password.

By now, we’re all familiar with how inadequate passwords can be for protecting our accounts.

This insecurity rests with the demands of robust password security: first, users must accept the onus of creating long, complex passwords that are unique for each of their accounts; second, they must either commit those passwords to memory or store them somewhere safe; and third, if a site is compromised, they need to change their passwords to similarly long, complex combinations.

All these steps have certain costs.

Humans are notoriously bad at dreaming up passwords that are sufficiently strong and hard to crack. Fortunately, some password managers such as Dashlane, LastPass and 1Password have the ability to generate strong passwords for a user.

Humans typically find that “secure” passwords are difficult to remember and take time to manually enter character-by-character on a keyboard. To respond to that difficulty, there are now a number of password managers that store and auto-fill users’ complex passwords via browser extensions. However, many of these services require a paid subscription – something in which some users might not want to invest.

Finally, changing passwords after a security scare is a time-consuming burden. It is usually not an automatic process, although some password managers are beginning to offer such functionality on a growing but nevertheless select list of sites.

For all of these reasons, users may choose to skimp on their password security. Web services recognize this tendency. Some have opted for more secure forms of SFA, such as biometrics. Others have responded by implementing 2FA or 2SV. A select few have done both.

2SV: An expansion of SFA

Two-step verification is perhaps the easiest way by which web services can respond to the costs of password-based SFA. A common manifestation of this feature (if activated on an account) proceeds as follows: when you enter in your username and password, you are then sent a one-time code via email, SMS, or phone call to your computer or pre-verified device. You must enter in that code within a specified amount of time in order to access your account. If you don’t, the code expires, and you will need to have another code sent to you.

As a user called “tyler1” notes in a discussion forum on StackExchange, this method of signing in may at first appear to be two-factor authentication.

But it isn’t.

Even though you yourself do not know the code beforehand, the code is not fundamentally different from the password. In fact, they belong to the same authentication factor: both are pieces of information, that is, “something you know.”

With this in mind, two-step (or multi-step) verification simply expands SFA by requiring that the user submit several distinct verification occurrences that all fall under the same one of the three authentication factors discussed above.

And, as we have seen in recent malware attacks, it is becoming common for malware to intercept two-step verification tokens as they are transmitted to the user and share them with criminals.
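The one-time-code step described above (a code sent to the user that must be entered within a set time, or else re-issued), sketched server-side as an added example that is not code from the original article. The class name, the 6-digit code length, the 300-second window and the 5-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class OneTimeCodeStore:
    """In-memory store of pending second-step codes, keyed by user name."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # Only a salted hash is kept; the code space is small, so the
        # attempt limit below is what actually stops guessing.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user):
        """Create a fresh 6-digit code; any older code for the user is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        salt = secrets.token_bytes(16)
        self._pending[user] = [salt, self._digest(salt, code),
                               self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the e-mail/SMS/voice sender, never logged

    def verify(self, user, submitted):
        """Return True once for a correct, unexpired code; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[user]      # expired or exhausted: must re-issue
            return False
        entry[3] = attempts_left - 1     # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[user]      # single use: cannot be replayed
            return True
        return False
```

Expiry, single use and the attempt limit narrow the window in which an intercepted code is useful, but they do not change which authentication factor the code belongs to.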

2FA: A whole new ballgame

By now, you might have an idea as to how two-factor authentication differs from 2SV.

Rather than building upon SFA, 2FA requires that a user enter two distinct verification occurrences that each belong to their own separate category of credentials. This may take the form of a user entering a password (“something you know”) followed by depressing their thumb on a fingerprint scanner (“something you are”).

It may also consist of the stuff of spy thrillers: someone swipes their keycard in a door-locking mechanism (“something you have”) and then has their irises verified by an eye scanner (“something you are”).

Smart cards and Yubikeys further add to the list of possible 2FA combinations.

Quintessentially, two-factor authentication hinges on the reality that it is more difficult for an attacker to compromise two authentication factors rather than just one, such as the knowledge that is required for someone to enter their password and a generated SMS code. With that in mind, it is reasonable to say that when implemented properly, 2FA is more secure than 2SV insofar as it introduces an additional factor of authentication.


There you have it. While two-step verification merely expands SFA by requiring two distinct verification occurrences of one authentication factor, two-factor authentication requires two occurrences that each fall under a different category of credential.

Now that we understand the difference between 2FA and 2SV, it’s important that we see both of them in action. Towards that end, I will walk through how you can set up two-step verification on your Google account in an upcoming article.
