Two-factor authentication (2FA) versus two-step verification (2SV)

[mona]

 

Two-factor authentication (2FA)

versus

two-step verification (2SV)

 

What's the difference between 2FA and 2SV?

And which is better?

 

 

 

 

As we go about our online lives, many of us have considered enabling two-factor authentication (2FA) or two-step verification (2SV) on our accounts. Both measures introduce another element into a service's login process. For that reason, plenty of reputable sources online have left the impression that there is no difference between the two concepts.

But those reports are wrong.

In this article, I will put to rest the difference between 2FA and 2SV.

What is an authentication factor?

Before we explore the difference between 2FA and 2SV, it is important to first touch upon what happens when we sign into an account.

Each login process depends upon the user submitting an authentication factor, or asSearchSecurity puts it, an "independent category of credential used for identity verification."

Authentication factors come in three different types: knowledge factors ("something you know"), possession factors ("something you have"), and inherence factors ("something you are")

The weakness of the password

Most online accounts today are configured to support single-factor authentication (SFA) by default. Those accounts more often than not require that a user submit a knowledge factor in the form of a password.

By now, we're all familiar with how inadequate passwords can be for protecting our accounts.

This insecurity rests with the demands of robust password security: first, users must accept the onus of creating long, complex passwords that are unique for each of their accounts; and second, they must either commit those passwords to memory or store them somewhere safe; and third, if a site is compromised they need to change their passwords to similarly long, complex combination.

All these steps have certain costs.

Humans are notoriously bad at dreaming up passwords that are sufficiently strong and hard to crack. Fortunately, some password managers such as Dashlane, LastPass and 1Password have the ability to generate strong passwords for a user.

Humans typically find that "secure" passwords are difficult to remember and take time to manually enter character-by-character on a keyboard. To respond to that difficulty, there are now a number of password managers that store and auto-fill users' complex passwords via browser extensions. However, many of these services require a paid subscription - something in which some users might not want to invest.

Finally, changing passwords after a security scare is a time-consuming burden. Usually is not an automatic process, although some password managers are beginning to offer such functionality on a growing but nevertheless select list of sites.

For all of these reasons, users may choose to skimp on their password security. Web services recognize this tendency. Some have opted for more secure forms of SFA, such as biometrics. Others have responded by implementing 2FA or 2SV. A select few have done both.

2SV: An expansion of SFA

Two-step verification is perhaps the easiest way by which web services can respond to the costs of password-based SFA. A common manifestation of this feature (if activated on an account) proceeds as follows: when you enter in your username and password, you are then sent a one-time code via email, SMS, or phone call to your computer or pre-verified device. You must enter in that code within a specified amount of time in order to access your account. If you don't, the code expires, and you will need to have another code sent to you.

 

As a user called "tyler1" notes in a discussion forum on StackExchange, this method of signing in may at first appear to be two-factor authentication.

But it isn't.

Even though you yourself do not know the code beforehand, the code is not fundamentally different from the password. In fact, they belong to the same authentication factor: both are pieces of information, that is, "something you know."

With this in mind, two-step (or multi-step) verification simply expands SFA by requiring that the user submit several distinct verification occurrences that all fall under the same one of the three authentication factors discussed above.

And, as we have seen in recent malware attacks, it is becoming possible for malware to intercept a two-step verification tokens as it is transmitted to the user and share them with criminals.

2FA: A whole new ballgame

By now, you might have an idea as to how two-factor authentication differs from 2SV.

Rather than building upon SFA, 2FA requires that a user enter two distinct verification occurrences that each belong to their own separate category of credentials. This may take the form of a user entering a password ("something you know") followed by depressing their thumb on a fingerprint scanner ("something you are").

It may also consist of the stuff of spy thrillers: someone swipes their keycard in a door-locking mechanism ("something you have") and then has their irises verified by an eye scanner ("something you are").

Smart cards and Yubikeys further add to the list of possible 2FA combinations.

Quintessentially, two-factor authentication hinges on the reality that it is more difficult for an attacker to compromise two authentication factors rather than just one, such as the knowledge that is required for someone to enter their password and a generated SMS code. With that in mind, it is reasonable to say that when implemented properly, 2FA is more secure than 2SV in-so-far as it introduces an additional factor of authentication.

Conclusion

There you have it. While two-step verification merely expands SFA by requiring two distinct verification occurrences of one authentication factor, two-factor authentication requires two occurrences, that each falls under a different category of credential.

Now that we know how to understand the difference between 2FA and 2SV, it's important that we see both them in action. Towards that end, below you will find links to a series of articles explaining how to enable two-step verification on different accounts.

Read more:

• Two-factor authentication (2FA) versus two-step verification (2SV)
• How to better protect your Facebook account from hackers
• How to better protect your Twitter account from hackers
• How to protect your Amazon account with two-step verification (2SV)
• How to better protect your Google account with two-step Verification (2SV)
• How to protect your Dropbox account with two-step verification (2SV)
• How to better protect your Tumblr account from hackers with 2SV
• How to protect your LinkedIn account from hackers with two-step verification (2SV)
• How to protect your PayPal account with two-step verification (2SV)
• How to protect your Yahoo account with two-step verification (2SV)
• How to protect your Apple ID account against hackers
• How to better protect your Google account with two-step verification and Google Authenticator
• How to protect your Hootsuite account from hackers

 

Source

 

 

[mona]

 

A great list of websites that support 2FA in various forms : 

twofactorauth.org.

 

 

[mona]

Worth noting :

2FA isn't entirely foolproof either !!!! 

There are sophisticated attacks that determined attackers can use to try to crack into even the accounts which are protected with two-factor authentication. But it does make it so much more difficult for attackers to successfully compromise your online accounts, that the vast majority simply will not bother.

 

Description of that kind of attack, utilizing a new type of social engineering trick you gonna find here. 

 

Social Engineering - when used effectively - will eventually defeat every security control you can throw at it.  So nothing can really replace common sense (as always) as our best (and 100% working) defence !!!  

Therefore be careful and ....

 

 

[jeffeuh]

very interesting post.

Thanks to have make light on our minds

[nsan3]

Really nice article, thank you @mona.