Are you scared of using Two Step Verification or Two Factor Authentication? If your answer is yes, then this article is for you. We will talk about both in the simplest way possible, keeping all the technical complexities aside. If you are a tech-savvy person and want to know everything in detail, then we will give you all the references.
You might have heard about Two Step Verification or Two Factor Authentication already. Almost all companies have implemented it by now. A few companies, like Apple, have made it mandatory. Apple forces you to opt for it, which is a good thing.
Most companies have still kept it optional, as people are either scared of it or find it very inconvenient to use. If you are scared of using it or find it inconvenient, remember this:
In today’s digital world “Security and Privacy” come with a price. We pay the price in the form of inconvenience.
Well, the point is that if Two Step Verification or Two Factor Authentication is available, then you MUST use it. In this article, we will go through all the inconvenient parts so that your fears go away.
If any of your favorite websites or applications doesn’t offer this feature, then you shouldn’t trust it. STOP using such websites, apps, or services. At least TRY not to use them.
Let us understand Two Step Verification or Two Factor Authentication, but first the technical part. It’s OK if you don’t understand it in full.
Multi Factor Authentication
As explained in the Wikipedia article, Multi-factor authentication (MFA) is a method of confirming your identity before you are allowed access to a website or application. It makes sure that it is really you accessing the website or application, and not some bad person impersonating you. The aim is to prevent your online accounts, e.g. your internet banking account or any social media account, from being hacked.
In a multi-factor authentication process, a user is granted access only after successfully presenting two or more pieces of evidence (called factors). These factors are:
- Knowledge: something you and only you know, e.g. your password.
- Possession: something you and only you have, e.g. smartcards, RSA tokens etc., and
- Inherence: something you and only you are, e.g. a fingerprint or Face ID, or any form of biometric or behavioral characteristic (used in highly secure organizations). You must have seen it being used in movies.
Now, let us understand Two Step Verification vs Two Factor Authentication.
Two Step Verification (2SV)
Two-step verification is a method of confirming your identity by utilizing something you know (i.e. your password). In this case, Possession (something you have) and Inherence (something you are) are not applied. Instead, a 4-, 6-, or 8-digit code delivered by SMS, or generated some other way, is used as the second step. SMS is not considered safe, therefore mobile authenticator apps like “Google Authenticator” are used to generate one-time codes in place of SMS.
Not all websites or mobile apps offer the option of using an authenticator app. Most websites still rely on SMS-based verification only. Wherever possible, you should avoid SMS-based verification and use it only in an emergency, i.e. when you are not able to use an authenticator app.
This might be simple to understand if you are already using Two Step Verification for any website or mobile app. Even if you don’t understand it, don’t worry. We will get to the easy part.
Two Factor Authentication (2FA)
Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. It is a method of confirming your identity by utilizing a combination of two different factors:
- The first factor is always Knowledge, something you know, i.e. your password.
- The second factor could be either Possession (something you have) or Inherence (something you are).
A good example of two-factor authentication is withdrawing money from an ATM. Only the correct combination of a bank card (something that you have) and a PIN (personal identification number, something you know) allows the transaction to be carried out.
You can find a more technical explanation here.
Two Step Verification or Two Factor Authentication
Which one is better? How are they different from each other? Which one should you use?
Well, enough of technical complexities. To keep this post simple to understand, we will answer them without any technical explanation.
Which one is better? Security experts consider Two Factor Authentication better, but for a common person like you and me, both solutions provide good enough security compared with Single Factor Authentication, i.e. your password only.
How are they different from each other? If you couldn’t make it out from the explanations in the earlier sections, then don’t even try to go there. Actually, there is no need to.
Which one should you use: Two Step Verification or Two Factor Authentication?
Well, the choice is not in your hands. Some companies offer Two Step Verification and some Two Factor Authentication. With very few exceptions, no company offers both options. So you depend on what these companies offer and are bound to use that option only. So, based on what is available, you will use either Two Step Verification or Two Factor Authentication.
To keep it simple, use what is available. Don’t bother much as both the methods are safe and secure at present.
If you are curious, Apple provides Two Factor Authentication and Google provides Two Step Verification. These are reputable companies and they use both terms carefully. But this is not true for all other companies. Most companies use Two Step Verification and Two Factor Authentication interchangeably.
The image below from Paul Moore provides a slightly technical but the easiest way to understand the difference.
Account or Password Recovery: What if you lose your 2FA or 2SV device?
This is everyone’s biggest worry. What if I don’t have access to my device, i.e. the mobile phone used either for receiving SMS or for running the authenticator app?
Well, worry not. You don’t even need to read between the lines. Companies don’t want you to lose access to your accounts by any means. There is always a cost associated with customer acquisition, and companies can’t afford to lose you because of your ignorance or lack of awareness.
They should be able to help you as a last resort. It’s just that you may need to go through the hassle of proving to them that you are really you and not some bad person trying to gain access to your account. To prove your identity, you may need to show your passport or any government-issued photo ID, and they should then be able to give you access back to your account.
Once the company’s support team is able to confirm your identity, they will disable your Two Step Verification or Two Factor Authentication so that you can log back in and re-configure it.
If a company knows that it cannot help you when you lose access to your Two Step Verification or Two Factor Authentication device, it will give you multiple warnings before activating it for you. It will mention again and again that if you lose access to the device, it will not be able to help you with recovery and you are fully responsible if you lose access to your account. At this point, you can decide whether you are ready to take the chance in the name of security, or whether you prefer convenience and decide not to enable it.
One thought could be that once you activate Two Step Verification or Two Factor Authentication and companies can’t help you with recovery, you are in good hands. Why? Because it proves that they can’t access your account or data; only you have full control. A second thought could be that you feel uncomfortable with the “What if” situation.
As of today, (almost) all companies can help you with account recovery. So, don’t worry so much. If you still have any doubt about any website, mobile app or service, please feel free to contact us and we will be more than happy to clarify and confirm.
It is easier said than done. You need to be a bit cautious, because disabling or resetting Two Step Verification or Two Factor Authentication depends on how it is implemented. It is expected that companies have thought through these situations and built in some mechanism for you to get back into your account. But not all companies are the same, right? So far, all big, well-known companies have implemented it with caution and made the necessary arrangements.
However, if you have fake accounts (for whatever reason) on any website or mobile application, then you might not be able to get access back, because you will not be able to prove your identity for them.
Some websites/companies completely bypass Two Step Verification or Two Factor Authentication for the purpose of account recovery. A sophisticated hacker can gain access to all of your accounts if they have access to the email account you use for account recovery.
What is a Trusted Device?
In case you lose your Two Step Verification or Two Factor Authentication device, to save you from all the trouble, companies have come up with the concept of a trusted device, e.g. your phone or your personal computer (laptop/desktop).
It works on the assumption that you will always have access to at least one of them, either your phone or your laptop/desktop. If these devices (at least 2) are always in your possession, you can safely mark them as trusted devices. If you lose one of them, you will still have access to the other.
The concept of a trusted device says that the website or application will not ask for Two Step Verification or Two Factor Authentication on your trusted device. The whole point of Two Step Verification or Two Factor Authentication is to protect your account from hackers and not from yourself, right?
Well, there is a slight problem there, because the concept of a trusted device does not work with all websites or mobile applications. Some mobile apps or websites will always ask you for Two Step Verification or Two Factor Authentication every time you log in. Sometimes you may lose access to both of your trusted devices at the same time. This has happened to me once because of my stupidity. What I have learnt from that mistake is that the trusted device solution itself is not reliable. So, don’t depend on it fully.
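The following is an added example, not code from the original article or from any of the companies mentioned, of how a service could implement the trusted device idea described above: after a successful second step, the server hands the device a random token, remembers only a hash of it together with an expiry, and on later logins skips the second step when that token is presented. The function names, the 30-day lifetime and the in-memory store are all assumptions. The revoke_all function covers the case just described, a trusted device that is lost: forgetting every remembered device forces the second step again everywhere.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical in-memory store: sha256(token) -> (account, expiry as unix time).
# A real service would persist this server-side; only the hash is kept, so a leaked
# table does not hand out usable tokens.
TRUSTED_DEVICES: Dict[str, Tuple[str, int]] = {}
TRUST_LIFETIME = 30 * 24 * 3600   # assumed policy: trust a device for 30 days


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register_trusted_device(account: str, now: int) -> str:
    """Call this right after a successful second step when the user ticks
    'trust this device'. Returns the token the browser/app stores (e.g. in a cookie)."""
    token = secrets.token_urlsafe(32)            # 256 bits of randomness, unguessable
    TRUSTED_DEVICES[_digest(token)] = (account, now + TRUST_LIFETIME)
    return token


def is_trusted(account: str, token: str, now: int) -> bool:
    """True only if the token is known, belongs to this account and has not expired."""
    entry = TRUSTED_DEVICES.get(_digest(token))
    if entry is None:
        return False
    owner, expiry = entry
    same_owner = hmac.compare_digest(owner.encode(), account.encode())
    return same_owner and now < expiry


def revoke_all(account: str) -> int:
    """Forget every trusted device for an account (what you want after a device is lost).
    Returns how many were removed."""
    doomed = [h for h, (owner, _) in TRUSTED_DEVICES.items() if owner == account]
    for h in doomed:
        del TRUSTED_DEVICES[h]
    return len(doomed)


def login(account: str, password_ok: bool, device_token: Optional[str],
          second_step_ok: bool, now: int) -> str:
    """Decision for one login attempt: 'denied', 'need-second-step' or 'ok'.
    The password is always required; a trusted device only replaces the second step."""
    if not password_ok:
        return "denied"
    if device_token is not None and is_trusted(account, device_token, now):
        return "ok"                               # trusted device: second step skipped
    return "ok" if second_step_ok else "need-second-step"


if __name__ == "__main__":
    t0 = 1_700_000_000                            # constructed timestamp for the demo
    print(login("alice", True, None, False, t0))  # need-second-step
    tok = register_trusted_device("alice", t0)    # after alice passes the second step
    print(login("alice", True, tok, False, t0 + 60))                     # ok
    print(login("alice", True, tok, False, t0 + TRUST_LIFETIME + 1))     # need-second-step
    revoke_all("alice")                           # alice reports the device lost
    print(login("alice", True, tok, False, t0 + 60))                     # need-second-step
```

Two design choices matter here: the trust has an expiry, so a forgotten laptop does not stay trusted forever, and the token is tied to one account, so a token lifted from one user's device is useless against another user. Neither helps if the user loses every trusted device at once, which is exactly why the section above says not to rely on this alone.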
Pros and Cons
Let us look at the benefits and disadvantages of mobile-phone-based Two Step Verification or Two Factor Authentication.
- No additional tokens are necessary because it uses mobile devices that are (usually) carried all the time.
- As they are constantly changed, dynamically generated passcodes are safer to use than fixed (static) log-in information.
- Users must carry a mobile phone, charged, and kept in range of a cellular network, whenever authentication might be necessary. If the phone is unable to display messages, such as if it becomes damaged or shuts down for an update or due to temperature extremes (e.g. winter exposure), access is often impossible without backup plans.
- Text messages may not be delivered instantly, adding extra delays to the authentication process.
- The user must share their personal mobile number with the provider, reducing personal privacy and potentially allowing spam.
Not So Secure
- Text messages to mobile phones using SMS are insecure and can be intercepted. Thus, third parties can steal and use the token.
- Account recovery typically bypasses mobile-phone two-factor authentication.
- Modern smartphones are used both for browsing email and for receiving SMS. Email is usually always logged in. So if the phone is lost or stolen, all accounts for which the email is the key can be hacked, as the phone can receive the second factor. So smartphones combine the two factors into one factor.
- Mobile phones can be stolen, potentially allowing the thief to gain access into the user’s accounts.
- SIM cloning gives hackers access to mobile phone connections. Social-engineering attacks against mobile-operator companies have resulted in the handing over of duplicate SIM cards to criminals.
For a common person, an average member of the world’s population like me, if a 2SV or 2FA feature is available then you MUST use it. It’s not 100% secure and can’t guarantee that your account will never be hacked. But it’s definitely better than using just a password as single-factor authentication. Using just your password means that anyone can hack your account; they don’t even need to be a hacker for that.
As a common person, you don’t need to be concerned about whether it is Two Step Verification or Two Factor Authentication. You don’t even need to bother about which of the two a service is providing you. Whatever it is, just use it.
As different websites and mobile apps implement Two Step Verification or Two Factor Authentication differently, we will take each of them separately and post full details about how you can enable or disable it for each popular service. We will also add words of caution and precautionary measures to avoid losing access to your accounts.
Even though we are ready to pay the price, a perfectly secure and fully private online world is not possible.