When it comes to authentication, there’s a lot of confusion between two-step authentication (2Step) and two-factor authentication (2FA). As a result people frequently use them interchangeably and make decisions about using them for security without knowing their separate strengths and weaknesses. To that end we have created a primer explaining both and the differences between them.
Authentication is the process by which a user provides digital evidence they’re who they say they are to gain access to an account. The things used to do this fall into three different categories:
- Something you know (password, PIN),
- Something you have (phone, tokens, card)
- Something inherent to you (fingerprints, faces, retinas).
In order for an unauthorized user to gain access to an account, they must imitate and/or steal all of the authentication methods being used to protect it. While there is no established formal method for determining authentication strength, it seems self-evident that the easier authentication factors are to imitate or steal the weaker it is. This is why systems based solely on something you know are considered weakest.
2Step means using two authentication methods. It is based on the idea that adding authentication methods increases security. However, the number of methods involved isn’t an indicator of security, especially if all the methods are weak to begin with.
Let’s use Gmail’s login as an example. Using their stepped-up security you are prompted to put in a password (something you know), and then once it’s been accepted you must enter a one-time password (OTP) Google generates and send to you. However, these are both passwords, one created by you, and one created by Google. The OTP may seem like “something you have,” since it is received on your phone, but from a security perspective, it is still “something you know.” In this case, the key to authentication is the information stored on the devices that have your password and the OTP. To impersonate you a hacker would only need to steal one method of authentication, even if he would have to do it twice.
To be clear: While this type of authentication may be weaker when compared to other types it is still strong enough to thwart most attacks.
2FA also means using two authentication methods, but they must be two different method types. As a result, a hacker has to perform two different types of theft in order to impersonate you.
Many companies use 2FA, this is in no small part because it is required by regulations like PCI and GDPR. Two-factor authentication is considered to be “strong authentication” because it combines different types of factors. Combining factors of different kinds can significantly increase resistance to attack. The strongest form of 2FA uses the factors that are the most difficult to steal or imitate. That generally means one of them is a biometric, which is inherent to the person owning an account.
Whether 2Step or 2FA is the best solution for you depends on the amount of risk you can tolerate.
Think of it this way: Let’s say you are using the banking app on your mobile phone to send $20 to another person’s account. This is fairly low risk for the bank, and so they only require you to provide username and password. However, the bank’s risk increases along with the amount of money involved. So if you want to transfer $20,000 to another person they will want more confidence that you are really you, and not a criminal using your credentials. Currently this likely involves a 2Step method, with the bank calling and quizzing you on your personal information. However, with the ubiquity of fingerprint scanners on smartphones and computers, in the future, it will be 2FA.