As cybercrime becomes more sophisticated, companies are realising that their old security solutions are no longer sufficient to deal with new threats and attacks. In addition to large commercial companies, non-profit organisations and small businesses have also become victims of such attacks. One method of security that companies are increasingly using is two-step verification. In this article, we explain what 2FA (two-factor authentication) is and why it is necessary.

There is no doubt that Internet services such as websites and applications need to be better secured. Users should use security that goes beyond just a password. Two-step verification, also known as two-step authentication, provides this extra layer of protection for many users.

1. What is two-step verification?

The two steps in traditional two-step verification are 1) a password and 2) a code that the user receives on a trusted, assigned device. To successfully authenticate, an authorized user must complete these two steps of two-step verification. After the user submits their login and password, they may be asked to provide additional information (such as a one-time PIN or an electronic code sent to their phone) that identifies them as the real user of the service.

According to the Oxford Dictionary, authentication is “the act of proving or verifying that something is true or correct”. So with 2FA, you confirm your identity in two parts, one after the other, using a technique known as two-step verification. After the first stage is completed, the system proceeds to verify the user’s identity.

2. The types of 2FA

2FA is basically a combination of two of the options below:

  • Something you know (password)
  • Something you have (authentication application, SMS code etc.)
  • Something you are (fingerprint, retina, face recognition etc.)

Sending an SMS code is not seen by critics as a real form of 2FA. The code is something that is sent and when you send something, it can be intercepted. It is, literally speaking, not something you already have, but rather something that is sent to you.

Grammatically, there is therefore also a distinction between authentication and verification. Although many use the terms as synonyms, there is a difference. Sending the SMS as a second step is a verification that you are the user. However, it does not authenticate that you are actually who you say you are, for example if a hacker can intercept the message, e.g. via spyware.

3. Why is two-step verification necessary?

What would it be like to wake up on a beautiful spring morning and not have access to one of your online accounts? After a worrying check, it’s clear that your email account and your company website have been hacked, and your business credit card has been used for bogus transfers as well. How terrible would that be? Many Internet users, businesses, organizations, and even governments have already experienced the same thing. And often the awareness of proper security among victims comes only after a successful attack.

Are you already using 2FA? In many cases, two-factor authentication is necessary. It provides extra security in addition to passwords. Cybercriminals have to take considerably more steps to crack the second level of authentication. Password cracking is a relatively easy step. Available commercial products have been claiming since 2011 that they can test up to 2,800,000 passwords per second on a standard desktop computer with a high-end graphics processor. And it is precisely for this reason that having a second step in the verification/authentication process is a necessity.