Two-factor Authentication vs. Two-step Verification

11/07/2014

The Basics of Two-factor Authentication and Two-step Verification

Every day, information technology news reports are filled with the latest stories of hackers who have managed to steal confidential credentials and data from companies, banks, websites, and popular Internet services. For hackers, the key to gaining unauthorized access to data is stealing user credentials, such as passwords, and using them to access accounts and then break into servers or databases or deploy malware to steal sensitive information.

The one common denominator across most of these reports is the advice from information security experts and commentators about how to avoid these attacks: users and organizations should enable two-factor authentication or two-step verification in order to increase login security and help prevent cyberattacks.

As Matt Cutts, the head of Google’s webspam team has explained, “Two-factor authentication means ‘something you know’ (like a password) and ‘something you have,’ which can be an object like a phone.”

Using Google’s services and the Google Authenticator app as examples, two-step verification or two-factor authentication combines a user login, including a password, with physical access to a smartphone or landline telephone to verify authorized access to an account.

A user can begin to log into the secured service by entering an ID and password, but the user must then receive a one-time code (OTC) or one-time password (OTP) via SMS texting or a voice telephone call using a phone number that is associated with the account. Entering this additional one-time credential constitutes the second step of verification or the second factor of authentication, with the idea that only someone who knows the correct account password and who physically possesses the required object can gain access to the account.

Typically this approach is offered by many companies, including Google, Apple, and Microsoft, to authenticate a user whenever an account is accessed from a new device. For example, if a user buys a new desktop computer or connects from a new mobile device, or from any device that has not been used with the account before, the user can be required to complete the additional authentication step.
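A minimal server-side implementation of the one-time code step just described, added here as an example; it is not code from Google, Apple, or Microsoft, and the names OTPServer, IssueCode and VerifyCode are the example's own. It runs after the password step, keeps only a hash of the code bound to the login session, and leaves delivery (SMS or voice call) to the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// pendingCode is a one-time code awaiting the second step: only its hash is
// kept, bound to the login session it was issued for, with an expiry and an
// attempt budget.
type pendingCode struct {
	hash     [32]byte
	expires  time.Time
	attempts int
}

// OTPServer is the service side of the flow: password step done, code pending.
type OTPServer struct {
	pending map[string]*pendingCode
	ttl     time.Duration
	maxTry  int
}

func NewOTPServer() *OTPServer {
	return &OTPServer{pending: map[string]*pendingCode{}, ttl: 5 * time.Minute, maxTry: 3}
}

// IssueCode runs after the password check succeeds. It draws a six-digit code
// from a CSPRNG, stores only its SHA-256 hash, and returns the code so the
// caller can deliver it (by SMS or voice call in the flow described above).
func (s *OTPServer) IssueCode(sessionID string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.pending[sessionID] = &pendingCode{hash: sha256.Sum256([]byte(code)), expires: now.Add(s.ttl)}
	return code, nil
}

// VerifyCode is the second step. It accepts the code once, before expiry and
// within the attempt budget, and compares in constant time. Nothing here can
// tell whether the submitter holds the phone: the digits are the credential,
// which is why the article later classes this step as a knowledge factor.
func (s *OTPServer) VerifyCode(sessionID, code string, now time.Time) bool {
	p, ok := s.pending[sessionID]
	if !ok {
		return false
	}
	if now.After(p.expires) {
		delete(s.pending, sessionID)
		return false
	}
	p.attempts++
	if p.attempts > s.maxTry {
		delete(s.pending, sessionID) // budget exhausted: force a fresh code
		return false
	}
	got := sha256.Sum256([]byte(code))
	if subtle.ConstantTimeCompare(got[:], p.hash[:]) != 1 {
		return false
	}
	delete(s.pending, sessionID) // single use: a replay of the same code fails
	return true
}

func main() {
	s := NewOTPServer()
	now := time.Now()
	code, _ := s.IssueCode("login-session-1", now)
	fmt.Println("code to deliver:", code)
	fmt.Println("first use accepted:", s.VerifyCode("login-session-1", code, now))
	fmt.Println("replay accepted:", s.VerifyCode("login-session-1", code, now))
}
```

The expiry, single use and attempt budget are the controls a service can apply on its own side; they limit how long a leaked code stays usable, but they cannot change what the code is, which is the distinction the rest of the article turns on.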

But the one-time code or password approach is only one method of adding a second step or second factor to the authentication process, and while it qualifies as two-step verification, it does not necessarily qualify as two-factor authentication.


Distinguishing Between Two-step Verification vs. Two-factor Authentication

Google, Apple, and Microsoft all refer to their versions of advanced login security as “two-step verification”. Elsewhere, many data security experts, media reports, and websites refer to it as “two-factor authentication”, and the two terms have begun to be used interchangeably.

However, others in the industry, including cryptography experts and developers of advanced authentication solutions, define the two terms differently and draw important distinctions between them. These distinctions cite fundamental differences in security infrastructure and methodology, which are vitally important in understanding respective levels of data security and the ability of various authentication methods to protect users and organizations from hacking.


Defining an Authentication Factor

To analyze the differences between two-factor authentication and two-step verification, it is important to first understand the definition of an authentication factor.

During a login process, an authentication factor is a requirement that is designed to verify the identity of an authorized user.

In login security, there are three categories of authentication factors which are typically used to verify identity.

  • Something that is known only by the user, such as a password or PIN
  • Something that only the user possesses, such as a smartphone, smartcard, USB token, or other hardware key
  • Something that is physically unique to the user, such as a fingerprint or iris scan

Each category covers a range of potential requirements that can be used to verify identity and authenticate access to websites, applications, networks, systems, and other types of secured services.

They can also be used electronically to approve transactions, sign or approve documents, grant access rights to others, or establish a chain of administrative authority.


Understanding Two-step Verification and How It Can Fail

With the approach used by Google, Apple, and Microsoft, two-step verification combines the first two of these factors—something known only by the user, which is the account password, and something that only the user possesses, such as the smartphone or landline telephone.

Technically, this is an attempt to combine two authentication factors for greater security, but problems emerge because the one-time codes or passwords that these services use behave more like additional “knowledge” credentials, such as passwords or PINs: they do not truly require physical possession of a specified object or device in order to obtain them.

For example, as outlined in our previous blog post, entitled “How to Choose the Safest and Best Two-factor Authentication Method”, SMS transmissions are highly vulnerable to “man-in-the-middle” attacks in which hackers use spoof websites and phishing schemes to intercept or steal one-time codes or passwords and bypass two-step verification.

Attackers can also use SIM card cloning to outsmart this authentication method, and even a voice phone call with a verification code can be intercepted if a mobile network is compromised or if criminals use phone number porting or other tactics to receive calls.

This is why some data security experts point to two-step verification as a single-factor approach in which there are two steps but they both involve knowledge factors that can easily be compromised by attackers. Thus, two-step verification does not necessarily guarantee authentication or data security, and it is not a form of true two-factor authentication.


Analyzing True Two-factor Authentication for Superior Security

To ensure the strongest possible authentication security, the key is to require a knowledge factor together with a true physical factor of possession, or a physical factor that is unique to the user, such as a fingerprint scan. To achieve even better security, all three types of factors can be combined to create a powerful multi-factor authentication method.

By ensuring that at least two distinct authentication factors are required, a secure solution can be truly classified as two-factor authentication and can avoid the vulnerabilities and security pitfalls of two-step verification.

Perhaps the best example of this approach is public-key infrastructure (PKI), which is used in smartcard and ATM card security but has been extended to authentication security by SecSign Technologies, which developed the SecSign ID solution for mobile two-factor and multi-factor authentication.

Just as an ATM card requires physical possession of the card and knowledge of a PIN to gain access to an ATM and a user’s bank account, PKI authentication uses a similar approach to ensure that hackers cannot gain access to accounts for websites, applications, or other services.

With PKI authentication, only a simple, non-confidential user ID, entered into the login screen, is required to begin the login process. Passwords and credentials are completely eliminated from the login process, thus removing the primary means that hackers use to gain unauthorized access to accounts and compromise data security. This also removes the incentive for hackers to target secured services that require, transmit, and store credentials.

Instead, PKI authentication uses 2048-bit encrypted, asymmetric key pairs, which are produced by algorithms that are impossible to compromise using any known or anticipated level of computing technology.

On a Trust Center authentication server, a 2048-bit encrypted public key is stored securely, and it is invoked when the user ID is entered during login. This triggers an authentication request, which is sent to the user’s mobile device through mobile push technology and a simple mobile app.

A 2048-bit encrypted private key is stored on the mobile device and secured with a SafeKey mechanism that prevents brute force attacks, even if the device is lost or stolen. To complete authentication, the authentication request must be digitally signed by the app using the private key.

Verification of user identity and access to the private key is confirmed by the user entering a PIN or passcode, which the user defines and which is used only within the mobile app. No credential is ever entered through the login process or ever transmitted to or stored on a server. So there is physically no credential for hackers to steal through any form of hacking, phishing, or malware.

This PIN or passcode knowledge requirement is combined with the physical presence of the private key on the mobile device to provide true two-factor authentication.

As an alternative, the user can use a fingerprint scan instead of a PIN or passcode, thus combining a knowledge factor with a physical factor that is unique to the user. Or the user can combine the PIN or passcode with the fingerprint scan and physical possession of the private key to ensure that all three types of authentication factors are required.

The login process is fast and simple, requiring only a few seconds to complete, including a final verification step that requires the user to tap and confirm an access symbol that is shown on the mobile device and that matches one that is shown on the login screen.
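The login flow described above, as an added worked example that is not SecSign's code: a server that holds only a public key, a pushed request carrying a random challenge, and a device that signs the request only after the PIN is entered. The example assumes RSA-2048 with PSS and SHA-256 for the 2048-bit key pair, substitutes a plain PIN-hash check for the SafeKey mechanism (which it does not model), leaves out the matching-symbol confirmation step, and uses names of its own (TrustCenter, Device, BeginLogin, Approve, CompleteLogin).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// AuthRequest is what the server pushes to the phone; no secret travels with it.
type AuthRequest struct {
	UserID  string
	Nonce   [16]byte // fresh random challenge, one per login attempt
	Expires time.Time
}

// digest is the fixed encoding of the request that the app signs.
func (r AuthRequest) digest() []byte {
	h := sha256.New()
	h.Write([]byte(r.UserID))
	h.Write(r.Nonce[:])
	h.Write([]byte(r.Expires.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}

// TrustCenter is the server side: public keys only, nothing usable for signing.
type TrustCenter struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[[16]byte]AuthRequest // keyed by nonce, consumed on first use
}

func NewTrustCenter() *TrustCenter {
	return &TrustCenter{pubKeys: map[string]*rsa.PublicKey{}, pending: map[[16]byte]AuthRequest{}}
}

func (tc *TrustCenter) Enroll(userID string, pub *rsa.PublicKey) { tc.pubKeys[userID] = pub }

// BeginLogin is triggered by the non-secret user ID alone.
func (tc *TrustCenter) BeginLogin(userID string, now time.Time) (AuthRequest, error) {
	if _, ok := tc.pubKeys[userID]; !ok {
		return AuthRequest{}, errors.New("unknown user")
	}
	r := AuthRequest{UserID: userID, Expires: now.Add(2 * time.Minute)}
	if _, err := rand.Read(r.Nonce[:]); err != nil {
		return AuthRequest{}, err
	}
	tc.pending[r.Nonce] = r
	return r, nil
}

// CompleteLogin checks the signature against the server's own copy of the request, so tampered fields or a replay fail.
func (tc *TrustCenter) CompleteLogin(r AuthRequest, sig []byte, now time.Time) bool {
	stored, ok := tc.pending[r.Nonce]
	if !ok {
		return false
	}
	delete(tc.pending, r.Nonce) // one request, one answer
	if now.After(stored.Expires) {
		return false
	}
	return rsa.VerifyPSS(tc.pubKeys[stored.UserID], crypto.SHA256, stored.digest(), sig, nil) == nil
}

// Device is the phone: the private key never leaves it and unlocks only on the
// right PIN. The hash check is a stand-in for SecSign's SafeKey, which isn't modeled.
type Device struct {
	priv    *rsa.PrivateKey
	pinHash [32]byte
}

func NewDevice(pin string) (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the 2048-bit key pair
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

func (d *Device) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// Approve signs the pushed request only if the PIN unlocks the key.
func (d *Device) Approve(r AuthRequest, pin string) ([]byte, error) {
	got := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(got[:], d.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: private key stays locked")
	}
	return rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, r.digest(), nil)
}

func main() {
	dev, _ := NewDevice("4711")
	tc := NewTrustCenter()
	tc.Enroll("alice", dev.PublicKey())
	req, _ := tc.BeginLogin("alice", time.Now())
	sig, _ := dev.Approve(req, "4711")
	fmt.Println("login accepted:", tc.CompleteLogin(req, sig, time.Now()))
}
```

The point to notice is where the secret sits. The only thing that crosses the network is a signature over a server-chosen nonce; a phishing page or an intercepted message that captures it gains nothing reusable, because the server consumes each request on its first answer and the private key never leaves the device.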

The ease of use and simplicity of this approach means that it can be enabled and used readily to protect all login sessions without inconveniencing users.


Deploying Two-factor Authentication with Public Key Infrastructure

As a true two-factor authentication solution using mobile push software and public key infrastructure, SecSign ID can be deployed to protect websites, applications, servers, and systems. It can be deployed in the cloud at no cost to developers, regardless of the number of users, using the free SecSign ID mobile app and free plugins, including support for Java, Perl, PHP, WordPress, Joomla, and more.

SecSign ID can also be deployed on-premise, on your own architecture and operating behind your own firewall, with centralized administration and reporting. The cryptography experts and security engineers at SecSign Technologies can provide premium consultation, support, and integration service for developers, companies, and other organizations that want to implement the strongest possible authentication security to protect their data.

To learn more about two-factor authentication using public key infrastructure and advanced cryptography, visit the SecSign Technologies website for technical details, videos, consultation, and an opportunity to download the SecSign ID mobile app and test the secure login process for yourself.


About SecSign Technologies

SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a pioneer of cryptography solutions with more than 16 years of experience in developing public key infrastructure (PKI), electronic signature, and smartcard technologies. SecSign’s security experts and cryptography engineers have developed, deployed, and maintained systems that have successfully protected confidential business data and user access for numerous major corporations, including IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.
