The Difference Between Two-Factor Authentication and Two-Step Verification
In recent years, questions about user authentication have become more and more prominent, since authentication is the means of preventing one of the biggest fears of any organization: leaks of customer, supplier and employee data. In this context, passwords alone are no longer enough to protect a system, and multiple authentication factors have proved to be the answer to the password problem. Although the concept has been in use for some time, it still raises questions for many users who need to protect credentials on multiple systems.
To try to ensure that whoever is accessing the system really is the user, it is possible to require two or more authentication codes in addition to the user's password. The purpose is to guarantee the legitimacy of the access, given that a password can be obtained improperly, a fingerprint can be lifted from a glass surface and a token can be stolen. Requiring more than one such piece of information makes it harder for an attacker to compromise more than one of these factors at the same time.
Authentication factors are the categories of evidence used to verify the identity behind an access request. They are divided into three types:
- Knowledge factor: something the user knows;
- Possession factor: something the user has;
- Inherence factor: something the user is.
These factors lead to two types of process for validating user identity: two-step authentication and two-factor or multi-factor authentication.
Two-step and two-factor authentication are often confused with each other, but they differ in approach and in the level of security they provide.
The two-step authentication process is simple: at authentication time, after the credentials are requested and the user enters their password, a code is sent via SMS, phone call or e-mail to a pre-registered device to verify the access request. These codes have a short expiration time, so if the user does not use one in time, another code must be generated to complete authentication and gain access. It is worth mentioning that, for SMS or phone-call delivery, a telephone number must be registered to receive the code, which makes this type of authentication vulnerable to attacks such as SIM swap, a scam in which the victim's phone line is transferred to another SIM card that is in the possession of the attacker.
In addition to e-mail, SMS and phone calls, user-validation codes can also be generated by authenticator applications such as Google Authenticator. In that case, to authenticate, the user enters the code generated by the application in addition to their password.
This type of authentication appears to use more than one factor, but that is a common mistake: the same type of factor, the knowledge factor, is used throughout the process. Both the access password and the verification code are pieces of information based on the user's knowledge; the password and the code are things the user knows.
Two-step authentication is therefore defined as steps that rely on the same authentication factor, i.e. to authenticate, the user must provide, for example, two pieces of information they know, or two things they possess.
Two-factor authentication or multi-factor authentication
This authentication process is considered the safest, since it requires the user to present at least two different types of authentication factor, such as something they know and something they are.
- Something the user knows: passwords, PINs and codes;
- Something the user possesses: smart cards, USB tokens, keys;
- Something the user is: fingerprints or other physical features, such as the iris.
Authentication to enter a data center, for example, may require the user to present their smart card to the reader on the door lock and then enter their credentials, username and password, so two factors were required to enter the room.
In its guidance on online payments, the European Banking Authority (EBA) advises that at least one of the factors should be non-replicable (except for inherence) and not liable to be stolen over the Internet.
In this type of authentication, each piece of information entered is independent of the others, but both must be correct for access to be granted. If one of them is entered incorrectly, only that one needs to be generated again. For this reason, time-based tokens are widely used, as they change at regular intervals, for example every five minutes.
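As an added example (not code from the article or from any vendor), the following Python implements the time-based one-time code scheme used by authenticator apps such as Google Authenticator, covering both the app-generated codes described in the two-step section and the time-based tokens mentioned above. It assumes RFC 6238 TOTP over RFC 4226 HOTP with the 30-second step and 6-digit codes those apps default to; the shared secret is the RFC test key, constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed values (not from the article): the RFC 4226/6238 test secret, with the
# 30-second step and 6-digit codes that authenticator apps use by default.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30
DIGITS = 6


def provisioning_key(secret=SHARED_SECRET):
    """Base32 form of the secret: this is what gets enrolled into the authenticator app."""
    return base64.b32encode(secret).decode("ascii")


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret, submitted, unix_time, last_step, step=TIME_STEP, skew=1):
    """Server-side check. Accepts the current step and up to `skew` neighbouring steps
    (clock drift; this is also what makes a code expire after the window), but never a
    step at or before `last_step`, so a code observed once cannot be replayed.
    Returns (accepted, value to store as the new last_step)."""
    current = unix_time // step
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_step:
            continue  # already consumed or older: treat as a replay and refuse
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_step


if __name__ == "__main__":
    now = 59  # fixed clock so the code matches the RFC 6238 test vector (287082)
    code = totp(SHARED_SECRET, now)
    print("enrol key:", provisioning_key(), "code:", code)
    print("first use:", verify_totp(SHARED_SECRET, code, now, last_step=-1))
    print("replay:   ", verify_totp(SHARED_SECRET, code, now, last_step=1))
```

Storing the last accepted step per user is what turns the "short expiration time" into a one-use guarantee: the same code is refused even inside its validity window.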
A major concern is when one of these factors, especially the possession factor, is lost or for some reason destroyed. In such cases the user does not lose access, because when the process is implemented a master key or master password is set up for recovering the account in these situations. The bigger concern is when this master key or password is itself lost or stolen, which can compromise both the security and the recovery of the account.
Strong passwords are hard for users to remember. Requiring more than one authentication factor is therefore a good security control, but it can make the authentication process somewhat time-consuming if the user is not familiar with the factors or with the process. To simplify it, there are tools that manage these factors and automatically fill in passwords and other complex authentication information.
In the context of credential management, PAM (Privileged Access Management) solutions bring the following benefits to users and organizations:
- Increased security in user authentication and task execution;
- Integration with multiple multi-factor authentication methods and devices;
- Authentication to environments without the user having to enter the password;
- Integration with existing GPO rules;
- Enforcement of strong passwords for all users;
- Ability to run remote sessions without the user knowing the password;
- Assessment of which data need more protection, among other benefits.
Once this process is deployed, responding to suspicious authentication requests becomes easier. In addition, this type of solution allows a remote session to be interrupted if there is doubt about the legitimacy of the factors presented.
There are many mechanisms that can help manage these factors and the authentication itself. Attackers who obtain authentication factors are better placed to defeat the system's checks, so these factors are information that must be protected.
A single authentication factor is no longer enough to ensure that whoever is accessing the system is actually the user. Making the authentication process more secure and harder for attackers to exploit is therefore a challenge for organizations of all sizes and industries. Between two-step authentication and multi-factor authentication, it is up to each organization to decide which is the most appropriate and secure for its needs.