
The Difference Between Two-factor Authentication and Two-Step Verification

Aug 19, 2019 | BLOG

In recent years, questions about user authentication have become increasingly prominent, because authentication is the main means of preventing one of the biggest fears of any organization: leaks of customer, supplier, and employee data. In this context, passwords alone are no longer enough to protect a system: multiple authentication factors have proven to be the answer to the password problem. Although the concept has been in use for some time, it still raises questions for many users who need to protect credentials on multiple systems.

To try to ensure that whoever is accessing the system is indeed the user, it is possible to require that two or more authentication codes be entered in addition to the user's password. The purpose is to confirm the legitimacy of the access, considering that a password can be obtained improperly, a fingerprint can be copied from a glass, or a token can be stolen. Requiring more than one of these pieces of information therefore makes the attacker's job harder, since they would have to compromise more than one factor at the same time.

Authentication Factor

Authentication factors are the categories of evidence used to verify the identity behind an access request. They are divided into three types:

  • Knowledge factor: something the user has knowledge of;
  • Possession factor: something that the user possesses;
  • Inheritance factor: something the user is.

These factors lead to the implementation of two types of process for validating user identity: two-step authentication and two-factor or multi-factor authentication.

Two-step and two-factor authentication are often confused as being the same process, but they take different approaches and offer different levels of security.

Two-step Authentication

The two-step authentication process is a simple one: at the time of authentication, after the credentials are requested and the user enters their password, a code is sent via SMS, phone call or e-mail to a pre-registered device to verify the access request. These codes have a short expiration time, so if the user does not use a code in time, another one must be generated before they can authenticate and gain access. It is worth mentioning that, for the SMS or phone-call variant, a telephone number must be registered to receive the code, which makes this type of authentication vulnerable to attacks such as SIM swap, a scam in which the victim's phone number is transferred to a SIM card in the possession of a malicious attacker.

In addition to e-mail, SMS and phone calls, codes for user validation can also be generated by authenticator applications such as Google Authenticator. In that case, to authenticate, the user enters the code generated by the application in addition to their password.

This type of authentication appears to use more than one factor, but that impression is mistaken: the same type of factor, the knowledge factor, is used throughout the process. Both the access password and the verification code are pieces of information based on the user's knowledge; the password and the code are things they know.

Two-step authentication is therefore defined by steps that rely on the same authentication factor: to authenticate, the user must enter, for example, two pieces of information that they know, or present two things that they possess.

Two-factor authentication or multiple-factor authentication

This authentication process is considered the safest, since it requires the user to present at least two different types of authentication factor, such as something they know and something they have inherited.

  • Something the user knows: passwords, PINs, and codes;
  • Something the user possesses: smartcards, USB tokens, keys;
  • Something the user has inherited: fingerprints or other physical features, such as the iris.

Authentication to access a datacenter, for example, may require the user to present their smartcard to the reader on the door lock and then enter their credentials, username and password; two-factor authentication was therefore required to enter the room.

In its guide on online payments, the European Banking Authority (EBA) advises that at least one of the factors should not be replicable, except in the case of inheritance, and that it should also not be susceptible to theft through the Internet.

In this type of authentication, each piece of information entered is independent of the others, but both must be correct for access to be granted. If one of them is entered incorrectly, only that one needs to be generated again. Because of this, time-based tokens are widely used, as they change constantly over a period of time, for example every five minutes.
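The time-limited codes described under two-step authentication above and the time-based tokens mentioned in this section are usually implemented with TOTP (RFC 6238), which derives a short code from a shared secret and the current time step. The following is an added example, not code from the original post or from senhasegura; it builds TOTP on top of HOTP (RFC 4226) and then combines it with a password check so that both factors are evaluated independently and access is granted only when both are correct. The base32 secret is the RFC 6238 test-vector secret ("12345678901234567890" in ASCII) and the 30-second step, the one-step drift window, the PBKDF2 iteration count and the salt are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values: the RFC 6238 test-vector secret, base32-encoded.
# Never reuse a published secret in a real deployment.
DEMO_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30          # seconds per code (RFC 6238 default; assumed here)
TOTP_DIGITS = 6         # six-digit codes, as most authenticator apps display
PBKDF2_ITERS = 100_000  # kept low for the demo; production should use more


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate
    clock drift. Anything older has expired and must be regenerated, which
    is the short-expiry behaviour the post describes."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at_time + drift * TOTP_STEP)
        # Constant-time comparison so a near-miss leaks no timing information.
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def verify_login(stored_hash: bytes, salt: bytes, password: str,
                 totp_secret_b32: str, code: str, at_time: int) -> bool:
    """Two factors, checked independently. Both are always evaluated (no
    short-circuit) so the response does not reveal which factor failed,
    and access is granted only when both are correct."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    code_ok = verify_totp(totp_secret_b32, code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed enrolment: the server keeps only the salt, the hash and the TOTP secret.
    salt = b"constructed-demo-salt"
    stored = hash_password("correct horse battery staple", salt)
    # RFC 6238 test vector: at unix time 59 the six-digit SHA-1 code is 287082.
    print("code at t=59:", totp(DEMO_BASE32_SECRET, 59))
    print("login ok:", verify_login(stored, salt, "correct horse battery staple",
                                    DEMO_BASE32_SECRET, "287082", 59))
    print("stale code rejected:", not verify_totp(DEMO_BASE32_SECRET, "287082", 59 + 90))
```

The secret here is a possession factor only if it lives solely on the user's device; if the same secret is e-mailed or sent by SMS to be typed back, the code becomes another piece of knowledge, which is exactly the distinction the post draws between two-step and two-factor authentication.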

A major concern is when one of these factors, especially the possession factor, is lost or destroyed for some reason. In such cases, the user does not lose access, because when the process is implemented, a master key or master password is required for recovering the account in these situations. The bigger concern is when this master key or password is lost or stolen, which can compromise both the account's security and its recovery.
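The recovery master key mentioned above is commonly implemented as a set of single-use recovery codes generated at enrolment, shown to the user once and stored server-side only as hashes, so that a stolen database does not hand the attacker a working recovery path. This is an added example of that pattern and is not code from the original post or from senhasegura; the code length and count are constructed assumptions.

```python
import hashlib
import hmac
import secrets

RECOVERY_CODE_BYTES = 8   # 64 bits of entropy per code (assumed for the demo)
RECOVERY_CODE_COUNT = 8   # number of codes issued at enrolment (assumed)


def _digest(code: str) -> str:
    """Normalise user input (whitespace, case) and hash it. The codes are
    random and high-entropy, so a plain SHA-256 is adequate here; low-entropy
    secrets such as passwords would need a salted, slow hash instead."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_recovery_codes(count: int = RECOVERY_CODE_COUNT):
    """Return (plaintext codes to show the user exactly once, hashes to store)."""
    codes = [secrets.token_hex(RECOVERY_CODE_BYTES) for _ in range(count)]
    stored_hashes = {_digest(c) for c in codes}
    return codes, stored_hashes


def redeem_recovery_code(stored_hashes: set, submitted: str) -> bool:
    """Consume a recovery code: valid at most once, removed on use, so a code
    that leaks after it has been used is worthless to an attacker."""
    candidate = _digest(submitted)
    for stored in list(stored_hashes):
        # Constant-time comparison of the hex digests.
        if hmac.compare_digest(stored, candidate):
            stored_hashes.remove(stored)
            return True
    return False


if __name__ == "__main__":
    codes, vault = generate_recovery_codes()
    print("issue these once to the user:", codes)
    print("first use accepted:", redeem_recovery_code(vault, codes[0]))
    print("second use rejected:", not redeem_recovery_code(vault, codes[0]))
    print("codes remaining:", len(vault))
```

A user who keeps these codes in the same place as their password has collapsed the second factor back into the first, which is why the post's warning about a lost or stolen master key applies just as much to recovery codes.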

Robust passwords are hard for users to remember. For this reason, entering more than one authentication factor is a good security control, but it can make the authentication process somewhat time-consuming if the user is not familiar with the factors or with the process. To make this simpler, there are tools that manage these factors and automatically fill in passwords and complex authentication information.

In the context of credential management, PAM solutions bring the following benefits to users and organizations:

  • Increased security in user authentication and task execution;
  • Integration with multiple methods and devices for multi-factor authentication;
  • Authentication in environments without having to enter the user’s password;
  • Integration with implemented GPO rules;
  • Requirement of strong passwords for all users;
  • Possibility to perform remote sessions without the user knowing the password;
  • Assessment of which data need more protection, among other benefits.

Once this process is deployed, it becomes easier to respond to suspicious authentication requests. In addition, this type of solution allows a remote session to be interrupted if there is doubt about the authenticity of the factors.

There are many mechanisms that can assist in managing these factors and the authentication itself. Malicious agents who obtain authentication factors are more likely to defeat system checks, so these factors are pieces of information that must be protected.

Using a single authentication factor is no longer enough to ensure that whoever is accessing the system is actually the user. Making the authentication process more secure and harder for attackers to exploit is therefore a challenge for organizations of all sizes and industries. Between two-step authentication and multi-factor authentication, it is up to each organization to understand which is the most appropriate and secure for its needs.
