
- A vehicle left unlocked and parked on the street can easily be picked up in an opportunistic attack. This is how I would view an account with a poor or easily guessable password. Whilst it may have a password, automated tools can test a list of common passwords against it, and if the account has appeared in a breach, the attacker may already know the username/password combination to use.
- A vehicle that’s locked and parked on a quiet street, whilst still vulnerable, is more secure than the first. This is how I would view a secure password.
- A vehicle that’s locked and stored in a secure garage requires knowledge and skill to steal. It also requires motivation for that specific vehicle. This is how I would view an account using a secure password and a second form of authentication.
What Is the Difference Between Two-Factor Authentication and Two-Step Verification?
To understand this, you first need to understand what multi-factor authentication is. A factor is something you have, something you know, or something you are: three separate pieces that together prove who you are. The more of these pieces used to validate a login, the lower the likelihood that someone else will be able to authenticate as you. There are further options available, but these three are the most commonly used. Two-factor authentication is a form of multi-factor authentication that requires only two of the following: something you know, something you have, and something you are.

Some examples of “something you know”:
- Password/passphrase
- Answer to a security question
- PIN
Some examples of “something you have”:
- SMS: Have you received SMS text messages containing a verification code? This is a form of multi-factor authentication! Whilst there are limitations on the security of this option, remember the car examples: it is better than no second piece at all.
- App: There are many options out there, both paid (Duo, for example) and free (Authy/Google Authenticator). These apps give you two options after password entry: first, you can use them to generate a verification code for a synced account; and second, you can request a push notification, at which point you can ‘approve’ or ‘decline’ sign-in.
- Physical token: if you have ever heard of Yubikey, it is one of the best-known forms of physical or hardware token-based authentication. Using this option, you enter a password and then plug in the device (or touch it to something) to authenticate yourself. Usually, your account has an additional option approved, such as an app or SMS, in case you lose the token.
- Device: Apple and Google both provide options to ‘approve’ or ‘decline’ sign-in from devices already enrolled to do so after you have entered the password.
Some examples of “something you are”:
- Fingerprint ID
- Face ID
- Voice ID
Choosing the Right Option for Me
Oftentimes, I’m asked how to choose between the above options. I want to preface my advice with the fact that, even if not perfect, any additional form of authentication, be it SMS-based, multi-factor, or two-step verification, is a positive move forward.

- Are you confident you can keep track of your devices and keep them up to date? You can choose whichever you prefer. That being said, app- and token-based options are considered the industry standard.
- Do you have a limited budget and expect to be changing between devices often? You may consider token or SMS-based, as from what I have seen, multi-device, app-based authentication may require a subscription.
- Do you expect to be changing devices soon? Consider token- or SMS-based MFA. SMS is less secure and has known weaknesses, but even as a minimal added layer it helps, at least by giving you time to change the password if it turns up in a breach.
- Do you struggle with keeping track of your devices? Neither token- nor app-based options may be the best solution for you (unless the app supports syncing across devices). Consider SMS-based, again, with an awareness of its limitations.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.