Security isn’t a simple matter of caring, or of spending time reading manuals, or of being told what you can or can’t do. Security is understanding how to view the world from a different perspective. It’s a skill that people build over time, and it’s completely appropriate to start out small. If you can do nothing else, consider access to your accounts: professional, banking and social media. Consider how hard a malicious actor needs to work to gain access to each of them. Then layer on restrictions to limit that likelihood.
What do I mean by “layering”? Consider someone looking to steal a vehicle.
- A vehicle unlocked and parked on the street can easily be picked up in an opportunistic attack. This is how I would view an account with a poor or easily guessable password.
- A vehicle that’s locked and parked on a busy street, whilst still vulnerable, is more secure than the first. This is how I would view a secure password.
- A vehicle that’s locked and stored in a secure garage requires knowledge and skill to steal. This is how I would view an account using a secure password and second form of authentication.
What Is the Difference Between Two-Factor Authentication and Two-Step Verification?
To understand this, you need to understand what multi-factor is: something you have, something you know, and something you are. That is, separate pieces that together prove who you are. The more pieces that are used as validation, the lower the likelihood that someone else will be able to authenticate themselves as you. There are further options available, but these three are the most commonly used.
Two-factor authentication is a form of multi-factor authentication that uses exactly two of those three categories, one from each: something you know combined with something you have, for example, rather than two things you know.
Some examples of “something you know”:
- Password or passphrase
- Answer to a security question
Some examples of “something you have”:
- SMS: Have you received SMS text messages containing a verification code? This is a form of multi-factor authentication! Whilst there are limitations on the security of this option (a code sent by text can be intercepted or diverted to an attacker’s handset through SIM swapping), remember the car examples. It’s better than no second piece.
- App: There are many options out there, both paid (Duo Security, for example) and free (Authy). These apps give you two options after password entry: first, you can use them to generate a short-lived verification code, derived from a secret shared with the service when you enrolled, which works even with no network connection; and second, you can request a push notification, at which point you can ‘approve’ or ‘decline’ the sign-in.
- Physical token: if you have ever heard of YubiKey, it’s one of the most well-known forms of physical- or hardware token-based authentication. Using this option, you enter a password and then plug the device in (or tap it against your phone or reader) to authenticate yourself. Usually, your account has an additional option approved, such as app or SMS, in case you lose the token; bear in mind that this fallback is then the weakest link an attacker can target, so choose it as carefully as the token itself.
- Device: Apple and Google both provide options to ‘approve’ or ‘decline’ a sign-in from devices already enrolled to do so, after you have entered the password.
A few examples of “something you are”:
- Fingerprint ID
- Face ID
- Voice ID
All of these different factors are authenticated in separate stages. Consider it more like entering door one, then moving forward and entering door two. Another way of looking at it is like entering two separate passwords. One needs to be validated as correct prior to the second password being requested.
Two-step verification is similar to two-factor authentication. Instead of using two different categories of factor, however, it usually uses separate authentication challenges that all fall within just one of the three categories identified above. A password followed by the answer to a security question, for example, is two steps but a single factor, since both are something you know, and an attacker who has phished one has often phished the other.
Choosing the Right Option for Me
Oftentimes, I’m asked how to choose between the “something you have” options above. I want to preface my advice with the fact that even if not perfect, any additional form of authentication, be it SMS-based, multi-factor or two-step verification, is a positive move forward.
- Are you confident you can keep track of your devices and keep them up to date? Then you can choose whichever you prefer. That being said, token- and app-based authentication are considered the industry standard, and they are what I would suggest.
- Do you have a limited budget and expect to be changing between devices often? You may consider token- or SMS-based, as from what I have seen, multi-device, app-based authentication requires a subscription.
- Do you expect to be changing devices soon? Consider token- or SMS-based MFA.
- Do you struggle with keeping track of your devices? Token- and app-based may not be the best solution then. Consider SMS-based.
The above are just a few examples for personal and/or family use. There are additional considerations for individuals who want to choose what option is right for them. If you are an organisation, it is your responsibility to provide industry standard authentication to employees to help them protect their accounts and your infrastructure, and ultimately to make them part of both the security and privacy programme. If you’re an application provider, it is your responsibility to provide a variety of options for consumers.
About the Author: Zoë Rose is a highly regarded hands-on cybersecurity specialist, who helps her clients better identify and manage their vulnerabilities and embed effective cyber resilience across their organisation. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at international conferences. Recognised in the 50 most influential women in cybersecurity UK for the past two years, and the PrivSec 200, Zoë is quoted in the media, has presented on National News, has been featured in Vogue Magazine, and was the spokesperson for Nationwide’s Over Sharing campaign that had a reach of 306 million citizens.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.