How does two-factor authentication (2FA) differ from two-step authentication (2SV)?

Posted by RedX (staff member)
Two-factor (2FA) and two-step (2SV) authentication are ways to further protect your account. Even developers often put an equal sign between them. But this is not true.

What is two-factor authentication?
The key word here is factor. In total, there are four of them:

  • knowledge of something, for example, a username, password, key, passphrase, or any other secret information that is set when creating a profile;
  • possession of something, for example, a hardware token or a smartphone with an app that generates codes;
  • presence in a specific location, for example, the user's IP address or radio tag is used for identification;
  • possession of certain biological features, for example, a scan of the fingerprint or the iris of the eye.
Two-factor authentication is when two factors are used sequentially.

For example, I have a Yandex account that has two-factor authentication enabled in its settings. To access it on a new device, two factors must be observed:

  1. I know my username.
  2. I own a smartphone with the Yandex.Key app, which generates authorization codes.
There are other applications for generating codes: Google Authenticator, Microsoft Authenticator, LastPass Authenticator. But they all solve the same problem: they act as the second factor in user authorization.

Instead of a smartphone with the app, you can use a hardware token. It connects via a USB, Bluetooth, or NFC port. When you register for another service and enable two-factor authentication, a new key pair is generated inside the token. The public key is transmitted to the server, and the private key is stored on a hardware token.

For two-factor authentication using tokens, the FIDO U2F protocol is used. On the USB-Dongle Authentication website, you can view a list of services that support it. Among them, for example, are the messengers WhatsApp, Viber, Slack and Telegram.

The authorization process using a hardware token is as follows:

  1. Connect the hardware token to the device.
  2. Enter your username and password on the service.
  3. Press a physical button on the token, or perform another action that confirms the user's presence at the computer.
  4. The public and private keys are reconciled.
  5. Authorization succeeds if the keys match.
The FIDO U2F protocol is supported by the Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera browsers. Safari doesn't have support by default, but you can add it using the extension available for download on GitHub.

With fingerprint scanning, iris scanning, and location detection, the situation is similar. For the second factor to work, you need support from the services and devices that the user is trying to log in to.

What is two-step authentication?
With two-step authentication, things are much easier. Let's say you enter your password and receive a confirmation code via SMS. These are two stages, but one factor is knowledge.

For example, two-step authentication is used in Telegram. When you log in on a new device, you will receive a confirmation code in the chat (if you have access to your account on another device) or via SMS. This is the first stage. After enabling two-step authentication in the security settings, you will see one more step: enter the password that you created yourself. Again, two steps, but one factor is knowledge.

Two-factor and two-step authentication are often confused, because in practice the line between them is very thin.
The topic of determining the authentication type is subject to disputes. For example, there is an opinion that confirmation of identity via a code in an SMS is a factor in owning the SIM card to which the message is sent. Therefore, it is worth talking about this authentication technology as a two-factor, albeit extremely weak one, because the SIM card can be reissued without any problems, and the phone number can be replaced.

Most likely, the roots of these disagreements go back to a time when sending a code via SMS was really considered the second verification factor. However, this practice remains in the past. Back in 2016, the American National Institute of Standards and Technology (NIST) recommended against using SMS in 2FA due to the high risk of hacking. As an alternative, code generator applications and hardware tokens are offered.

However, some services continue to call SMS the second factor. For example, GitHub offers two ways to use two-factor authentication: generating a key in the app and sending the code in a message. The opposite also happens: Google calls all additional security methods two-step authentication, although some of them include using a hardware token and generating codes in the app.

However, these disagreements arise only in disputes between people interested in information security. Developers just need to remember that confirmation of identity via SMS is weak protection and, if possible, add support for stronger factors. Ordinary users do not need to clearly understand the difference between two-step and two-factor authentication.