Two-factor authentication vs. Two-step verification – you’ve probably missed this tiny difference

Now that vacation season’s coming to an end, it’s a good moment to review the security of your online accounts, or at the very least - beef up your security knowledge. Let’s start from here: two-factor authentication and two-step verification are two different concepts.

By now, I believe that pretty much everyone’s aware of the fact that no matter how strong your password is – it’s not strong enough if someone gets a hold of your credentials. It’s 2018 and cybercrime’s on the rise.

The sad truth is that we’re yet to come to terms with how demanding good password hygiene can be. We’re notoriously bad at creating long, unique and complex passphrases and committing to remembering them or storing them in an encrypted environment.  

A recent survey by Keeper Security proves that – more than 80% of people aged between 18-30 reuse the same password across different applications. What’s more alarming is that 29% of the respondents also admitted to sharing passwords with two or more people.

That’s why a lot of apps actually encourage their users to enable a second security layer to their accounts, like two-step authentication or two-step verification. And by any means, if the apps you use provide an option for two-factor authentication, just take a minute to enable it. 

Two-factor authentication vs two-step verification

So why am I distinguishing between two-factor authentication and two-step verification? Here’s the thing, throughout the years both terms have been used interchangeably, mostly due to the way they have been marketed. Indeed, both approaches are similar and while they are good ways to improve your security online, a security expert will tell you that there’s a difference that everyone’s missing. 

It all comes down to understanding the definition of an authentication factor. The purpose of an authentication factor is to verify your identity as the owner of your account, when you log in to your account. There are three generally recognized factors for authentication:

  • Something that only you know (your password, security PIN etc)
  • Something that only you possess (smartphone, a SIM card, USB security key)
  • Something that’s physically unique for you (fingerprint, iris)

Hence, combining two authentication factors brings an extra layer of security upon access.

Disadvantages of each approach

Services like Google, Apple and Microsoft combine the first two – something you know and something you physically possess with two-step verification. Technically, however, this approach brings some problems. One-time codes and passwords don’t necessarily require the possession of a device. It’s not that difficult to intercept text messages in transit, and that has been a long-time problem. That’s why some security experts refer to one-time codes and passwords as “additional knowledge” as the element of physical possession can be eliminated.

Authentication, where one-time codes are sent to authenticator apps strengthens the processes.

What a lot of people seem to be missing, however, is the fact that a one-time code is only one approach to adding a second authentication step. Some security analysists point out that a second factor that’s physically unique for the user, like a fingerprint defines true two-factor authentication. Provided that today we use most apps on multiple devices, however, there’s the question if this form of two-factor authentication is as available and easily applicable.

Enabling two-step verification or two-factor authentication

Should I still enable two-step verification, though?

Definitely! As I’ve mentioned, a lot of services use the terms two-step verification and two-step authentication interchangeably. They are good ways to bump up the security for your online accounts, as they require more than just your password.

Am I safe if I use a weak password as long as I enable Two-factor authentication?

The two authentication factors require different breach approaches. Depending on how weak your password + two-factor combination is, it may still be safer than a single strong password (and that still depends on how you define “strong”). If you’ve taken the extra minute to turn on two-factor authentication, I’d still recommend foregoing convenience and keeping a strong password.

Stalina Zoir, Marketing Specialist at pCloud

  • Also check out how to enable two-factor authentication on your iPhone or Android device
Stalina Zoir

Stalina Zoir is a marketing specialist at pCloud. She is hard worker, always finding solutions that help people from all parts of the world.