Two-step verification is a process involving two stages to verify the identity of an entity trying to access services on a computer or network. It is a special case of multi-factor authentication in which both steps may draw on only one of the three authentication factors (a knowledge factor, a possession factor, and an inherence factor). If each step involves a different authentication factor, the two-step authentication is also two-factor authentication.
To provide an everyday example: an automated teller machine (ATM) typically requires two-factor verification. To prove that users are who they claim to be, the system requires two items: an ATM smartcard (application of the possession factor) and the personal identification number (PIN) (application of the knowledge factor). In the case of a lost ATM card, the user's accounts are still safe; anyone who finds the card cannot withdraw money as they do not know the PIN. The same is true if the attacker has only knowledge of the PIN and does not have the card. This is what makes two-factor verification more secure: there are two factors required in order to authenticate.
Note that if the ATM card is merely a magnetic-stripe card, which can be copied, then the process is only two-step authentication and not two-factor authentication, since the ATM is only verifying that the user knows the data encoded on the magnetic stripe (a knowledge factor) and presented it in magnetic-stripe form. A smartcard with a chip performs a challenge/response authentication; the information transmitted from the card to the ATM is not the information required to duplicate the card's abilities.
Google's two-step verification process
Google was one of the first Internet companies to introduce a two-step verification process. To access a Google service using the two-step verification process, a user has to go through the following two stages:
- The first step is to log in using the username and password. This is an application of the knowledge factor.
- The second step requires a mobile phone or the Google Authenticator application, which is an application of the knowledge factor. A user who opts to use a mobile phone has to register the phone number with Google. When the user authenticates with username and password, Google sends a new, unique code to that phone via SMS. Receiving the SMS demonstrates only that the recipient knows the phone's IMEI, which is sufficient to convince the phone network to direct the SMS to an attacker.
If the user opts to use Google Authenticator (or another supported code-generator application), he/she simply opens the application, which generates a new code every 30 seconds. This code is entered to complete the log-in process. As a backup in case the registered mobile phone or the device running Google Authenticator is lost, stolen, or otherwise unavailable, the user can print a set of static single-use backup codes (also a knowledge factor) and store them in a safe place.
Other sites offering a two-step verification service
The following are some other sites that offer a two-step verification service:
- Amazon Web Services
- Apple ID
- Yahoo! Mail