If you really want to stay protected while browsing the internet, it’s of utmost importance to beef up your security with as many options as possible. For example, it’s highly recommended to use two-factor authentication (2FA) everywhere it is available, but there is also another verification known as two-step verification (2SV). At first glance these two terms may seem to be the same thing, and some ‘experts’ are using the two as interchangeable terms – but there is an important difference between them.
And since they both have their own pros and cons in the way that they are used and their security it’s important to learn the distinction. The main idea is this, however: both methods aim to help users secure their account and add a secondary authentication layer to strengthen security.
In essence, human authentication relies on at least one of the following: either ‘something you know’ such as a password, or ‘something you have’ such as a device. In particular the latter commonly utilizes phones, smartwatches, or computers. With the rise of biometric authentication there is now additionally ‘something you are’, such as Touch ID using your fingerprint – but won’t be discussing this in this article.
When you authenticate yourself on iCloud, for example, you know the details that nobody else does. This is your password, which is used to distinguish you from other individuals. Whenever you log in the system is checking that the person claiming to be you knows this secret information, which is why we enter our username and passwords.
The problem with this method is that – in light of rising cyber attacks and password spoofing – single-key authentication isn’t enough anymore. It might be enough for certain services, but for an extra level of security it is smart to use two-key authentication. This is how the ‘something you know’ is combined with ‘something you have’. Both the two-step verification and two-factor authentication are based on ‘something you have’ as they assume that device registered to you (most commonly a smartphone) is to hand.
Apple introduced the two-step verification process for Apple ID owners in 2013, adding another verification step on top of the password by utilizing a trusted device. To set up two-step verification, Apple users need to register one or more trusted devices, which then receive a four-digit verification code using either SMS or Find My iPhone. When a user signs into Apple ID or iCloud or makes an iTunes, App Store or iBooks purchase from a new device, his or her identity is first verified with the password and the four-digit verification code.
Users also get a 14-character Recovery Key, which they need to keep in a safe place and use to regain control of their account if they lose access to their trusted device or forget their password.
With the launch of iOS 9 in 2015, Apple improved their previous two-step verification by introducing two-factor authentication. By using this method you still need a trusted device and a trusted phone number, and the account can only be accessed from trusted devices such as your iPhone, iPad, or Mac.
When you log into a new device for the first time, you’ll need to provide two pieces of information: the password and the six-digit verification code that is then automatically displayed on the trusted device(s). By entering these you’ll confirm that the new device is trusted until you sign out completely, erase the device or need to change the password for security reasons.
By enabling two-factor authentication, Apple and other companies have added another roadblock to stop attackers since they now have to steal two pieces of information, not only the password. Various security reports have shown that SMS-based verification codes aren’t as secure as the one-time passwords sent by Apple and generated by apps such as Google’s Authentication app or the popular Authy, as SMS messages can be stolen.
What This Means for You
While 2FA is secure enough to prompt Wall Street Journal writer John Kuczala to divulge his Twitter password to the public and still remain completely protected, the whole point is to keep both your password and the one-time password to yourself when logging in, be it into Apple services or other services that use 2FA, such as Dropbox or Evernote. Fortunately, the number of services enabling 2FA and 2SV is rising, which should increase the overall security of every netizen.
Best Password Managers of 2019