
What is 2-step verification and why should you care?

- 5 MIN READ - 11 Feb 2015

One of the key trends of 2015 for web apps and services will likely be a much wider adoption of 2-step verification.

In itself it is not a security measure based on any new technology, and it is already used by some service providers handling extremely personal information, Google and Facebook to name just two.

To put it simply, 2-step verification builds an extra layer of security on top of your existing account verification system. In addition to the regular user name and password, the user is given a unique one-time password or PIN code generated for this specific login attempt only. That code then has to be entered correctly before the login completes.

This makes it much more difficult for an attacker to impersonate someone else and access their accounts or resources, because simply getting hold of the regular user name and password is no longer enough.

How are the one time passwords delivered?

There are a few different ways:

E-mail

This is mostly used during the sign-up process to make sure the e-mail address you claimed as your user name actually belongs to you. The reason it is not widely used as a verification channel later on is that e-mail is generally not considered secure enough for exchanging passwords. There is also a high risk that if someone has learned your password for some app, they did it by gaining access to your primary e-mail account in the first place, in which case a code sent to that same mailbox protects nothing.

PIN code generating device

Used mostly by banks, this verification method requires you to carry a separate physical PIN or password generator, which makes the whole process reasonably secure. It does however have a few major shortcomings, the most crucial being the distribution and the cost of the physical devices.

Using mobile phone and SMS

The main reason this is the method used by Google and a number of others is that it solves the security issues presented by e-mail as well as the distribution and cost issues that come with dedicated password-generating devices. At the same time it still involves a second physical device, your phone, so the two steps of the verification process travel over separate channels.

Whenever a user wants to set up mobile 2-step verification for an account, they tie their phone number to the account during setup, and all future one-time passwords are delivered to that number.
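The server side of the flow described above, as an added example that is not part of the original post or of any Messente product: the service generates the one-time code, hands it to the SMS channel, and later checks what the user typed. The store, the `OtpStore` class, the 6-digit length, the 5-minute lifetime and the 3-attempt limit are all assumptions chosen for illustration; the SMS sending itself is left to whatever gateway the service uses. The points the code makes concrete are that the code is bound to the login attempt that requested it, is stored only as a hash, expires, can be guessed only a few times, and works exactly once.

```python
"""Issue and verify SMS one-time passwords for 2-step verification.

Added example (assumed design, not code from the original post).
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # assumption: 6-digit numeric code, as typed from an SMS
OTP_TTL_SECONDS = 300     # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3          # assumption: 3 wrong guesses invalidate the code


class OtpStore:
    """Pending one-time passwords, keyed by account (in-memory for the example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}           # account -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(account, session_id, code):
        # The stored value is a hash over account, login session and code, so a
        # leaked store does not reveal live codes and a code cannot be replayed
        # from a different login session.
        data = f"{account}|{session_id}|{code}".encode()
        return hashlib.sha256(data).digest()

    def issue(self, account, session_id):
        """Create a fresh code for this login attempt and return it for SMS delivery."""
        # secrets, not random: the code must be unpredictable to an attacker.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = {
            "digest": self._digest(account, session_id, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # Issuing a new code replaces any older one for the account.
        return code   # pass to the SMS gateway; never log it

    def verify(self, account, session_id, submitted):
        """Return (ok, reason). A correct code is consumed; a code is never valid twice."""
        entry = self._pending.get(account)
        if entry is None:
            return False, "no pending code"
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False, "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]
            return False, "too many attempts"
        # Constant-time comparison of digests, so timing does not leak matching prefixes.
        ok = hmac.compare_digest(
            entry["digest"], self._digest(account, session_id, submitted)
        )
        if ok:
            del self._pending[account]   # single use
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice", "login-session-42")
    print("SMS to alice's number would say: Your code is", code)
    print(store.verify("alice", "login-session-42", code))   # (True, 'ok')
    print(store.verify("alice", "login-session-42", code))   # (False, 'no pending code')
```

In a real deployment the pending entries would live in a shared store rather than a Python dict, and the phone number lookup and SMS call sit between `issue` and the user's reply. The design decisions worth copying are the ones visible here: bind the code to the login attempt, hash it at rest, expire it quickly, cap guesses, and delete it on first successful use.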

Why should I care?

Phone numbers are becoming an increasingly large part of our formal identity, and that is an important trend for web-based service providers and users alike.

General passwords are vulnerable

Large-scale leaks became more frequent last year. As data security keeps evolving, unfortunately so do the methods of data theft, so leaks are unlikely to disappear.

At the same time, the number of passwords people have to manage in everyday life increases year by year. As a result we re-use passwords and choose them to be memorable, and therefore guessable.

Users pay more and more attention to data security

If we are asked whether we would want our personal data to be 100% secure, the answer is almost always yes. In practice people will sacrifice some security for added convenience; the question is to what extent.

Even today we would not trust a bank whose online banking environment relied on a regular password alone. The thought that the only thing standing between a hacker and my money is knowing the name of my goldfish would make me take my business elsewhere.

*****

Coming back to the very beginning of this post, 2015 is expected to bring the tipping point in adopting mobile 2-step verification, driven by increased concern for the security of personal data as well as resources.

It has even been predicted that 9 out of 10 service providers will embrace it as the new account security standard this year. In any case it is safe to say it will be used not only by financial institutions but by all services (B2B or B2C) where considerable damage could be done by misusing your account.


Lauri Kinkar - CEO

Lauri makes sure the company keeps moving in the right direction. His spare time is divided between motorcycle trips, floorball and spending time with his kids.
