What is 2-step verification and why should you care?

5 min read - 11 Feb 2015

One of the key trends of 2015 for web apps and services will likely be a much wider adoption of 2-step verification.

In itself it is not a security measure based on any new technology, and it is already used by some service providers that handle extremely personal information, Google and Facebook to name just two.

To put it simply, 2-step verification builds an extra layer of security on top of your existing account verification system. In addition to the regular user name and password, the user is given a unique one-time password or PIN code generated for this specific session only. That code then has to be entered correctly to log in.

This makes it much more difficult for an attacker to impersonate someone else and access their accounts or resources, as simply getting hold of your regular password and user name will not be enough.

How are the one time passwords delivered?

There are a few different ways:

E-mail

This is mostly used during the sign-up process to make sure the e-mail address you claimed as your user name actually belongs to you. The reason it is not widely used as a verification tool later on is that e-mail is generally not considered secure enough for password exchange. There is also a high risk that if someone has learned your password for any app, he has done it through gaining access to your primary e-mail account in the first place.

PIN code generating device

Used mostly by banks, this verification method requires you to have a separate physical PIN or password generator, which makes the whole process reasonably secure. This method, however, has a few major shortcomings – distribution and the cost of the physical devices being the most crucial ones.

Using a mobile phone and SMS

The main reason this is the method used by Google and a few others is that it solves the security issues presented by e-mail and the distribution and cost issues that come with dedicated password-generating devices. At the same time it involves another physical device, your phone, completely separating the two steps of the verification process.

Whenever a user wants to set up mobile 2-step verification for an account, he ties his phone number to the account during setup, and all one-time passwords will be delivered to that personal number in the future.
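The second step described above, as an added example that is not Messente's code: a login service issues a one-time PIN for one session, stores only a hash of it, sends it to the phone number tied to the account, and accepts it once before it expires. The `send_sms` hook, the five-minute lifetime and the three-attempt limit are assumptions; the in-memory dictionary stands in for a database.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the article's or Messente's code. Only the SMS delivery is
# stubbed (send_sms is a hypothetical hook); the rest is what a server must do
# with a session-specific PIN: issue, store a hash, expire, limit, accept once.

PIN_TTL_SECONDS = 300   # assumption: a PIN is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: three wrong guesses burn the PIN
PIN_DIGITS = 6

_pending = {}           # session_id -> state; stand-in for a database table


def _pin_hash(session_id: str, pin: str) -> str:
    # Bind the digest to the session so a stored hash cannot be replayed
    # against another session, and a leaked table does not expose live PINs.
    return hashlib.sha256(f"{session_id}:{pin}".encode()).hexdigest()


def issue_pin(session_id: str, phone_number: str, send_sms, now=None) -> None:
    """Start step two: generate a PIN for this session and send it via SMS."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"  # CSPRNG
    _pending[session_id] = {
        "hash": _pin_hash(session_id, pin),
        "expires": now + PIN_TTL_SECONDS,
        "attempts": 0,
    }
    send_sms(phone_number, f"Your login code is {pin}")


def verify_pin(session_id: str, submitted: str, now=None) -> bool:
    """Accept the PIN at most once, before expiry, within the attempt budget."""
    now = time.time() if now is None else now
    state = _pending.get(session_id)
    if state is None or now > state["expires"]:
        _pending.pop(session_id, None)      # expired or never issued
        return False
    state["attempts"] += 1
    ok = hmac.compare_digest(state["hash"], _pin_hash(session_id, submitted))
    if ok or state["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(session_id, None)      # single use, or burned by guessing
    return ok
```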

Why should I care?

Phone numbers are becoming an increasingly large part of our formal identity, an important trend for web-based service providers as well as for users.

General passwords are vulnerable

Leaks on a major scale became more frequent last year. As data security keeps evolving, unfortunately so do the methods of data theft, so leaks are unlikely to disappear.

On the other hand, the number of passwords people have as part of their everyday life increases year by year. As a result we re-use passwords and create them to be memorable, and therefore vulnerable.

Users pay more and more attention to data security

If we are asked whether we would want our personal data to be 100% secure, the answer is almost always yes. In practice, people will sacrifice some security for added convenience; the question is to what extent.

Even today we would not trust a bank whose online banking environment uses only a regular password. The thought alone that the only thing standing between a hacker and my money is knowing the name of my goldfish would make me take my business elsewhere.

*****

Coming back to the very beginning of this post, it is believed that 2015 will bring about the tipping point in adopting mobile 2-step verification, driven by the increased concern for the security of personal data as well as resources.

In some cases it is even predicted that 9 out of 10 service providers will embrace it as the new account security standard this year. In any case it is safe to say it will be used not only by financial institutions but by all services (B2B or B2C) where considerable damage could be done by misusing your account.

Lauri Kinkar - CEO

Lauri makes sure the company keeps moving in the right direction. His spare time is divided between motorcycle trips, floorball and spending time with his kids.
