What is 2-step verification and why should you care?

- 5 MIN READ - 11 Feb 2015

One of the key trends of 2015 for web apps and services will likely be a much wider adoption of 2-step verification.

In itself, it is not a security measure based on any new technology, and it is already used by some service providers handling extremely personal information, Google and Facebook to name just a few.

To put it simply, 2-step verification builds an extra layer of security on top of your existing account verification system. In addition to the regular user name and password, a user is given a unique one-time password or PIN code generated for this specific session only. That password then has to be entered correctly to log in.

This makes it much more difficult for an attacker to impersonate someone else and access their accounts or resources, as simply getting hold of the regular password and user name will not be enough.

How are the one time passwords delivered?

There are a few different ways:

E-mail

This is mostly used during the sign-up process to make sure the e-mail address you claimed as your user name actually belongs to you. The reason it is not widely used as a verification tool later on is that e-mail is generally not considered secure enough for password exchange. There is also a high risk that if someone has learned your passwords for any app, he has done so through gaining access to your primary e-mail account in the first place.

PIN code generating device

Used mostly by banks, this verification method requires you to have a separate physical PIN or password generator, which makes the whole process reasonably secure. This method, however, has a few major shortcomings: distribution and the cost of the physical devices being the most crucial ones.

Using mobile phone and SMS

The main reason this is the method used by Google as well as a few others is that it solves the security issues presented by e-mail and distribution/cost issues which come with dedicated password generating devices. At the same time it involves another physical device by making use of your phone, completely separating the two steps of the verification process.

When a user sets up mobile 2-step verification for an account, he has to tie his phone number to the account, and from then on all one-time passwords will be delivered to that personal number.
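The flow described above (a PIN generated for one login session only, sent to the phone number tied to the account, then checked on entry), as an added example that is not Messente's code or API. The `send_sms` callback, the class and method names, the 6-digit length, the 5-minute lifetime and the 3-attempt limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed validity window for a PIN
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per PIN


class SecondStep:
    """Issues and checks one-time PINs, each bound to a single login session."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical delivery callback: (phone, text)
        self._clock = clock
        self._pending = {}          # session_id -> PIN record

    def start(self, session_id, enrolled_phone):
        """Call only after the user name and password check has passed."""
        # enrolled_phone is the number tied to the account at setup time,
        # never a number supplied with the login request.
        pin = f"{secrets.randbelow(10**6):06d}"   # drawn from the OS CSPRNG
        self._pending[session_id] = {
            "pin": pin,
            "expires": self._clock() + PIN_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        self._send_sms(enrolled_phone, f"Your login code is {pin}")

    def verify(self, session_id, submitted_pin):
        entry = self._pending.get(session_id)
        if entry is None:
            return False            # no PIN outstanding for this session
        expired = self._clock() > entry["expires"]
        matches = hmac.compare_digest(submitted_pin.encode(), entry["pin"].encode())
        entry["attempts_left"] -= 1
        ok = matches and not expired
        if ok or expired or entry["attempts_left"] <= 0:
            del self._pending[session_id]   # burn on success, expiry or lockout
        return ok


if __name__ == "__main__":
    outbox = []   # constructed stand-in for an SMS gateway
    step = SecondStep(lambda phone, text: outbox.append((phone, text)))
    step.start("session-1", "+10000000000")   # constructed phone number
    code = outbox[-1][1].split()[-1]
    print(step.verify("session-2", code), step.verify("session-1", code))
```

A PIN is accepted once, only for the session it was issued to, and is discarded after expiry or too many wrong guesses, so a code that is intercepted later or guessed slowly is of no use.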

Why should I care?

Phone numbers becoming an ever bigger part of our formal identity is an important trend for both web-based service providers and users.

General passwords are vulnerable

Leaks on a major scale became more frequent last year. As data security keeps evolving, so, unfortunately, do methods of data theft, so leaks are unlikely to disappear.

On the other hand, the number of passwords people have as part of their everyday life increases year by year. As a result, we re-use passwords and create them to be memorable, and therefore vulnerable.

Users pay more and more attention to data security

If we are asked whether we would want our personal data to be 100% secure, the answer is almost always yes. In practice, people would sacrifice some security for added convenience. The question is to what extent.

Even now, we would not trust a bank whose online banking environment only uses a regular password. The thought alone that the only thing standing between a hacker and my money is knowing the name of my goldfish would make me take my business elsewhere.

*****

Coming back to the very beginning of this post, it is believed that 2015 will bring about the tipping point in adopting mobile 2-step verification, driven by the increased concern for the security of personal data as well as resources.

In some cases it is even predicted that 9 out of 10 service providers will embrace it as the new account security standard this year. In any case, it is safe to say it will be used not only by financial institutions but by all services (B2B or B2C) where a considerable amount of damage could be done by misusing your account.

Lauri Kinkar - CEO

Lauri makes sure the company keeps moving in the right direction. His spare time is divided between motorcycle trips, floorball and spending time with his kids.
