Two-Step Verification vs. Multi-Factor Authentication

Google recently announced that they have seen a 50% decrease in account compromises since auto-enrolling users in 2-Step Verification (2SV) in late 2021.

This is great news from a cybersecurity stand-point. However, it’s worth noting that two-step verification is less secure than proper multi-factor authentication (MFA).

To understand the difference between 2SV and MFA, consider the following authentication factors:

  1. Something you know (usernames, passwords)
  2. Something you have (phone, security key)
  3. Something you are (retina, iris, fingerprint)
  4. Somewhere you are (geolocation, IP address)
  5. Something you do (typing cadence, handwriting sample)

Using two or more distinct factors in combination is considered multi-factor authentication. The most common combination of MFA is knowledge-based and possession-based (e.g., a user logs in with credentials they know and use an authenticator mobile app to enter a verification code).

Two-step verification, on the other hand, uses two stages of verification from the same factor.

For example, under 2SV a username/password combination initiates the authentication process, where the authenticating server sends the user an e-mail message containing a verification code.

The second step of verification assumes that the user knows: 

  1. The e-mail address associated with the account being logged into
  2. The credentials to that e-mail account

If an attacker were able to gain access to this second step (either through interception in the case of SMS or compromised account credentials), they would also be able to access the originating system.

While 2SV increases the necessary steps to compromise the original target, the benefit is nullified if the user utilizes the same credentials across multiple platforms. It is significantly more difficult for an attacker to obtain access to an account that, for example, requires physical possession of a device to verify the legitimacy of a login attempt.

The added bonus of using a security key or mobile authenticator app for multi-factor authentication is that, assuming you login on your desktop/laptop and verify on your phone, you’re also utilizing an out-of-band method of authentication!

n.b. NIST SP 800-63B classifies the use of PSTN/SMS as a restricted method for out-of-band verification due to the threat vectors associated with it (i.e., social engineering, cloning, endpoint compromise, etc).