
What is 2-step verification and why should you care?

- 5 MIN READ - 11 Feb 2015

One of the key trends of 2015 for web apps and services will likely be a much wider adoption of 2-step verification.

In itself it’s not a security measure based on any new technology, and it is already used by some service providers handling extremely personal information, Google and Facebook to name just a few.

To put it simply, 2-step verification builds an extra layer of security on top of your existing account verification system. In addition to the regular user name and password, a user is given a unique one-time password or PIN code generated for this specific session only. The password then has to be entered correctly to log in.

This makes it much more difficult for an attacker to impersonate you and access your accounts or resources, as simply getting hold of your regular password and user name will not be enough.

How are the one time passwords delivered?

There are a few different ways:

E-mail

This is mostly used during the sign-up process to make sure the e-mail address you claimed as your user name actually belongs to you. The reason it is not widely used as a verification tool later on is that e-mail is generally not considered secure enough for password exchange. There is also a high risk that someone who has learned your passwords for any app did so by gaining access to your primary e-mail account in the first place.

PIN code generating device

Used mostly by banks, this verification method requires you to have a separate physical PIN or password generator, which makes the whole process reasonably secure. This method, however, has a few major shortcomings: distribution and the cost of the physical devices are the most crucial ones.

Using mobile phone and SMS

The main reason this is the method used by Google as well as a few others is that it solves the security issues presented by e-mail and distribution/cost issues which come with dedicated password generating devices. At the same time it involves another physical device by making use of your phone, completely separating the two steps of the verification process.

Whenever a user wants to set up a mobile 2-step verification for an account, he has to tie his phone number to the account when setting it up and all one time passwords will be delivered to his personal number in the future.
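The flow described above (password first, then a one-time code generated for this login session and sent to the enrolled phone number), as an added example that is not Messente's code. `SecondStep`, the `send_sms` callback, the 5-minute lifetime and the 3-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3       # assumed number of guesses allowed per code


class SecondStep:
    """Second login step: a one-time code bound to a single login session."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # hypothetical gateway hook: callable(phone, text)
        self._clock = clock
        self._phones = {}   # username -> phone number tied to the account
        self._pending = {}  # session_id -> [digest, expires_at, attempts_left]

    def enroll(self, username, phone):
        self._phones[username] = phone

    def start(self, username):
        """Call only after the user name and password were accepted."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        session_id = secrets.token_urlsafe(16)
        expires_at = self._clock() + OTP_TTL_SECONDS
        # Keep a digest tied to the session rather than the code itself.
        self._pending[session_id] = [self._digest(session_id, code), expires_at, MAX_ATTEMPTS]
        self._send_sms(self._phones[username], f"Your login code is {code}")
        return session_id

    def verify(self, session_id, code):
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # unknown session, or code already used or burned
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[session_id]
            return False
        if hmac.compare_digest(digest, self._digest(session_id, code)):
            del self._pending[session_id]  # one-time: a replay must fail
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[session_id]  # stop brute-forcing of 6 digits
        return False

    @staticmethod
    def _digest(session_id, code):
        return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()
```

A code is accepted once, only for the session it was issued to, only before it expires, and only within the attempt limit; every other path returns `False` without saying which check failed.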

Why should I care?

Phone numbers becoming an increasingly bigger part of our formal identity is an important trend for both web based service providers as well as the users.

General passwords are vulnerable

Leaks on a major scale became more frequent last year. As data security keeps evolving, unfortunately so do methods of data theft, so leaks are unlikely to disappear.

On the other hand the number of passwords people have as part of their everyday life increases year by year. As a result we are re-using passwords, creating them to be memorable and therefore vulnerable.

Users pay more and more attention to data security

If we are asked whether we would want our personal data to be 100% secure, the answer is almost always yes. In practice, people would sacrifice some security for added convenience. The question is to what extent.

Already now we would not trust a bank whose online banking environment only uses a regular password. The thought alone that the only thing standing between a hacker and my money is knowing the name of my goldfish would make me take my business elsewhere.

*****

Coming back to the very beginning of this post it is believed that 2015 will bring about the tipping point in adopting mobile 2-step verification driven by the increased concern for the security of personal data as well as resources.

In some cases it is even predicted that 9 out of 10 service providers will embrace it as the new account security standard this year. In any case, it is safe to say it will be used not only by financial institutions but by all services (B2B or B2C) where a considerable amount of damage could be done by misusing your account.

Lauri Kinkar - CEO

Lauri makes sure the company keeps moving in the right direction. His spare time is divided between motorcycle trips, floorball and spending time with his kids.
