Two-factor authentication and two-step verification are different things.
They are remarkably similar in concept, the difference being the trust model.
In any security system, trust is a crucial element to understand. What can be trusted, what cannot be trusted and how do you mitigate risks associated with the elements you cannot trust (there are shades of grey too – things you trust a bit, but not fully).
Two-factor authentication and two-step verification are both authentication systems designed to increase the level of trust in a username/password exchange.
Rather than simply rely of the user indicating knowledge of a password (which an attacker can steal or guess) the concept is to rely on two independent items of information. For example, a password and an additional code sent via SMS message. It is the independence of this additional item of information that makes the difference, and crucially how much you can trust it.
With two-factor authentication there should be complete independence. One factor cannot be influence or gained by knowledge of the other. This is where devices such as a smart card or authentication token are used.
- What about tokens generated on a phone?
- What about SMS messages sent to a phone?
The question here relates to independence.
Certainly there are two steps – hence two-step verification. But are they independently providing two factors? Let’s explore a use case…
I try to log onto a secure site from my smart phone. I provide my username, followed by password. The service provider sends a code via SMS to the same smart phone. I provide the code from the SMS to the login screen (two steps).
What happens when a hacker breaks my phone? They can intercept my username / password and SMS – it’s all in one convenient place. Same if they steal my phone.
The same scenario is true for tokens generated on the phone.
Hence, these mechanisms are not two factor – they fail the independence rule.
Two-step verification is vastly better than just passwords alone. But be wary, it is not fool-proof – if your phone is hacked or stolen the attacker can still become you, just as they could in the password only world.
Where possible, for added security try to use genuine two factor authentication.
A half-way house I use (and I am waiting for the flames as a write), never login to a site I care about from my smart phone – if that phone is part of the authentication chain – i.e., I try to maintain some level of independence. Not great, but the best available today.