Simple Questions: What is Two-Step Verification or Two-Step Authentication?

In recent years a security concept has made lots of headlines - two-step verification, also called two-factor authentication. It became widely known when Google enabled it for its users, and since then many companies have followed, including Microsoft and Facebook. If you would like to understand what two-factor authentication is, how it works, why you should enable it and where, read this article. You won't be sorry you did!

What is Two-step Verification/Two-factor Authentication?

Two-step verification is a security process that involves two stages for verifying the identity of a person or entity that is trying to access a service of any kind (e-mail, social networking, banking, etc). The concept is also called two-factor authentication because the two stages rely on two different kinds of authentication factors, out of these three: a knowledge factor (something you know, like a password or PIN), a possession factor (something you have, like a phone or a card) and an inherence factor (something you are, like a fingerprint).

Traditional verification involves only one of the three factors mentioned earlier. For example, if you want to use a digital service like e-mail, traditional verification involves knowing the username and the password, which are both knowledge factors. As we all know, knowledge can be stolen in a variety of ways (phishing pages, malware, leaked databases, the same password reused on several sites) and someone who learns both your username and password can sign in to the same services as you, for all kinds of purposes, and pose as you.

In the real world, traditional verification may involve the knowledge factor and the possession factor together. For example, when you go to an ATM to get cash, you use your debit or credit card (possession factor) and the PIN (knowledge factor). However, online shops only ask for the information printed on the card, and both the PIN and that information can be learned in various ways, so unauthorized parties can make online transactions using your money. That's why the 3-D Secure concept has been developed, to provide an additional security layer for online credit and debit card transactions.

When using two-step verification in the digital world, a second factor is added to your password: the possession factor, usually your smartphone or mobile phone. This device is used for the second stage of verifying your identity. For example, when you sign in to your e-mail account, you first provide your username and password. Then, you are asked to provide a one-time code. This code can be sent to your mobile phone via SMS or can be generated by an authenticator app like Google Authenticator or Microsoft Authenticator; app-generated codes are time-based and are replaced by a new one every 30 seconds. Of the two, the app is the safer choice: an SMS can be read or redirected by someone who takes over your phone number, while the app's code never leaves your device.

Some companies and services also provide physical authentication devices that generate the codes you need to finalize the verification process. For example, many banks provide such devices for two-step verification, so that you can access your bank account online. PayPal also offers one in a small number of countries, including the US.

How Does it Work?

The implementations for two-step verification are many and we won't go into details about all of them.

The most popular implementation is the TOTP (Time-based One-time Password) algorithm, an open standard (RFC 6238) that Google Authenticator made famous. When two-step verification is enabled for your account, the service and your device share a secret key, usually handed over by scanning a QR code. From then on, nothing is transmitted between them: both sides compute the code from that secret and the current time rounded down to a 30-second step, which is why a new code appears every 30 seconds. For this to work, the clock on the device generating the code needs to be in sync with the server's clock, so that the code you enter during the second authentication step matches the one the server computes. Most servers also accept the codes for the previous and the next 30-second step, but if the device's clock is further out of sync than that, you cannot finalize the verification of your identity.

This algorithm is the most widely used one online. Many companies support it, including Google, Microsoft, Facebook, Evernote, Dropbox, WordPress, MailChimp and LastPass, and because it is a standard, one authenticator app can hold the secrets for all of them.

Another popular approach is the one used by banks and credit card providers. It is named 3-D Secure and it is used for approving financial transactions that are made online. The "3-D" stands for the three domains involved: the domain of the merchant and the bank to which money is being paid, the domain of the bank which issued the card being used, and the interoperability domain, the infrastructure that connects the two and supports the 3-D Secure protocol.

This protocol uses only encrypted TLS (SSL) connections for making online transactions and, in order for a transaction to be approved, you need a special password alongside your name and card details. This password may be a temporary, one-time code or it may be a permanent one set by you, the user. Another important aspect is that this password is never stored by the merchant or by the bank to which money is being paid: it is checked by your card issuer's own authentication server. Therefore, if the merchant is hacked, the attackers may get your card details, but not your 3-D Secure password.

Why Do You Need Two-step Verification?

The main reason why you should use two-step verification is to protect yourself. By using this additional layer of protection you make it harder for unwanted parties to access your identity online and steal personal or financial data.

When using 3-D Secure for financial transactions, you make it harder for hackers to steal your money. It is very easy for them to copy your card details but they will have a hard time getting your 3-D Secure password.

When Should You Use Two-step Verification?

Adding an additional authentication step is annoying for everyone but necessary in order to keep our data private. I highly recommend that you enable and use two-step verification for the following types of services:

  • E-mail - your Inbox stores the biggest amount of personal data out of all your online accounts. People can spy on your e-mail history, learn the username for your banking and PayPal accounts, learn more about your work, your relationships and many other important details. Worse, most services send their password-reset links to your e-mail address, so whoever controls your Inbox can take over your other accounts as well. Securing your Inbox is the first thing you should do.
  • Online banking & financial transactions - if you do online banking, if you purchase stuff from Amazon, eBay or other online shops, you must secure your credit or debit card. Ask your bank about 3-D secure and the two-step verification options they offer, enable them and use them.
  • Storing your passwords - many security conscious people use services like LastPass or Roboform, or a local database like KeePass. Securing them is crucial. If your account password is stolen, unauthorized parties have access to all your passwords and can do a lot of harm to you. Online services like LastPass offer two-step verification; KeePass has no online account, so there you protect the database with a strong master password and a key file instead.
  • Social Networking - we store lots of personal data on our Facebook account and on other social networks. If someone else gets access to it, they will learn many things you would rather keep private. For example, if you have a jealous partner, they may already know your Facebook password and keep an eye on what you do. Protect yourself and enable two-step verification.


I hope you found this guide useful. If you have any questions or issues with understanding how this concept works, don't hesitate to leave a comment below.