What is Two-Step Verification and Why You Should Start Using It


This post is part of the series, SmallBusiness.com Guide to Business Computer and Tech Security: Advice, alerts and information about digital security threats faced by small businesses.

Recently, we explored password management services and how they can help protect your online business accounts against hackers and other cyber criminals. Another measure that some of the most popular online services (popular with users and hackers alike) are adding as a layer of security beyond usernames and passwords is called, among other names*, two-step verification.

While the term may sound overly techy and confusing, the concept is one we’re all familiar with, because we’ve used it for decades every time we’ve used an Automatic Teller Machine (ATM). With an ATM, the two-step process to verify that we are the account holder works like this: (1) we insert a physical card and (2) we enter a PIN code.

The three types of verification

Multiple-step verification is easier to understand if you know what security experts call the different ways, or “factors,” used to verify that we are who we say we are. The three most common factors are:

  • Knowledge factor – Something only the user knows (e.g., password, PIN, pattern)
  • Possession factor – Something only the user has (e.g., ATM card, smart card, mobile phone)
  • Inherence factor – Something only the user is (e.g., a biometric characteristic, such as a fingerprint)

A two-step verification uses two of these and a multi-step verification can use all three, multiple times.

How Two-step Verification Works With Google, Twitter and Other Online Services

For most of the history of the web, consumer accounts, including banking and other sensitive data, have been secured with a knowledge factor only (a username and password). Certain corporate and governmental agencies have used possession factors in the form of physical devices called “tokens” that can be inserted into a device’s USB port. And the use of fingerprint recognition on newer models of the iPhone points the way to inherence-factor security tests.

Recently, however, sites like Google and Twitter have begun to use a mobile phone as a possession factor in much the same way as “tokens” have been used. To log into an account, you must enter (1) your username and password, and (2) a temporary passcode that is sent via text message (SMS) after you enter your correct username and password. (Google, however, offers some secondary methods, including “backup codes,” for when your mobile phone isn’t handy.)
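For readers who want to see what the service does behind the scenes during those two steps, here is a small model of the login flow described above. It is an added example, not code from the original post or from Google or Twitter; the names `TwoStepLogin`, `CODE_TTL` and `MAX_ATTEMPTS`, the five-minute code lifetime and the three-attempt limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300     # assumed: a texted code is valid for five minutes
MAX_ATTEMPTS = 3   # assumed: wrong entries allowed before the login is voided

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoStepLogin:
    """Constructed single-account model: password first, then a texted or backup code."""

    def __init__(self, password, backup_codes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.backup_codes = set(backup_codes)  # each backup code works once
        self.pending = None                    # [code, expiry, attempts_left]

    def step_one(self, password, now=None):
        """Knowledge factor. Returns the code to text to the phone, or None."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # unpredictable six digits
        self.pending = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code  # goes to the SMS gateway only, never back to the browser

    def step_two(self, submitted, now=None):
        """Possession factor. True for a fresh texted code or an unused backup code."""
        now = time.time() if now is None else now
        if self.pending is None:
            return False                       # step one was not passed
        code, expiry, attempts_left = self.pending
        if attempts_left <= 0:
            self.pending = None                # too many wrong entries: start over
            return False
        if submitted in self.backup_codes:
            self.backup_codes.discard(submitted)
            self.pending = None
            return True
        fresh = now <= expiry
        if fresh and hmac.compare_digest(submitted.encode(), code.encode()):
            self.pending = None                # a code cannot be replayed
            return True
        self.pending[2] -= 1
        return False
```

The points to notice are that the code is useless without the password, expires on its own, cannot be reused, and that a backup code is spent the first time it is accepted.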

It’s just that easy, but you need to remember…

It’s incredibly easy and fast to use the text-message type of two-step verification. Do what you already do, and merely add a few extra seconds to receive and enter your temporary code. Compared to the expense and hassle of dealing with the aftermath of being hacked, it provides an incredible return on the investment of a few seconds of your time. Note: Remember that you must have your phone or, with Google, a backup code with you when you want to access your account.

Online services with Two-Step Verification

On a related SmallBusiness.com/WIKI entry, we will update this list.

*Different names, acronyms and variations of the concept of two-step verification include: multi-factor authentication, two-factor authentication, two-step verification, TFA, T-FA or 2FA.

(List of two-step verification sites via: Evan Hahn)

(Illustration: Google)