This post is part of the series, SmallBusiness.com Guide to Business Computer and Tech Security: Advice, alerts and information about digital security threats faced by small businesses.
Recently, we explored password management services and how they can help provide security against hackers and other cyber criminals who attempt to break into your online business accounts. Some of the most popular online services (popular with users and hackers alike) are now adding another layer of security beyond usernames and passwords. It is called, among other names*, two-step verification.
While the term may sound overly techy and confusing, the concept is something we’re all familiar with, as we’ve used it for decades every time we’ve used an Automatic Teller Machine (ATM). With an ATM, the two-step process to verify that we are the account holder works like this: (1) We insert a physical card and (2) enter a PIN code.
The three types of verification
When talking about multiple-step verification processes, it’s easier to understand if you know what security experts call the different kinds of evidence, or “factors,” used to verify that we are who we say we are. The three most common factors are:
- Knowledge factor – Something only the user knows (e.g., password, PIN, pattern)
- Possession factor – Something only the user has (e.g., ATM card, smart card, mobile phone)
- Inherence factor – Something only the user is (e.g., biometric characteristic, such as a fingerprint)
A two-step verification uses two of these and a multi-step verification can use all three, multiple times.
How Two-step Verification Works With Google, Twitter and Other Online Services
For most of the history of the web, consumer accounts, including banking and other sensitive data, have been secured with a knowledge factor only (a username and password). Certain corporate and governmental agencies have used possession factors in the form of physical devices called “tokens” that can be inserted into a device’s USB port. And the use of fingerprint recognition on newer models of the iPhone points the way to inherence factor security tests.
Recently, however, sites like Google and Twitter have begun to use a mobile phone as a possession factor in much the same way as “tokens” have been used. To log into an account, you must enter (1) your username and password, and (2) a temporary pass-code that is sent via text-message (SMS) after you enter your correct username and password. (Google, however, has some secondary ways, including some “backup codes” if your mobile phone isn’t handy.)
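For readers who want to see what happens on the service's side of this exchange, here is a small Python sketch. It is an example added to this guide, not code from Google, Twitter or any other service; the names TwoStepLogin, CODE_TTL and MAX_TRIES are made up for illustration, and the code is returned to the caller where a real service would text it to your phone.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a texted code stays valid (assumed value)
MAX_TRIES = 3       # wrong guesses allowed per code (assumed value)

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class TwoStepLogin:
    """In-memory sketch; a real service would persist users and send SMS."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw", "backup": set of hashes}
        self.pending = {}   # username -> [code_hash, expires_at, tries_left]

    def enroll(self, user, password, n_backup=3):
        salt = secrets.token_bytes(16)
        backup = [f"{secrets.randbelow(10**8):08d}" for _ in range(n_backup)]
        self.users[user] = {"salt": salt, "pw": _hash(password, salt),
                            "backup": {_hash(b, salt) for b in backup}}
        return backup       # shown to the user once, to print or store offline

    def start_login(self, user, password, now=None):
        """Step 1 (knowledge factor). Returns the code that would be texted."""
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], _hash(password, rec["salt"])):
            return None     # wrong password: no code is ever issued
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [_hash(code, rec["salt"]), now + CODE_TTL, MAX_TRIES]
        return code

    def finish_login(self, user, submitted, now=None):
        """Step 2 (possession factor): texted code or a one-time backup code."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False    # step 1 never succeeded, so there is no step 2
        rec = self.users[user]
        digest = _hash(submitted, rec["salt"])
        ok_code = now <= entry[1] and hmac.compare_digest(entry[0], digest)
        if ok_code or digest in rec["backup"]:
            rec["backup"].discard(digest)   # a used backup code is burned
            del self.pending[user]          # the texted code is single-use too
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[user]          # too many misses: start over
        return False
```

The temporary code is only useful for a few minutes, works once, and is thrown away after a handful of wrong guesses, which is why a stolen password alone is not enough to get in.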
It’s just that easy, but you need to remember…
It’s incredibly easy and fast to use the text-message type of two-step verification. Do what you already do, and merely add a few seconds extra to receive and enter your temporary code. Compared to the expense and hassle of dealing with the aftermath of being hacked, it provides an incredible return on the investment of a few seconds of your time. Note: Remember that you must have your phone or, with Google, a backup code with you when you want to access your account.
Online services with Two-Step Verification
On a related SmallBusiness.com/WIKI entry, we will update this list.
- Apple: How-to
- Charles Schwab: How-to
- Citibank: How-to
- Dropbox: How-to
- Etsy: How-to
- Evernote: How-to
- Facebook: How-to
- GoDaddy: How-to
- Google: How-to
- Mailchimp: How-to
- Microsoft: How-to
- Norton: Info
- Office 365: How-to
- PayPal: How-to
- Social Security: How-to
- Twitter: How-to
- WordPress.com: How-to
*Different names, acronyms and variations of the concept of two-step verification include: multi-factor authentication, two-factor authentication, two-step verification, TFA, T-FA or 2FA
(List of two-step verification sites via: Evan Hahn)