Two-factor vs. two-step authentication - what is the difference?

These expressions get thrown around a lot, but it is not something that should be confused - and here's why.

Unless your password is password1234 and you wrote it on a post-it note and attached it to your monitor, you probably have come across phrases like two-factor or two-step authentication in your quest to make your online logins as secure as you possibly can. These expressions get thrown around a lot, but it is not something that should be confused - and here's why.

 

What is two-factor authentication?


Two-factor authentication refers specifically and exclusively to authentication mechanisms where you have two authentication elements which both fall under different categories like “something you have”, “something you are”, and “something you know”.

 

What is two-step authentication?


Two-step or multi-step authentication requires two physical keys, or two passwords, or two forms of biometric identification is not two-factor. These steps to prevent your data stolen are, of course, necessary, as Gmail's two-step authentication shows. You provide the password you have set (and hopefully memorized), and you also prove a one-time password that is displayed on your phone. As far as security is concerned, however, your phone is not "something you have", but "something you know", since the key to the authentication isn't the device itself, but rather the information that is stored on the device. This, nonetheless, could, in theory, be copied by an attacker without them having to steal anything physical.


Two-factor or multi-factor authentication requires your attacker to engage in two different types of theft in order to impersonate you: first, your knowledge, and second, your physical drive, for example.


Therefore, the type of multi-step authentication that is provided by Google, Facebook or Twitter is still strong enough to thwart most attackers, but from a purist point of view, it technically isn’t multi-factor authentication.


So, what does this mean for the average Jane and Joe? If a service offers either two-step or two-factor authentication, you should definitely enable it, but the bottom line is that being aware of the differences will help you understand how secure your different accounts truly are.

Guides, cheatsheets and tips about the increasingly important role of images in modern web design. Follow me on Twitter and Facebook too, for more handy content!

You might also like
Referral source URLs for Google Images updated
Shardimage.com 1 min read
Google decided to roll out a new referrel URL that is specific to Google Images over the course of the next few months.
PNG paints no gloaming
Shardimage.com 1 min read
As an extension it is commonly used as .png. It is one of the most widely used file formats used for images among jpg and...
PNG or JPG - which one should I use?
Shardimage.com 2 min read
If you take a minute to think about what you are doing and what your needs are, you can easily choose between these (or...