Hey guys. Today I’ll be discussing a security feature used by most online platforms (Google, Twitter, Facebook, LinkedIn, PayPal, etc.): Two Step Verification. Two step verification has some advantages when Google uses it for its platforms, but does it have more advantages than disadvantages? It is time to truly find out about Google’s Two step verification security feature!
WHAT TWO STEP VERIFICATION IS ALL ABOUT
Two-step verification is sometimes confused with two-factor authentication (2FA), which also involves two usually sequential methods used for verification. However, in contrast with 2FA processes, the methods in two-step verification can belong to the same category of authentication factors, and the methods used for 2FA aren’t necessarily sequential.
Furthermore, verification and authentication are not completely synonymous. Verification can be part of a real-world process — providing a driver’s license as proof of identity, for example. Authentication is considered an adaptation of verification processes designed to protect automated and online systems. Nevertheless, many two-step verification products and services are also examples of two-factor authentication. Google’s 2-Step Verification service, for example, involves the usual password (something the user knows) and a code sent to the user’s device (something the user has). Most other current web-based user authentication systems described as two-step verification also qualify as two-factor authentication.
WHY TWO STEP VERIFICATION IS NECESSARY
Two step verification, aka two factor verification, is very important.
The default for all user logons, whether local or remote, has always relied on the humble password. In the past this was “good enough” security; however, in the modern connected world in which we work and conduct our business today, the password is now the weakest link. All too often, reports in the media describe passwords that are stolen, either electronically or by social engineering techniques, passwords that are easily guessable, and passwords that can be sniffed or captured by hardware or software keyloggers.
Viruses and malicious code all play their part in trying to obtain a user’s passwords, but the biggest concern is: how do you know that your password has been compromised? All your security logs will show is that a successful logon occurred. As everyone is online most of the time, any of these common actions could put you at risk of having your password stolen:
- Using the same password on more than one site
- Downloading software from the Internet
- Clicking on links in email messages
2-Step Verification can help keep bad guys out, even if they have your password. Imagine losing access to your account and everything in it. For example, when a bad guy steals your password, they could lock you out of your account, and then do some of the following:
- Go through – or even delete – all of your emails, contacts, photos, etc.
- Pretend to be you and send unwanted or harmful emails to your contacts
- Use your account to reset the passwords for your other accounts (banking, shopping, etc.)
How it works
Encryption protects the data in your cloud in case someone steals your cloud password. When the culprit logs into your Google Drive, for example, he will only see gibberish and he will not be able to open any files, due to the encryption. Additionally, your cloud provider and its employees cannot access your data even if they try to, or are forced to by authorities. In case of a breach at the cloud provider you are safe as well. 2SV, on the other hand, protects you from a different threat model. What if someone gets access to your username and password? Then he could access your data. However, if you protect your Google account with 2SV, this is not possible, either. The culprit would need the password, username, and the phone of a user to get inside an account.
With the combination of normal login credentials and 2SV, your business is protected from two of the most common threat models that are often connected: data breaches and user credential theft and misuse.
Signing in to your account will work a little differently
- You’ll enter your password: Whenever you sign in to Google, you’ll enter your password as usual.
- You’ll be asked for something else: Then, a code will be sent to your phone via text, voice call, or our mobile app. Or, if you have a Security Key, you can insert it into your computer’s USB port.
Now, let us take a look at the advantages (pros) and disadvantages (cons) of Two Step Verification. Continue the ride with me below:
Pros of Two Step Verification
The advantages of 2 step verification include:
Reduced Data Theft
According to research by Javelin Strategy & Research, in 2012, 12.6 million people suffered identity theft.
Identity theft has become a serious issue in the last few years. Through ID theft, a thief can use your name to break into your accounts and make huge purchases, leaving a ton of debt for you to pay. 2SV is one of the most effective ways of reducing cyber crimes such as identity theft, hacking and phishing. RBI has already instructed banks and financial institutions to offer 2 factor authentication to customers. Banks including HDFC, Axis Bank and Union Bank have featured 2FA on their online transactions. Customers need to activate it for their online transactions that involve the use of a credit card or debit card. Once activated, the 3D secured payment gateway demands an OTP to complete the transaction, and this unique OTP is sent only to the registered mobile of the user. Since only the user possesses the device, the risks of hackers using your credit card details are reduced.
Since a password is more likely to be lost or forgotten, many people remember them by writing them down, thereby exposing them to hackers. 2FA effectively deals with this problem by providing a unique OTP (one-time password) for every transaction or login attempt. With 2 factor authentication you are less concerned about the first factor (password), as the second factor (OTP) ensures a strong line of defense against fraud and scams.
3. Sign in will require something you know and something you have
With 2-Step Verification, you’ll protect your account with something you know (your password) and something you have (your phone or Security Key).
4. Verification codes made just for you
Codes are uniquely crafted for your account when you need them. If you choose to use verification codes, they will be sent to your phone via text, voice call, or Google’s mobile app. Each code can only be used once.
Which 2SV option should I be using? SMS or App?
That’s up to you! But let me explain the two methods separately. As I mentioned earlier, many sites and services, including Amazon, Dropbox, Google and Microsoft, give you the option of using SMS or an authentication app. Twitter is the biggest example of a site that forces you to use SMS. If you have the choice, use an authentication app. Receiving codes via SMS is less secure than using an authentication app. A hacker could intercept a text message or hijack your phone number by convincing your carrier to transfer it to another device. Or if you sync text messages with your computer, a hacker could gain access to SMS codes by stealing your computer.
An authentication app has the advantage of not needing to rely on your carrier; verification codes are generated on your phone from a shared secret and the current time. The codes expire quickly, usually after 30 or 60 seconds. Since an authentication app doesn’t need your carrier to transmit codes, they will stay with the app even if a hacker manages to move your number to a new phone. An authentication app also works when you don’t have cell service, another bonus.
Using an authentication app, on the other hand, requires a little extra setup but offers better protection than SMS. To set up an authentication app, you will need to install the app on your phone and then set up a shared secret between the app and your accounts. This is usually done by scanning a QR code with your phone’s camera. Once set up, however, an authentication app saves you the step of needing to enter a code; you simply tap on the app’s notifications to log into one of your accounts.
Disadvantages of Google’s Two Step Verification
I don’t know if I would call it a hassle, but 2FA does require an extra step when logging into your accounts. You’ll need to enter your password, wait for a code to arrive via SMS, and then enter that code. Or if you use an authentication app, you’ll need to wait for a notification to arrive that you can then tap to verify it’s you. Let us run through the disadvantages:
- It is stressful.
- Logging in during emergencies is almost impossible.
- It is still not 100% secure as a smart hacker can still intercept the verification code.
- When your phone is not with you, you cannot access your Google account elsewhere.
- In case of network problems, the code would arrive late.
But if you think it is still worth it…
How To Enable Google’s 2SV
Head to Google’s 2-Step Verification page, click the blue Get Started button and sign into your account. You can choose to receive codes via text or a voice call. You can also set up and print backup codes, add a backup phone number and set up Google’s Authenticator app. You can also sign up to use Google prompt, which sends a notification to your phone that you can simply tap instead of having to enter a code.