With the rise in both remote work and cyber attacks (like phishing), stronger security controls have become top of mind. The terminology around these things, however, can be confusing at best. This article will help clarify the terms you should know and how they relate to one another.

Two-Factor vs. 2-Step vs. Multi-Factor

Two-Factor/Second-Factor Authentication

There’s often some confusion about this term but, to put it simply, two-factor authentication verifies something you know—usually your username and password—along with either “something you have” or “something you are”.

The something you have could be a number of different things: an OTP (one-time password, typically 6-8 digits) from your authenticator app or a key fob, a push verification done through your smartphone, or a USB security key you plug into your computer. Some people also count one-time codes sent to your phone over SMS or by email as two-factor authentication but, strictly speaking, those are a form of 2-step verification, as I’ll discuss below.

Two-factor authentication might also verify something you are: a biometric—such as your fingerprint or face—using a phone, computer, or external device.

2-Step Verification

The difference between two-factor authentication and 2-step verification is nuanced, as explained in this diagram. For example, one-time codes sent via email or SMS are, strictly speaking, 2-step verification, because receiving those codes isn’t directly tied to something you have: an attacker who gains access to your email account or intercepts the SMS obtains the code too (see below).

Multi-Factor Authentication

Multi-factor authentication simply means verifying multiple (two or more) authentication factors; two-factor authentication is therefore a subset of multi-factor authentication. High-security, real-world apps might require three or more factors and require that they be of different types (“something you know/have/are”).
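As an added example (not code from the original article), here is how the authenticator-app OTP mentioned above is derived from a secret held only on the device (HOTP per RFC 4226, TOTP per RFC 6238), how a server verifies it with a small clock-drift window, and a checker for the “different types” rule from the multi-factor paragraph. The factor-to-category mapping and the function names are my own assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    periods since the Unix epoch. Only a device holding `secret` can compute it."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps to tolerate clock drift. Constant-time comparison so the
    check does not leak how many digits matched."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), candidate)
               for d in range(-window, window + 1))


# Assumed mapping of login methods to the page's factor types. SMS/email codes
# are tagged "step": an extra step that is not tied to something you have.
CATEGORY = {
    "password": "know",
    "totp": "have", "security_key": "have", "push": "have",
    "fingerprint": "are", "face": "are",
    "sms_code": "step", "email_code": "step",
}


def classify(factors: list[str]) -> str:
    """Label a login by how many *distinct* factor types it proves. Two methods
    of the same type (e.g. TOTP plus push) are extra steps, not extra factors."""
    strong_types = {CATEGORY[f] for f in factors} - {"step"}
    if len(strong_types) >= 3:
        return "multi-factor (3+ types)"
    if len(strong_types) == 2:
        return "two-factor"
    if len(factors) >= 2:
        return "2-step verification"
    return "single-factor"
```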


A Quick Reference Guide to Strong Authorization Terminology