Two step login is a security process used by many websites and apps to prevent unauthorized access to online accounts containing sensitive data. Also known as Two Factor Authentication (2FA), Multi Factor Authentication (MFA), or Two Step Verification (2SV), the security process requires you to enter something you know (usually a username and password), and an additional verification code sent to – or generated by – a secondary device.
The objective of two step login is to prevent bad actors accessing accounts with credentials stolen in a data breach, hacked using brute force, or acquired in a phishing attack. One recent compilation of leaked credentials included 8.4 billion stolen passwords – and although many of the passwords will have been changed since they were stolen, there are likely billions of username and password combinations in the compilation that can still be used to access online accounts.
Due to the risk of online accounts being accessed without authorization, many banks and other financial organizations require customers to use two step login in addition to a username and password when logging into an online account – especially when logging in from an unrecognized device or location. Many other organizations provide the opportunity for customers to better protect (for example) email, online shopping, and social media accounts with two step login.
The Different Types of Two Step Login
The most common way in which two step login works is that a customer starts the login process by entering their username and password. The website or app sends a One-Time Passcode (OTP) to the customer's mobile phone via SMS or email, and the customer enters the code in order to access the account. One-Time Passcodes can be “time-based” (TOTPs), which means they only work for a limited time. If they expire, the customer must start the login process again to generate a new TOTP.
While SMS and email two step login is better than no two step login, it's not the most secure option. Bad actors have used SIM hijacking and email phishing to acquire OTP codes and access users' accounts; and – although these events are rare – security experts recommend the use of authenticator apps or authenticator keys for two step login. There is also a small – but growing – number of accounts that support biometric logins using a fingerprint, facial ID, or voice recognition.
Authenticator Apps and Authenticator Keys
Authenticator apps also use TOTPs to grant access to online accounts, but work in a more secure way. When you set up an authenticator app with a website, the website generates a secret key which is saved by the app – usually by scanning a QR code. Then, when you next log into the website, the app generates the TOTP code by combining the secret key generated by the website with the current time. You simply enter the TOTP code displayed on the app.
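The code derivation described above, written out as an added example (not code from this page or from any particular authenticator app). It assumes the RFC 6238 defaults of HMAC-SHA-1, a 30-second time step and 6 digits; the secret is the published RFC test key, used here as constructed sample input, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
# A real secret is random and is what the QR code carries at enrolment.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, step=30, digits=6):
    """Return the code for the time step containing `at` (Unix seconds)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    now = time.time() if at is None else at
    counter = int(now // step)                    # number of steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, step=30, window=1):
    """Server-side check: accept the current step plus/minus `window` steps."""
    now = time.time() if at is None else at
    matched = False
    for drift in range(-window, window + 1):
        moment = now + drift * step
        if moment < 0:
            continue
        expected = totp(secret_b32, moment, step)
        # Constant-time comparison; no early exit, so timing does not reveal
        # which step (if any) matched.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched


if __name__ == "__main__":
    print("code now:", totp(SAMPLE_SECRET))
    print("accepted:", verify(SAMPLE_SECRET, totp(SAMPLE_SECRET)))
```

Both sides compute the same value independently from the shared secret and the clock, so the code never travels to the phone; the `window` parameter is the server's tolerance for clock drift and should stay small.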
Authenticator keys are hardware devices with a unique code built into them. To authenticate your ID, you simply insert the authenticator key into your device (some also work remotely via Bluetooth) and tap a button on the key when prompted by the website. Authenticator keys have multiple advantages over TOTPs sent to – or generated by – a mobile device inasmuch as they are more secure and don't need a network or Wi-Fi connection to function.
Two Step Login is Not Infallible
The fallibility of two step login is not solely attributable to SIM hijacking and email phishing. The fact that you need a secondary device can also be a problem if you lose the secondary device or it fails to work when you need it – for example, if your mobile runs out of battery power. Furthermore, the threat of email phishing can be mitigated by using a password manager such as Bitwarden that matches passwords to URLs so passwords do not auto-fill on phishing sites.
To protect against being unable to access your accounts if you are unable to access your secondary device, websites and apps provide you with a recovery code when you first enable two step login. You should make a copy of your recovery code as soon as you enable two step login because you won't be able to access the code if you are locked out of your account. The unique code is not time-based but is for one time use only and will change with each use.