Authentication: Two-Step Verification

So far, I’ve realized the following

  1. I have way too many identities
  2. Password complexity rules are implemented incorrectly
  3. Multi-factor authentication will provide additional authentication security

So let’s look at one of the most basic forms of MFA. Unfortunately, I’ve seen this take on many names:

  • Two-Step Verification
  • Two-Step Authentication
  • One-Time Password

After providing your username and password for certain Web/SaaS-based apps, you are given a screen like the following:


Once you enter this verification code, you are successfully authenticated. From the user's perspective, this is a pretty easy way to implement MFA. However, this is NOT multi-factor authentication.

With 2-step verification, the verification code can either be sent to your phone as an SMS message or to your email.

Let’s think about our authentication factors for an app utilizing 2-step verification.


  1. Password: Something you know
  2. 2-Step Verification (select 1)
    1. SMS: Something you have
    2. Email: Something you know

If the user selects email to receive the verification code, only the “something you know” factor is exercised: the mailbox is itself opened with a password, which is the same factor category used for our initial login. As we know, many users reuse passwords across sites.

Although 2-step verification appears to provide multi-factor authentication, it really only adds a second step to our authentication process, not a second factor.
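The factor analysis above, together with the verification-code step described earlier, as an added example (not code from the original post). It classifies each step of a login flow by the factor category the post assigns to it, reports whether the flow is genuinely multi-factor, and sketches a server-side code store that makes the second step at least safe against guessing and replay: codes are random, stored only as a hash, expire, are single-use, and allow only a few attempts. The step names, the mapping, and the `OneTimeCodeStore` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Factor category behind each step, following the post's own classification.
# Email counts as "something you know" because the mailbox is normally opened
# with just another password (assumed mapping for this example).
FACTOR_OF_STEP = {
    "password": "something you know",
    "sms_code": "something you have",
    "email_code": "something you know",
}


def distinct_factors(steps):
    """Set of factor categories that a sequence of authentication steps draws on."""
    return {FACTOR_OF_STEP[step] for step in steps}


def is_multi_factor(steps):
    """True only when the steps cover at least two different factor categories.
    Two steps that both rest on 'something you know' are two-step, not two-factor."""
    return len(distinct_factors(steps)) >= 2


class OneTimeCodeStore:
    """Server-side record of pending verification codes for the second step.

    Codes are random, short-lived, single-use, stored only as a hash, and
    limited to a few guesses so a six-digit code cannot simply be brute-forced."""

    def __init__(self, ttl_seconds=300, max_attempts=5, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # user -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user):
        """Create a fresh code for the user and return it for delivery (SMS or email)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [self._digest(code), self.clock() + self.ttl, self.max_attempts]
        return code

    def verify(self, user, submitted):
        """Check a submitted code; success, expiry or too many failures clears it."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[user]     # single use: a replayed code fails
            return True
        entry[2] -= 1                   # count the failed guess
        if entry[2] == 0:
            del self._pending[user]     # guesses exhausted: a new code must be issued
        return False

    def has_pending(self, user):
        return user in self._pending


if __name__ == "__main__":
    for flow in (["password", "sms_code"], ["password", "email_code"]):
        print(flow, "->", sorted(distinct_factors(flow)),
              "MFA" if is_multi_factor(flow) else "two-step only")
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("first use:", store.verify("alice", code), "replay:", store.verify("alice", code))
```

Running the block prints that password plus SMS code spans two categories while password plus email code collapses to one, and that a code is accepted once and rejected on replay. Note that the store only hardens the code step itself; it does nothing about the factor problem the post describes, which is decided by the delivery channel, not by the code.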
