What Is Two Step Verification & How Does It Work?

On World Password Day (May 6, 2021), Google announced that it was automatically rolling out two step verification for its two billion users. But what is two-step verification, and how does two step verification work? Let’s see.

As more websites, apps and games are rolling out two step verification as part of their login processes, we must understand the concept behind this authentication method. Although many people (tech-savvy people and companies like Google included) use the term interchangeably with another authentication method, two factor authentication (2FA), there are conceptual and procedural differences between the two.

When we talk about authentication factors, this term generally refers to three categories of authentication methods:

Something you know (this is a knowledge-based factor — examples include passwords and one-time PINs or OTPs),
Something you have (this is a separate, tangible device such as a USB token or an authentication app you have on your smartphone), and
Something you are (this inherent factor typically refers to biometrics such as your fingerprint, a retinal scan, face ID, etc.)

In this article, we’ll answer the questions “what is two step verification?” and “how does two step verification work?” Part of this discussion will explore how two step verification methods use these authentication factors and how they differ from 2FA.

What Is Two Step Verification? 2SV Defined and Explained

Two step verification, or 2SV, is a method of identity verification in which an authorized user must complete two steps to authenticate successfully. For example, they could type in their account credentials (i.e., their usernames and passwords) but then be required to provide a second secret piece of information (such as a one-time PIN or a code they receive via email) that authenticates them as the legitimate user. Two-step verification takes traditional single-factor authentication and kicks its security up a notch.

Oxford dictionary defines verification as “the act of showing or checking that something is true or accurate.” As such, two step verification is one way to verify your identity in two steps, one in quick succession after the other. If the first step is successful, the system moves ahead for the second step to verify the identity.

Two step verification can either be:

Single factor 2SV — An example of this would be using your username/password as the first step and then an OTP you receive via an SMS text message.
Two factor 2SV — An example of this would be using your username/password combination as the first step and then a second factor (such as a randomly generated code from a cryptographic USB token) as the second step.

The following figure represents two step verification in general terms (we will look at the more technical aspects of 2SV later in the article).

An example of how two step verification works — This graphic is a basic visual representation of single factor, two step verification if you receive the OTP via an SMS message or email.

The above figure is an example of single factor, two step verification process. You complete the first step by entering your username and password. The second step requires verifying your identity by providing a secret code that you receive through your preferred method.

The language surrounding two step verification is a bit tricky as people often use the term interchangeably with two factor authentication in most instances — but there are key differences to know that generally differentiate these terms. We’ll speak more about the differences between these two step verification methods (single factor 2SV and two factor 2SV) here in the next section.

How Does Two Step Verification Work?

In general, two step verification is an authentication process where the user has to enter their username, password, and a verification code that’s generated by the system. The username and password are a part of the knowledge factor. The user must know both pieces of information to pass the first verification step.

The second component of two-step verification requires the user to provide the authentication platform’s second knowledge factor. This secret code is communicated to the user via another communication channel (such as via a SMS text message, email, or an authentication app). They must enter the correct verification code within the stipulated time to gain access to the system. Failing to enter a valid code within the specified time will result in a failed authentication attempt.

According to an article by Paul Moore, an information security researcher, consultant, and founder of Privacy Protocol, there are two types of two-step verification: single factor, two step verification and two factor, two step verification. We touched on this just moments ago, but now let’s explore that more in depth.

Breaking Down Single Factor 2SV and Two Factor 2SV

Two examples of one factor, two step verification methods include receiving a one-time PIN via email or SMS text messages. OTPs and emails are considered additional knowledge factors because they don’t require physical access to a specific device, and they’re not biometrics. That’s because text messages can be intercepted, and you can access email accounts from other devices.

Authenticator apps like Google Authenticator, Microsoft Authenticator, or Authy, or physical devices such as USB tokens and smart cards, can also be used to access a secure system. This method is an example of two factor, two step verification because it requires physical access to a specified device that has the app installed, and that app requires cryptographic processes to generate the code.

Essentially, when two separate authentication factors (i.e., something you know and something you are) are used to secure the system, it becomes two-factor authentication. Therefore, we can say that, in some cases, two factor, two step verification is just another name for two factor authentication.

The following diagram is a visual representation of the two step verification protocol for the security of your system:

A diagram that breaks down two step verification (2SV) and how it works — A flowchart showing how two step verification works. This example is based on a diagram created by Paul Moore.

Two Factor, Two Step Authentication (Two Factor 2SV) vs Two Factor Authentication (2FA)

But how do you know when it’s two factor 2SV or 2FA? Moore describes the delineating factor as one relating to what happens on the backend:

“If the request simply lands and expects a Yes/No, it’s 2SV. If it lands and the device decides, based on some form of crypto actually on the device that the request is valid, that’s 2FA.”

Two step verification as a whole is a straightforward process that provides your business with a much-needed additional layer of security. It can be implemented almost immediately with minimal alterations in the existing systems. However, it’s important to cover two step verification as part of your organization’s employee cyber awareness training. Doing so will help make the transition and usage of this security mechanism easier for your users and more effective for your security.

What Happens If You Lose Your Password?

Whether you follow two-step verification or two-factor authentication, a password will typically be the first step and factor of authentication. A user must remember his username and password to gain access to his account. Usually, users are directed to use longer passwords, a combination of numbers, special characters, upper case, and lower-case alphabets.

Of course, remembering a bunch of unique passwords for different accounts can be challenging. NordPass observed that 80% of the people find password management difficult because they’re juggling many account usernames and passwords. In this scenario, it’s possible that a person might not remember the username and password for a specific account. What would happen if you lost your password?

Well, all the companies want to protect your account from fraudsters. However, they also want you to access your account with ease and efficiency. Most of the websites have a pre-defined process you can follow if you forget your password.

As an example, let’s consider how you reset your password for a Google account:

An example of Google's login screen with "Forgot password?" circled — A screenshot of Google’s login screen option for when you forget your account password.

If you forget your Google password, you might be asked to enter a registered email address or a phone number that can be used to send you a secret code. After you enter this information, you will receive a code generated for this specific purpose. You can enter this code, and you will be asked to set a new password. Your old password will cease to work. The following screenshot shows the code sent to your mobile. You can choose another way to receive the code for verification. You can also resend the code to your mobile device if you didn’t receive it the first time.

A screenshot of Google's Account Recovery tool — A screenshot that illustrates how to reset your Google password using their official Account Recovery reset form.

Some websites also have security questions selected by you. In case you forget your password, you will be asked to answer the security questions. If you answer these questions correctly, you will be permitted to reset your password.

What If You Lose Your Phone That’s Registered as a Second Verification Method?

If you lose your phone or it is stolen, you will not be able to carry out the second step of verification. In such a case, there are other options through which you can access your account. Let’s look at some of these ways using Google’s account recovery options as an example:

You can log in to the computer which is already registered. In two step verification, the registered devices will not be asked to follow the second step for verification. After you gain access to this device, you can change the second step for all other devices.
You can also use the backup security key as the second step of verification. This includes the answers to secret questions.
Google gives you Google prompts to recover your account. Simply follow the steps, and you will be able to reset your security code.
You will receive a verification code on that alternate email address. This process depends on you having a registered recovery email address tied to your account. If you do, then you can enter that code and access your account.
You must remove the lost phone from the trusted device list to secure all your accounts. After that, you can add a new trusted device to replace the stolen/lost phone.

A screenshot of Google's Account Recovery tool with an email verification code prompt — A screenshot of account recovery if you don’t have your mobile phone.

Now that we know what two step verification is and how it works, let’s explore some of the advantages and disadvantages of using it…

The Benefits & Drawbacks of Using Two Step Verification

With the increase in remote working, it has become crucial that the business system is protected appropriately. An employee working in an open environment might be me more susceptible to cyber threat. Two step verification adds another layer of security, meaning that it’s a more secure way to protect your account than using a traditional username and password combination alone. to the layer of security to the good old password. But there are other benefits of using two step verification as well. Let’s have a look at them:

Single Factor 2SV Can Save Time

The principal benefit of two step verification is the user can enroll the device and the location by using two step verification once, and after that, he will not have to use two-step verification on the enrolled device/location. This saves time as the user is not prompted to enter the second factor every time he needs to log in to the system.

Helps You Mitigate IT Security Risks & Reduce Related Downtime

On average, IBM observes that a data breach costs an affected business an average of $3.86 million. It also reports that the average cycle of a data breach was 280 days. On an average, the companies took 207 days identify the breach and further 73 days to contain the breach. That means, the IT systems/data were exposed for 207 days and once identified, it took another two-and-a-half months to contain it. Imagine having your systems exposed for 207 days! It can be catastrophic.

Improving the security of your authentication systems helps you limit your organization’s IT security risks due to credential-based cyber attacks and phishing scams. One way to improve your security is by following two step verification protocol for granting access to authorized users. Therefore, it is evident that two step security can help you maintain the productivity of your business.

Helps You Protect Your Organization’s Reputation

Data breaches are no laughing matter. Varonis conducted a survey of the reputation of companies after facing data breaches, and the numbers are staggering:

65% of the consumers lost trust in the organization following the breach.
80% of the consumers would defect from the business if their data was breached.

Hence, it’s crucial to save your business from any kind of data breach by making your users’ accounts more secure to help limit risk of exposure. Although there are no bulletproof methods to guarantee security, applying two step verification (in addition to the least privilege principle and access controls) can be the first step toward building a more secure future.

Limitations of Two Step Verification

Any method of security will have pitfalls, and thus two step verification also has some. Let’s look at the limitation of applying two step verification method for the security of your business systems.

2SV May Not Help If Your Mobile Device Gets Stolen

If a bad guy gets their hands on your mobile device, they can use it for malicious purposes. If you have access to both verification steps on your phone (e.g., if you’re using your mobile device as a second factor for the two factor, two step verification method), then an attacker could also access your verification methods.

One way around this is to use a separate device for a second factor (such as a cryptographic USB token).

Single Factor 2SV Isn’t As Secure As Two Factor Authentication Method

Two step security is definitely a better security protocol than protecting your system with the help of passwords alone. However, using two-factor authentication is a more secure method for protecting your system than a single factor, two step verification method.

Two factor authentication employs two different types of authentications before granting access. Hence, it is much more secure than two step verification that employs only one type of factor, twice, for authentication.

Final Thoughts on Two Step Verification and How It Works

Since cybercriminals are coming up with new ways to break into our systems, it becomes crucial for the good guys to stay one step ahead. Two step verification is just one way to validate the identity of the person before they can access their account. If you don’t protect what is yours, you might become an easy target for the bad guys as a small business owner.

Implementing 2SV throughout your systems will help you secure your IT systems and your data. But know that other methods offer greater security — such examples include two-factor authentication, multi-factor authentication (MFA), and even passwordless authentication methods (such as using a client authentication certificate).