2-Step Verification: Make the Right Tradeoff


People aren’t good at creating strong passwords and remembering them. Far too many people use obvious choices like “password” and “123456.” As a result, criminals can break into accounts and steal information or install malware. Surely there’s a better way.

One way to improve security is to require a second piece of information, in addition to the password. That’s called two-step verification. There are a lot of ways to do this, and people are always devising more. All of them involve a tradeoff. They make it harder for unauthorized people to get in, but it’s also a bit less convenient for authorized users to get in.

The best choice depends on the account’s purpose. For a low-value account, like a discussion board, the extra inconvenience probably isn’t worth it. For one that gives access to bank accounts or government secrets, the safety of the additional step is worth the trouble.

Let’s look at some of the popular methods of getting two-step authentication.

  • SMS confirmation. This is the most popular approach. Most people have cell phones with SMS messaging and carry them around all the time. The messages are relatively secure. Retyping a code isn’t a lot of trouble. Still, people can lose or forget their phones. If they need them to get into their work accounts, employees can be locked out till they get the phone back. SMS confirmation is vulnerable to “smishing” schemes that trick people into giving the code to a third party.
  • Biometric confirmation. A fingerprint or an iris scan can provide confirmation. People lose fingers or eyes less often (fortunately) than they lose phones. The check is even less trouble than entering a code from a text message. However, it isn’t suited for all situations. Users have to log in from hardware that can get the image or fingerprint in a usable form. In practice, this still means they have to remember their phones. Another disadvantage of biometrics is that they aren’t revocable. You can change your password, but you can’t change your fingerprints.
  • Physical authentication keys. A “dongle” that the user plugs into a computer is a good choice for many cases. It’s best suited for important accounts that someone regularly uses, such as work accounts. Dongle authentication is more secure than SMS authentication. It restricts the user to devices with the appropriate connector (usually a USB port) and software. A user could forget to unplug the dongle after leaving, in which case the machine becomes vulnerable.
  • Email. This works like SMS authentication, except that the code is emailed to the user. Since people can check their email from almost anywhere, this is a flexible option. It has huge disadvantages, though. Email is insecure, and it sometimes takes a long time to arrive or gets blocked as spam. Employees are unproductive till they get the confirmation code.
  • Application-based confirmation. Applications like Google Authenticator provide a second authentication step with an application-generated code that has a short lifetime. The application sets up a shared secret with the service in advance, so that the service can recognize a valid code without additional communication from the app. This approach provides a strong level of security. It requires the service to support the application, and the user has to install it. As with some other approaches, users who don’t have their phones with them are stuck.
  • Secret questions. When the user first sets up an account, the system asks for answers to questions like “What is your favorite movie?” or “What was the first school you attended?” There’s hardly anything to say in favor of this approach. The answers to many of these questions can be found with a little social media research. People may not remember what their favorite movie was two years ago. Some people lie to provide better security, but then they have to remember their lies, which effectively are just additional passwords.

A business that wants to improve security should certainly consider two-step verification for its employees and perhaps its customers. Which option is best depends on the situation. Management needs to study the advantages, risks, and inconveniences for each case. How important is safety, weighed against convenience? What problems are likely to arise? Just picking an approach won’t produce the best results. A careful study of the tradeoffs is necessary.