What is two-step login?
Two-step login — known more formally as two-factor authentication — is a mechanism whereby the user needs to present two pieces of information in order to log into a service. Best practice dictates that these two pieces of information represent something you know (formally, a knowledge factor) and something you have (formally, a possession factor).
Lately, it has become common for services to use the following two steps for login:
- Password — something you know
- Text message code — something you have
The problem with this logic is that, strictly speaking, a code you receive via text message isn't something you have. Rather, it is something you are sent, and the delivery of a text message can be intercepted.
That's the bad news.
The good news is that other solutions do exist that are far more secure and don't depend on the delivery of a message to you. Two of the most popular are:
Although the first of these is a mobile app (for iOS and Android) and the second is a small physical device intended to be attached to your key chain, the idea is the same: they generate a new code every 10-20 seconds, and the same code is generated on a Google or RSA server somewhere else. The result is that nothing needs to be delivered to you, which avoids the risk of interception in transit.