Two-Step Login: Not Always as Safe as You'd Think

What is two-step login?

Two-step login — known more formally as two-factor authentication — is a mechanism whereby the user needs to present two pieces of information in order to log into a service. Best practice dictates that these two pieces of information represent something you know (formally, a knowledge factor) and something you have (formally, a possession factor). 

Lately, it has become common for services to use the following two steps for login:

  • Password — something you know
  • Text message code — something you have

The problem with this logic is that, strictly speaking, a code that you receive via text message isn't something you have. Rather, it is something you receive, and the delivery of a text message can be intercepted.

That's the bad news.

The good news is that other solutions do exist that are far more secure and don't depend on the delivery of a message to you. Two of the most popular are a mobile app (for iOS and Android) and a small, physical device intended to be attached to your key chain.

Although one is software and the other is hardware, the idea is the same: each generates a new code every 10-20 seconds, and the same code is generated on a Google or RSA server somewhere else. The result is that nothing needs to be delivered to you, thus avoiding the risk of interception.

If you'd like to learn more about this problem and potential solutions, read this article by Andy Greenberg at Wired.