What Is Two-Step Verification - Why Passwords Alone Are Not Enough

A password relies on a single factor: knowledge. No matter how complex your password is, a single phishing attack can steal it instantly. Two-step verification (2FA) adds a second factor, such as possession or biometrics, so that even if your password is compromised, unauthorized access is blocked.

The three authentication factors are:

  • Knowledge factor: Passwords, PINs, security questions - something you know
  • Possession factor: Smartphones, security keys, smart cards - something you have
  • Biometric factor: Fingerprints, facial recognition, iris scans - something you are

Two-step verification combines two or more of these factors. Strictly speaking, "two-factor authentication (2FA)" and "two-step verification" are distinct concepts, but they are commonly used interchangeably. See also our detailed guide on two-factor authentication.

SMS Verification - Convenient but Vulnerable

SMS verification sends a one-time code (typically 6 digits) to your phone number at login. It requires no additional apps and is easy to deploy, which is why many services adopt it.

However, SMS verification has serious vulnerabilities:

  • SIM swapping: Attackers convince a carrier to transfer the victim's phone number to a new SIM. See our SIM swapping guide for details
  • SS7 protocol vulnerabilities: The SS7 protocol underpinning the telephone network has design flaws that make SMS interception technically feasible
  • Real-time phishing relay: Attackers use fake sites to capture codes from victims and relay them to the legitimate site in real time (Adversary-in-the-Middle)
  • Malware SMS reading: Android malware can abuse SMS read permissions to steal verification codes

NIST classified SMS verification as a "restricted" authenticator in SP 800-63B (2016) and recommends migrating to more secure methods. SMS verification is better than nothing, but it is inadequate for high-security accounts.

Authenticator Apps - How TOTP Works

Authenticator apps generate a new 6-digit code every 30 seconds using the TOTP (Time-based One-Time Password) algorithm. The server and the app share a secret key (seed), and both derive the code from the current time and the secret key via HMAC-SHA1.

The TOTP flow works as follows:

  1. During registration, the server generates a secret key and displays it as a QR code
  2. The authenticator app scans the QR code and stores the secret key locally
  3. At login, the app computes HMAC-SHA1, keyed with the secret key, over the current UNIX time divided into 30-second intervals (the time-step counter)
  4. A portion of the HMAC output is selected and reduced to a 6-digit number (dynamic truncation)
  5. The server performs the same calculation; if the results match, authentication succeeds
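As an added example (not code from the original article), here is the TOTP computation from steps 3 to 5 in Go, checked against the RFC 6238 Appendix B test vectors (ASCII secret 12345678901234567890); the verify function shows the server side with a one-step clock-skew window, a constant-time comparison, and the matched step returned so a server can refuse replay of the same code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const period int64 = 30 // seconds per time step

// totp implements RFC 6238 with the defaults the article describes: HMAC-SHA1 over the
// 8-byte big-endian time-step counter, then dynamic truncation to a 6-digit code.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/period))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low 4 bits of the last byte choose
	// an offset; 4 bytes from there, with the top bit masked, form a 31-bit integer.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1_000_000)
}

// verify is the server side: accept the current step and one step either way to absorb
// clock skew, compare in constant time, and return the matching step so the server can
// store it and refuse a second login with the same code (replay).
func verify(secret []byte, candidate string, now int64) (ok bool, step int64) {
	for _, skew := range []int64{-1, 0, 1} {
		t := now + skew*period
		if subtle.ConstantTimeCompare([]byte(totp(secret, t)), []byte(candidate)) == 1 {
			return true, t / period
		}
	}
	return false, 0
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	fmt.Println(totp(secret, 59))             // 287082: RFC vector 94287082 in 6-digit form
	fmt.Println(totp(secret, time.Now().Unix()))
}
```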

Here is a comparison of major authenticator apps:

App                      | Cloud Sync               | Export             | Open Source
Google Authenticator     | Yes (Google account)     | QR code transfer   | No
Microsoft Authenticator  | Yes (Microsoft account)  | Cloud backup       | No
Authy                    | Yes (encrypted)          | Multi-device sync  | No
Aegis (Android)          | No                       | Encrypted backup   | Yes

Cloud sync is convenient for recovery when you lose a device, but if the synced account is compromised, all TOTP seeds are exposed. For maximum security, choose a local-only app and store encrypted backups separately.

Security Keys - The Strongest Authentication via FIDO2/WebAuthn

Hardware security keys (YubiKey, Google Titan Key, etc.) are authentication devices based on the FIDO2/WebAuthn protocol. They use public-key cryptography, with the private key locked inside the device, making them inherently resistant to phishing and man-in-the-middle attacks.

The WebAuthn authentication flow:

  1. Registration: The security key generates a public-private key pair and sends the public key to the server. The private key remains inside the device and cannot be extracted
  2. Authentication: The server sends a random challenge (nonce)
  3. The security key signs the challenge with the private key and returns the signature
  4. The server verifies the signature with the public key; if it matches, authentication succeeds

The reason security keys resist phishing is that WebAuthn incorporates the origin (domain name) into the authentication process. If the domain of a fake site differs from the legitimate one, the security key refuses to sign. SMS and TOTP lack this mechanism, leaving users vulnerable to entering codes on phishing sites.
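To make the origin binding concrete, here is an added Go simulation (not from the original article or from any WebAuthn library) of steps 2 to 4 as a relying party performs them: the authenticator signs authData || SHA-256(clientDataJSON), and the server checks type, origin, challenge and rpIdHash before verifying the ES256 signature. The relying party bank.example, the fixed challenge string and the simplified authData layout are constructed for the illustration; the browser's credential lookup by RP ID is omitted, and both sides run in one process.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)
// clientData holds the clientDataJSON fields the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the value an ES256 key signs.
func signedDigest(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// authenticatorSign models the security key. The browser, not the web page, fills in the
// origin, so a challenge relayed through a fake site is signed under the fake site's origin.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, cd clientData) ([]byte, []byte, []byte) {
	cdj, _ := json.Marshal(cd)
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags(UP) || signCount=1 (simplified)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdj))
	return cdj, authData, sig
}
// verifyAssertion is the relying-party side: type, origin, challenge and rpIdHash must all
// match before the signature is even checked; any mismatch rejects the login.
func verifyAssertion(pub *ecdsa.PublicKey, origin, rpID, challenge string, cdj, authData, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(authData, cdj), sig)
}
// loginFrom runs one login with the user's browser on browserOrigin against the relying party
// bank.example (constructed names); the challenge is fixed here but random per login in practice.
func loginFrom(browserOrigin string) bool {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const challenge = "constructed-challenge-0001"
	cdj, ad, sig := authenticatorSign(priv, "bank.example", clientData{"webauthn.get", challenge, browserOrigin})
	return verifyAssertion(&priv.PublicKey, "https://bank.example", "bank.example", challenge, cdj, ad, sig)
}
```

loginFrom("https://bank.example") succeeds, while the same assertion produced with the browser on any other origin fails the origin check before the signature is consulted.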

Passkeys are an evolution of FIDO2 that allow smartphone biometrics to serve as a security key. Apple, Google, and Microsoft are all expanding support, and passkeys are expected to become the dominant authentication method.

Setup Steps for Major Services

The setup process varies by service, but the general flow is consistent. Be sure to also strengthen your passwords alongside enabling 2FA.

Google Account

  1. Go to myaccount.google.com and select "Security"
  2. Click "2-Step Verification" and register your phone number (first time only)
  3. Select "Authenticator app" and scan the QR code with your authenticator
  4. To add a security key, click "Add security key" and register your USB key

Apple ID

  1. On iPhone: Settings > your name > "Sign-In & Security" > "Two-Factor Authentication"
  2. Register a trusted phone number (verification codes via SMS or voice call)
  3. iOS 16.3 and later also supports security key registration

Amazon

  1. "Account & Lists" > "Login & security" > "Two-Step Verification Settings"
  2. Scan the authenticator app QR code and enter the displayed code to confirm
  3. Register a phone number as a backup method

Regardless of the service, always save the recovery codes (backup codes) displayed during setup in a secure location. Without them, you will be locked out if you lose your device.

Key Considerations When Enabling Two-Step Verification

Two-step verification is a powerful defense, but there are pitfalls to watch for during setup:

  • Recovery code storage: Print them on paper and store offline, or save them in a password manager's encrypted vault. A smartphone screenshot alone will not survive a device failure
  • Backup method planning: If you use an authenticator app, verify the seed migration process before switching devices
  • Migrating from SMS: Move to an authenticator app or security key whenever possible. If you keep SMS as a fallback, do not rely on it as your primary method
  • Full account coverage: Enable 2FA on all critical accounts - email, cloud storage, social media, and financial services. As a first step, check your current security posture with IP確認さん, which scores your connection security and identifies potential vulnerabilities

For a systematic approach to security, cybersecurity books are an excellent starting point.

Related Glossary Terms

  • Two-Factor Authentication (2FA): A security method that verifies identity by combining two different authentication factors.
  • Phishing: An attack that steals credentials through fake websites or emails. Two-step verification mitigates the damage.
  • Password: A knowledge-based authentication method. Vulnerable on its own, it should always be paired with two-step verification.