The Types of Two-Step Verification

Two-step verification is an important feature for keeping accounts safe. However, not all types of two-step verification are equally secure: some provide very little protection against phishing, while others remove phishing as a way into your company's accounts altogether.

SMS-based verification 

SMS-based verification works by sending a short-lived one-time code to the phone number associated with the account.

It is considered the weakest form of two-step verification, yet it remains the most popular. SMS codes do stop credential stuffing and password guessing, since the attacker does not hold the phone, but a determined attacker can still phish the account: a fake login page that forwards the victim's password and the freshly received code to the real service succeeds as long as it does so within the code's expiration period.

Delivering codes over SMS also exposes them to weaknesses of the mobile network itself. In 2017, attackers exploited the SS7 signalling protocol to intercept SMS messages and withdraw large sums from German bank accounts. A phone number can also be moved to a different SIM card, either by physically replacing the card or by having the carrier transfer the number remotely; attackers routinely obtain such transfers (SIM swapping) by impersonating the victim to the carrier with leaked personal data.

Finally, SMS codes are only as secure as the phone that receives them. A rogue application that abuses the Android accessibility API or the SMS permissions can read your messages as they arrive.

App-Based Verification 

App-based verification is a clear step up from SMS in both practicality and security. Here the second step is a mobile app that either generates time-based one-time codes from a secret shared with the service at enrollment, or receives a push notification asking the user to approve the login. Code-generating apps need no mobile network or Internet connectivity at all (push notifications do need a data connection), and neither variant requires a company-issued phone number.

Security-wise, nothing is sent over the mobile network, so SS7 interception and SIM swapping do not apply, and the app's secret sits in the phone's encrypted storage.

But just like SMS codes, app-generated codes and push prompts can still be phished: a relayed code is accepted until its time step expires, and users can be talked into approving a push prompt for a login the attacker initiated. Rogue applications on the phone can likewise capture the codes.

Disconnected Hardware Token 

Disconnected hardware tokens are dedicated devices with the sole purpose of generating one-time codes.  

Unlike mobile phones, they cannot be spied on by apps and are much harder to compromise in general. They often use tamper-resistant hardware, which makes them very difficult to clone.

However, the codes they produce can be phished just like app-generated ones, and unlike phones they usually offer no protection (no PIN or lock screen) if the token is stolen.

Connected hardware token 

Connected hardware tokens (security keys) are plugged into, or tapped against, a computer or phone and automatically answer a challenge from the service.

The answer is a signature that is cryptographically bound to the website the browser is actually on, so even if a phishing site convinces the user to connect their token, whatever the token produces is useless against the real service. The private key never leaves the token, so plugging it into a compromised computer does not expose it either. These properties effectively eliminate the risk of phishing: Google reported no successful phishing of its employees after requiring connected hardware tokens. Tamper-resistant hardware also makes the tokens very expensive to clone.
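
The origin binding described above, as an added example that is not part of the original article: a small stdlib-only model of the WebAuthn assertion flow between a browser, a security key and a service. A Lamport one-time signature stands in for the ECDSA key a real security key holds so that no third-party library is needed, the hostnames are invented, and the classes are simplified (no signature counter, no user verification).

```python
"""Added example, not code from the original article: a stdlib-only model of
why a connected token's response is useless to a phishing site. The message
layout follows a WebAuthn assertion (rpIdHash || flags, plus the hash of the
client data the browser fills in); browser, token and service are plain Python
classes, hostnames are made up, and a Lamport one-time signature stands in for
the ECDSA key a real token holds."""
import hashlib
import json
import os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature (toy stand-in for ECDSA, no third-party library): the
# private key is 256 random pairs, the public key their hashes; sign once per key.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(sha256(a), sha256(b)) for a, b in sk]

def lamport_sign(sk, msg: bytes):
    bits = int.from_bytes(sha256(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    bits = int.from_bytes(sha256(msg), "big")
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

class Token:
    """Private keys never leave the token; each credential is scoped to one RP ID."""
    def __init__(self):
        self.creds = {}                  # rp_id -> private key

    def make_credential(self, rp_id: str):
        sk, pk = lamport_keygen()
        self.creds[rp_id] = sk
        return pk                        # only the public key goes to the service

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.creds:
            return None                  # nothing registered for this site: refuse
        auth_data = sha256(rp_id.encode()) + b"\x01"       # rpIdHash || flags (UP)
        return auth_data, lamport_sign(self.creds[rp_id], auth_data + client_data_hash)

class Browser:
    """Sets the origin itself; a page may only use its own host or a parent domain as RP ID."""
    def __init__(self, token: Token):
        self.token = token

    def get(self, origin: str, rp_id: str, challenge: bytes):
        host = origin.split("://", 1)[1]
        if host != rp_id and not host.endswith("." + rp_id):
            return None                  # browser refuses the request outright
        client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                                  "challenge": challenge.hex()}).encode()
        result = self.token.get_assertion(rp_id, sha256(client_data))
        return None if result is None else (client_data,) + result

class Service:
    """The relying party: holds public keys only, never the token's secrets."""
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.pubkeys, self.pending = rp_id, origin, {}, set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, user: str, response) -> bool:
        if response is None:
            return False
        client_data, auth_data, sig = response
        cd = json.loads(client_data)
        challenge = bytes.fromhex(cd["challenge"])
        if (cd["type"] != "webauthn.get" or cd["origin"] != self.origin    # wrong site
                or challenge not in self.pending                           # stale/unknown
                or auth_data[:32] != sha256(self.rp_id.encode())           # other RP ID
                or not lamport_verify(self.pubkeys[user],
                                      auth_data + sha256(client_data), sig)):
            return False
        self.pending.discard(challenge)                                    # single use
        return True

def demo() -> dict:
    token, bank = Token(), Service("bank.example", "https://bank.example")
    browser = Browser(token)
    bank.pubkeys["alice"] = token.make_credential("bank.example")
    # 1. Legitimate login, then the same captured response replayed.
    c1 = bank.new_challenge()
    response = browser.get("https://bank.example", "bank.example", c1)
    legit, replay = bank.verify("alice", response), bank.verify("alice", response)
    # 2. Phishing page relaying the bank's real challenge: the browser scopes the
    #    request to the origin it shows, and the token has no credential for it.
    c2 = bank.new_challenge()
    evil = "https://bank-login.evil.example"
    phish = bank.verify("alice", browser.get(evil, "bank-login.evil.example", c2))
    # 3. Nor can the attacker's page name the bank's RP ID from its own origin.
    forged = bank.verify("alice", browser.get(evil, "bank.example", c2))
    return {"legit": legit, "replay": replay, "phish": phish, "forged_rp_id": forged}
```

Calling `demo()` returns `legit` True and the other three False: the captured response cannot be replayed because the challenge is single-use, and the phishing page never obtains a signature at all, because the browser scopes the request to the origin it is actually displaying and the token holds no credential for that origin. Even if it did, the service would reject the result, since the origin in the client data and the RP ID hash in the signed data would both name the wrong site.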

Apart from security, a main advantage of connected tokens is ease of use: there are no codes to type and no batteries to worry about.

The drawbacks are the lack of protection if a token is stolen, limited support across services and devices, and higher initial cost.

When protecting high-value accounts, choosing the right two-step verification method is crucial to defend against phishing, credential stuffing and brute-force attacks. SMS-based methods are discouraged, and experts recommend connected hardware tokens wherever they are supported.