The idea for this blog post came from a reader just like you. All he did was send me an email asking for my thoughts on two-step verification. If you have any questions you’d like me to answer, or other blog posts you’d like to see, please email me: firstname.lastname@example.org.
Google recently enabled support for 2-step verification for its users’ authentication process. This is a great step forward for online security, and not because it takes longer for you to log in.
We’ve all been told never to use the same password on more than one website. How many people actually do that? Probably about one person out of every thousand. Why? Because it’s too difficult to remember all those passwords.
But re-using passwords adds a significant amount of inherent risk. Sure, many websites store passwords in a hashed form that prevents even the website owners from reading and copying them, but plenty of sites still don’t, and you have no way of knowing what any individual site does on that front. Other people on your network can also see your password in plain text as you log in if the site doesn’t force a secure (HTTPS) connection for its login page. And if you use a simple password (e.g. “123456”), it’s incredibly easy to guess it and log in as you.
What’s more, even if you use a unique password for every website in the world, if you store your passwords in a password manager, or write them down somewhere, it’s possible for someone to find them and pretend to be you.
How does 2-step verification solve this problem? It’s simple. By adding a second factor, a code that changes every time you log in and has to be supplied along with your password, you’re largely no longer vulnerable to those sorts of attacks. Yes, someone could grab your phone and get a verification code, but they’d still need to know your password in order to use it. It may not be a perfect system, but it’s still a whole lot more secure than simple password-based logins.