What is 2FA?
2FA is two-factor authentication and means you are using two of the three standard authentication methods (a password or similar, an authentication token or app, a fingerprint/face or other biometric factor) This provides a more secure access to your account.
What is 2SV?
2SV is two-step verification and means that a two-step process has been implemented to provide secure login, such as first step using a password, then the second step, usually sequentially after the first step, using an SMS verification code or a code via an authentication app or similar.
Amongst others, Google and Microsoft provide authentication apps to enable 2FA access to user’s accounts.
You link your user account to an authenticator app and it then provides a way of logging into your account usually without a password and often using a code or on-screen tap of an Approve button, or similar method. These apps can be used to access your Google and Microsoft account, as well as other popular accounts such as Facebook, Amazon, Evernote, Dropbox etc.
Implementing Authentication Apps
An app or website provider will need to update the way their product handles the login and authentication process, in order to add the option of 2FA via Authentication Apps.
Adding the use of Authentication Apps to an existing app or website is often quite a significant undertaking as it can add a whole extra layer of possible use cases, interactions, outcomes and possible issues.
Testing Authentication Apps
Testing has to include the new workflow – setting up and using the Authentication App to access user accounts – as well as all the existing workflows that may be in use – such as logging in with an email and password, using a social login such as Facebook and any other login methods.
Testing has to establish that the new and existing workflows are correctly implemented so that users can access their accounts via whichever method they want to use.
In addition to this basic functional testing, there are many possible use cases and user scenarios which have to be considered and possibly included in the testing. Some of these are:-
- what happens if user sets up their current smartphone with the authentication app but then buys a new phone and wants to use that new phone instead?
- what if the user no longer wants to use an authentication app and wants to return to their old way of accessing their account?
- what if user wants to use two or more different devices to access their account?
- what if the user’s device is stolen or mislaid?
Also, error testing would have to be factored into the above, to ensure that any errors in the different workflows are handled properly.
Also to consider: App passwords, Recovery codes, Security issues
In some cases, such as for apps or older devices that don’t support 2SV, it might be possible to setup app passwords, which enable you to create a secure password in order to login to a particular app or device.
Recovery codes (or backup codes) allow you to still access your account in the case where you can no longer use your usual method, for example where you’ve lost your mobile device you usually use to access your account.
Security issues have been reported for the use of SMS verification codes, such as ‘Sim swap’ attacks and ‘man in the middle’ attacks, meaning many people no longer use them, preferring to instead use authentication apps such as the above-mentioned.
Post updated 10 July 2019 to add info on 2SV, app passwords, recovery codes and security issues