Blog article

Difference Between 2-step Verification, 2-factor Authentication and Multi-factor Authentication (MFA)

Many web services use password authentication. However, because of the various attacks seen in recent years, password authentication alone can no longer guarantee adequate security. "Two-step verification", "two-factor authentication", and "multi-factor authentication (MFA)" are authentication methods that have emerged to strengthen authentication. In this article, I explain the differences between them.

3 factors of authentication

Before getting into the main topic, let me explain the important "3 factors of authentication".

The factors of authentication are roughly divided into three: "Knowledge Information", "Possession Information", and "Inherence Information".

  • Authentication by Knowledge Information: A method of authenticating with information known only to the user, such as a password, PIN, or secret question. Password-based authentication is relatively easy to introduce, but it has disadvantages. There is a risk of unauthorized use through brute-force attacks, which try many passwords, and phishing attacks, which steal passwords. Reusing the same password on multiple sites also risks spreading the damage. For these reasons, authentication using only passwords can no longer guarantee adequate security.

  • Authentication by Possession Information: A method of authenticating with something the user holds, such as an IC card (for example, an employee ID card), a physical security key, or a smartphone. In IC card authentication, the information on the card is read and verified. Security key authentication supports multiple authentication formats (one-time password, FIDO, etc.). With smartphone authentication, the user can authenticate with an app or receive a code by SMS. Although it depends on the form of authentication, the item is not shared the way a password can be, so this is a relatively strong authentication method. However, care is needed because there is a risk of loss or theft.

  • Authentication by Inherence Information: A method of authenticating with the user's physical characteristics, such as fingerprints, face, or veins. With biometrics, there are no passwords to remember and no authentication device to forget, which makes authentication both convenient and secure. However, this method does not authenticate with 100% accuracy. Identification may fail because of changes to the body caused by aging or by injury in an accident. In addition, if biometric information is forged in some way, there is a risk of unauthorized access to the biometric login system.

These are the 3 factors of authentication. The authentication methods described below increase security strength and compensate for the disadvantages of each factor, either by splitting authentication into multiple steps or by combining authentication factors.

Two-step verification

An authentication method that uses one of the three factors of authentication twice, in two separate steps.

A common example: after entering "ID & password (knowledge)", the user enters a "confirmation code (knowledge)" received by e-mail or similar, so that "knowledge information" is authenticated in two steps. With this method, even if a third party breaks the password authentication, they cannot authenticate without knowing the confirmation code. This gives higher security strength than password-only authentication.

Two-factor authentication

An authentication method that combines two different authentication factors out of the three authentication factors of "knowledge information", "possession information", and "inherence information".

A familiar example is ATM authentication. By inserting a "cash card (possession)" into an ATM and entering a "PIN code (knowledge)", two-factor authentication based on possession and knowledge is completed, and you can withdraw money. Web services and applications also implement two-factor authentication by asking for an authentication device after "ID & password" has been entered. Even if one of the two pieces of information is stolen, authentication cannot succeed without both. Compared with the single-factor authentication and two-step verification introduced so far, it is an authentication method with higher security strength.

Multi-factor authentication (MFA)

An authentication method that combines two or more of the three authentication factors of "knowledge information", "possession information" and "inherence information". By this definition, two-factor authentication is also included in multi-factor authentication.

To give a specific example of MFA: when logging in to a web service such as Salesforce with a security key that has biometric authentication, the user enters "ID & password (knowledge)", is then required to present the "security key (possession)", and the "fingerprint (inherence)" is verified to confirm identity. Here, multi-factor authentication is achieved by verifying two or more of the factors "knowledge", "possession", and "inherence". Because authentication involves two or more different factors, it is an authentication method with high security strength.
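
The three definitions above can be applied mechanically when reviewing login flows. The following Python code is an added example, not part of the original article; the names `Factor`, `classify`, `is_mfa`, `audit` and `FLOWS` are hypothetical, and the sample flows are constructed from the article's own examples, using the factor labels the article assigns to each step.

```python
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN, secret question
    POSSESSION = "possession"  # IC card, security key, smartphone
    INHERENCE = "inherence"    # fingerprint, face, veins

# Ordered weakest to strongest, following the article's comparison.
LEVELS = ["single-step", "two-step verification",
          "two-factor authentication", "three-factor authentication"]

def classify(steps):
    """Classify a login flow given as a list of (description, Factor)."""
    if not steps:
        raise ValueError("a login flow needs at least one step")
    distinct = {factor for _, factor in steps}
    if len(distinct) >= 2:
        return LEVELS[len(distinct)]   # 2 -> two-factor, 3 -> three-factor
    # One factor only: repeating it adds steps, not factors.
    # Assumption: more than two steps of one factor is still "two-step".
    return LEVELS[1] if len(steps) >= 2 else LEVELS[0]

def is_mfa(steps):
    """MFA means two or more distinct factors, so it includes 2FA."""
    return len({factor for _, factor in steps}) >= 2

def audit(flows, minimum="two-factor authentication"):
    """Return the names of flows weaker than `minimum`, sorted."""
    floor = LEVELS.index(minimum)
    return sorted(name for name, steps in flows.items()
                  if LEVELS.index(classify(steps)) < floor)

# Constructed sample flows, labelled the way the article labels them.
FLOWS = {
    "password only": [("ID & password", Factor.KNOWLEDGE)],
    "password + e-mail code": [("ID & password", Factor.KNOWLEDGE),
                               ("confirmation code", Factor.KNOWLEDGE)],
    "ATM": [("cash card", Factor.POSSESSION), ("PIN code", Factor.KNOWLEDGE)],
    "biometric security key": [("ID & password", Factor.KNOWLEDGE),
                               ("security key", Factor.POSSESSION),
                               ("fingerprint", Factor.INHERENCE)],
}

if __name__ == "__main__":
    for name, steps in FLOWS.items():
        print(f"{name}: {classify(steps)} (MFA: {is_mfa(steps)})")
    print("below two-factor:", audit(FLOWS))
```
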


Social networking and web services such as Google and Twitter, which are used for both business and private purposes, also offer "multi-factor authentication (MFA)" settings, so we recommend enabling MFA to prevent account hijacking. We also sell security keys used for MFA, which can be purchased from the following site. For a quote, please contact us using the contact form.

YubiKeyShop Authorized Reseller



Thanks for reading until the end.

