The list of companies offering two-factor authentication continues to grow - hooray! This weekend WordPress joined the growing ranks of companies offering better protection to their customers by adding the option for people to add a 2nd factor of authentication. It bears mentioning, as you stand poised and ready to put your second authentication step into action, the difference between two-step and two-factor authentication.
As a little reminder, a "factor" in authentication is generally considered to be one of 3 things:
- What you know (a password)
- What you have (a separate device such as a phone or a key fob)
- What you are (a fingerprint, for instance)
WordPress's new option lets you choose from having a code sent through an app or via SMS to your phone. Since you could theoretically be accessing your blog through your phone, this is why it's called "two-step" authentication rather than "two-factor" authentication. This sort of thing blurs the line a bit for being true two-factor authentication, since it does not force you to use a separate device. But them's the breaks when you're dealing with computing "in the cloud" - it would be impractical to send millions of customers a separate dongle, for instance. Customers can use any number of different devices to access Google, Apple ID, or WordPress, from any number of locations. True two-factor authentication is not something we're likely to see in common use for the foreseeable future. But two-step authentication is still a definite improvement over single-step authentication.