We knew back in April that two-step verification was coming for PlayStation Network (PSN) accounts, but we didn’t know when.
We’re happy to say that “when” is “now.”
Sony tweeted on Wednesday night that users would be able to activate two-step verification (2SV) on their accounts. The tweet linked to a new security page that explains how it works.
2SV is also known as multi-factor authentication or two-factor authentication (2FA), but Sony has opted for the term 2SV.
If you activate 2SV, you’ll receive codes via SMS that you’ll need to input alongside your password and username.
Whatever you want to call it, it’s a good idea to turn it on as soon as possible.
Yes, 2SV adds a bit of work to logging in. It’s a smidgen less convenient than just having a single login factor, such as a password that rarely changes.
But that smidgen of inconvenience translates into an extra mountain to climb for the crooks.
Given that 2SV entails a login code generated by a special app on your phone – or sent via SMS – a crook not only has to steal your login credentials, but would also need to crack the verification code.
With Sony’s move to turn on 2SV, it’s boosted itself into the club of services that support this extra security step, which now includes…
- 2011: Facebook
- 2012: Dropbox
- 2013: WordPress.com
- 2014: Tumblr
- 2015: iTunes
…and, likely most important of all to Sony, the 2SV club also includes rival Microsoft, which turned on two-step verification more than 3 years ago, including for Xbox Live.
Don’t wait. We suggest you hit pause on whatever game you’re playing and turn on 2SV now!
Bryan
I’m writing a game to simulate all the services that don’t offer 2FA. In the game if you find the CEO of a game’s parent company and ask nicely he turns on 2FA. You beat the game once all your accounts are secured. I don’t want to spoil the ending, but one word:
riveting.
Scott
Don’t forget Amazon on your list of 2FA.
Anonymous
This is not technically two factor authentication as it relies on 3 things from the same factor (something you ‘know’). They would need to add other factors such as something you ‘have’, something you ‘do’, something you ‘are’, etc. to be true multi-factor. However, it is a step in the right direction.
Paul Ducklin
SMS-based authentication is, by definition and by design, not “something you know.” Quite the opposite: the code is a one-time random number generated elsewhere and sent to a different device. You can’t predict it or calculate it in advance. Acquiring the codes via SMS requires “something you have” – the correct SIM card in your phone.
Matt Parkes
It might be worth pointing out the difference between 2SV, 2FA and MFA as it gets confusing for many people. 2 Step verification is the type referred to in this article because PSN are providing the user the ability to set up 2 elements to verify their account, however an SMS message containing a one time code is still “something you know” just like your password hence 2 step verification. 2 Factor Authentication also requires 2 items for verification, the difference being it has to be 1 instance of the 3 possible options: “something you know”, “something you have” and “something you are”. The differentiation can be murky as you could say an SMS code is “something you have” because you do not know it until it is sent to you, however like the majority of people I suspect that users will be logging into services on the same device as they are receiving the SMS so therefore the code becomes “something you know” and the device can be easily lost or stolen and access if not set properly can be obtained by an unauthorised individual. If you are logging onto a service say on your PC, Mac, Tablet etc… which is a different device to that which receives the SMS or if the code generator app being used is on a separate device then it could be considered 2FA (depends on your viewpoint I suppose). Multi Factor Authentication is 2FA but allowing for more than one factor and more than one instance of any of the three factors available.
Paul Ducklin
An SMS code is not “something you know” because it’s a random code used once and sent to a separate device. If you can predict it in advance then something is broken with the system :-)
I accept that if both “factors” rely on the same hardware, such as using the same phone for your SMS messaging as the secure browsing you’re doing, then it’s more like one-and-a-half factor authentication.
Of course, in the case of PSN, the SMS will be going to a separate device so I’d say that calling it 2FA is fine.
SJ
I’m grateful that I did turn on 2FA for my account. A week or two ago, I was woken up at 3am when my cellphone was suddenly hit by 100+ near simultaneous responses sending me randomized confirmation codes. Turned out someone had gotten a hold of my identity for the account and was using a script or something to test it. Promptly went in and changed my password.