Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. This process is done to better protect both the user’s credentials and the resources the user can access. Two-factor authentication provides a higher level of security than authentication methods that depend on single-factor authentication (SFA), in which the user provides only one factor — typically, a password or passcode. Two-factor authentication methods rely on a user providing a password, as well as a second factor, usually either a security token or a biometric factor, such as a fingerprint or facial scan.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online service providers are increasingly using 2FA to protect their users’ credentials from being used by hackers who have stolen a password database or used phishing campaigns to obtain user passwords.
What are authentication factors?
There are several different ways in which someone can be authenticated using more than one authentication method. Currently, most authentication methods rely on knowledge factors, such as a traditional password, while two-factor authentication methods add either a possession factor or an inherence factor.
- A knowledge factor is something the user knows, such as a password, a PIN (personal identification number) or some other type of shared secret.
- A possession factor is something the user has, such as an ID card, a security token, a cellphone, a mobile device or a smartphone app, to approve authentication requests.
- An inherence factor, more commonly called a biometric factor, is something inherent in the user’s physical self. These may be personal attributes mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader. Other commonly used inherence factors include facial and voice recognition.
- A location factor, usually denoted by the location from which an authentication attempt is being made, can be enforced by limiting authentication attempts to specific devices in a particular location or, more commonly, by tracking the geographic source of an authentication attempt based on the source Internet Protocol (IP) address or some other geolocation information, such as Global Positioning System (GPS) data, derived from the user’s mobile phone or other device.
- A time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.
How does two-factor authentication work?
1. The user is prompted to log in by the application or the website.
2. The user enters what they know — usually, username and password. Then, the site’s server finds a match and recognizes the user.
3. For processes that don’t require passwords, the website generates a unique security key for the user. The authentication tool processes the key, and the site’s server validates it.
4. The site then prompts the user to initiate the second login step. Although this step can take a number of forms, users have to prove that they have something only they would have, such as a security token, ID card, smartphone or other mobile device. This is the possession factor.
5. Then, the user enters a one-time code that was generated during step four.
6. After providing both factors, the user is authenticated and granted access to the application or website.
Two-factor authentication for mobile device authentication
Smartphones offer a variety of possibilities for 2FA, enabling companies to use what works best for them. Some devices are capable of recognizing fingerprints, a built-in camera can be used for facial recognition or iris scanning, and the microphone can be used for voice recognition. Smartphones equipped with GPS can verify location as an additional factor. Voice or Short Message Service (SMS) may also be used as a channel for out-of-band authentication.
A trusted phone number can be used to receive verification codes by text message or automated phone call. A user has to verify at least one trusted phone number to enroll in 2FA.
Apple iOS, Google Android and Windows 10 all have apps that support 2FA, enabling the phone itself to serve as the physical device to satisfy the possession factor. Duo Security, based in Ann Arbor, Mich., and purchased by Cisco in 2018 for $2.35 billion, is a 2FA platform vendor whose product enables customers to use their trusted devices for 2FA. Duo’s platform first establishes that a user is trusted before verifying that the mobile device can also be trusted for authenticating the user.
Authenticator apps replace the need to obtain a verification code via text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password — a knowledge factor. Users are then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, an Authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, users complete the verification process and prove possession of the correct device — an ownership factor.
Elements of two-factor authentication
Two-factor authentication is a form of multifactor authentication (MFA). Technically, it is in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn’t constitute 2FA; for example, requiring a password and a shared secret is still considered SFA as they both belong to the same authentication factor type: knowledge.
As far as SFA services go, user ID and password are not the most secure. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords. Passwords require protection from many inside threats, like carelessly stored sticky notes with login credentials, old hard drives and social engineering exploits. Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks.
Given enough time and resources, an attacker can usually breach password-based security systems and steal corporate data, including users’ personal information. Passwords have remained the most common form of SFA because of their low cost, ease of implementation and familiarity. Multiple challenge-response questions can provide more security, depending on how they are implemented, and stand-alone biometric verification methods can also provide a more secure method of SFA.
Why do you need two-factor authentication?
81% of hacking-related breaches occur due to compromised passwords.
Is two-factor authentication secure?
While two-factor authentication does improve security — because the right to access no longer relies solely on the strength of a password — two-factor authentication schemes are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer. One of the most high-profile cases of a compromised two-factor system occurred in 2011 when security company RSA Security reported its SecurID authentication tokens had been hacked.
The account recovery process itself can also be subverted when it is used to defeat two-factor authentication because it often resets a user’s current password and emails a temporary password to allow the user to log in again, bypassing the 2FA process. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.
Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it is vulnerable to numerous attacks. The National Institute of Standards and Technology (NIST) has discouraged the use of SMS in 2FA services in its Special Publication 800-63-3: Digital Identity Guidelines. NIST concluded that one-time passwords (OTPs) sent via SMS are too vulnerable due to mobile phone number portability attacks, such as the Signaling System 7 hack, against the mobile phone network and malware, such as Eurograbber, that can be used to intercept or redirect text messages.
Higher levels of authentication
Most attacks originate from remote internet connections, so 2FA makes these attacks less threatening. Obtaining passwords is not sufficient for access, and it is unlikely an attacker would also be able to obtain the second authentication factor associated with a user account.
However, attackers sometimes break an authentication factor in the physical world. For example, a persistent search of the target premises might yield an employee ID and password in the trash, or in carelessly discarded storage devices containing password databases. However, if additional factors are required for authentication, the attacker would face at least one more obstacle. Because the factors are independent, compromise of one should not lead to the compromise of others.
This is why some high-security environments require a more demanding form of MFA, such as three-factor authentication (3FA), which typically involves possession of a physical token and a password used in conjunction with biometric data, such as fingerprint scans or voiceprints. Factors such as geolocation, type of device and time of day are also being used to help determine whether a user should be authenticated or blocked. Additionally, behavioral biometric identifiers, such as a user’s keystroke length, typing speed and mouse movements, can also be discreetly monitored in real time to provide continuous authentication instead of a single one-off authentication check during login.
The difference between 2FA and MFA
Future of authentication
Relying on passwords as the main method of authentication no longer offers the security or user experience (UX) that users demand. And, even though legacy security tools, such as a password manager and MFA, attempt to deal with the problems of usernames and passwords, they depend on an essentially outdated architecture: the password database.
Consequently, organizations looking to improve security in the future are exploring the use of passwordless authentication technologies to improve UX. Passwordless authentication lets users authenticate themselves in their applications securely, without having to enter passwords. In business, that means employees can access their work without having to enter passwords, and IT still maintains total control across every login.
Biometrics and secure protocols are a couple of examples of passwordless authentication technologies.
Using biometrics as the passwordless authentication method at the user, application and device level can better assure companies that the employees logging in to the systems are who they say they are.
Protocols are another example of passwordless technologies. Protocols are standards that aim to make communication between an identity provider and a service provider easier. An employee who is authenticated to the identity provider is also authenticated into the assigned service providers, without entering a password.
Going passwordless benefits organizations because eliminating the password results in better UX for their employees. Passwordless authentication introduces new ways for employees to easily and securely log in to their work without having to rely on passwords. This eliminates the need for account recovery, requests to reset passwords and the manual password rotation process.