What Is Two-Factor Authentication (2FA)?  (2024)

Two-factor authentication (2FA) is a form of multi-factor authentication (MFA), and is also known as two-step authentication or two-step verification. 2FA is a security measure that requires end-users to verify their identities through two types of identifiers to gain access to an application, system, or network.

Think of your most recent login experiences. When you sign in to Netflix, for example, you’re probably asked to simply provide a username and password—a single factor. When you log in to your online banking account, however, you often need to provide a username and password as well as the answer to a security question or an SMS one-time password (OTP). The website asks for two factors in order to verify your identity.

2FA provides an additional layer of protection, securing user identities and preventing organizations’ online resources from being accessed by bad actors. With two-factor authentication, attackers face an additional barrier to access. Even if they know a user’s password, bad actors would still need to spoof a second factor, which can be difficult depending on the type of factor that’s enabled.

In this post, we’ll dive into the details of how 2FA works, how this method of authentication protects users and organizations, and the different types of 2FA available.

How does 2FA work?

Put simply, 2FA confirms a user's identity by requiring two independent authentication factors, each verified on its own, rather than a single credential.

The more distinct these factors are from each other, the more secure the login process will be. There are three main categories of factors to choose from:

  • Knowledge factors: Something the user knows. This can be a password, a PIN, or an answer to a security question.
  • Possession factors: Something the user owns, such as a mobile phone, credit card, or USB token.
  • Inherence factors: Something that uniquely identifies the user. This includes biometrics (for example, a fingerprint or voice) and behavioral identifiers (typing dynamics, etc.).

Why is 2FA important?

A recent report from IBM estimated that a data breach can cost organizations upwards of $3 million, and according to recent research from Symantec, 80% of data breaches can be prevented by 2FA. There are a few reasons why even the most basic 2FA implementation can make a huge impact:

Passwords aren’t perfect, and poor practices are common

Traditionally, organizations have relied on usernames and passwords to authenticate users and provide access to their apps, directories, and resources. But these precautions are not enough to secure the modern workforce.

This is, in part, because users often do not follow password best practices. In 2020, for example, the most commonly exposed passwords were “123456” (used by 2.5 million people worldwide), “123456789,” “picture1,” and “password.” While organizations can minimize these poor behaviors with strong password policies, other offenses aren’t as easy to prevent, like writing down credentials, recycling passwords across accounts, or sharing passwords with others.

Phishing attacks are a prevalent threat

Authentication-based cyber attacks have become increasingly common over the past few years, especially as bad actors have embraced targeting users directly. For example, phishing, a common cyber attack wherein malicious actors send an email that “fishes” for personal information, is one of the top threats facing organizations today; in fact, 36% of all data breaches within the last year involved phishing.

Phishing emails look as if they were sent by legitimate organizations and often encourage users to log in to their bank, social media, or corporate accounts. The email may claim that the user’s account will be deactivated if no action is taken or that their credentials have already been compromised and that a password reset is necessary. Many people fall for the content in these messages and enter their credentials into a malicious form or spoofed website, thereby revealing their password to hackers.

A single hacked account may be just the beginning

Worse still, if the same password or variations of the same password are used for several accounts and apps, the hacker can potentially gain access to them all. Through a technique called credential stuffing, bad actors who acquire one set of credentials will use automated tools to try to hack other accounts using the same password.

And since the average person manages 130 accounts, and password reuse is common, there’s a high chance that the bad actor succeeds in compromising additional profiles. From here, they can harvest sensitive information from within and even sell the compromised credentials on the dark web.

How 2FA helps

2FA addresses all of these problems by making it more difficult for malicious actors to gain unauthorized access, while still delivering the seamless digital experiences that users have come to expect. Even if a bad actor gains access to a user’s password via careless password practices or a phishing attack, the hacker cannot log in to the victim’s accounts due to the second factor.

Common 2FA methods

Now that we’ve discussed how two-factor authentication can boost security and protect against common threats, let’s look at the types of 2FA available for use:

Hardware tokens

Hardware tokens are small devices (like a key fob or USB stick) that produce a new numerical code every 30 seconds. When a user attempts to access their account, they can verify their identity by simply entering the code shown on the device. While this form of two-step verification—one of the oldest methods—seems great in theory, tokens are expensive to distribute, are often lost by users, and can be easy to hack.

SMS OTPs

This form of SMS-based authentication sends a one-time password (OTP) to the user’s mobile device via text message after the user submits their username and password. Once users receive the code, they submit it to the service they’re attempting to access for verification. Various organizations have utilized this factor to verify purchases and other user actions, but many are moving away from it given the security vulnerabilities inherent to SMS.
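The server side of an SMS OTP flow is where most of the security properties live: the code must be unpredictable, short-lived, single-use, and protected against brute-force guessing. The following is an added example written for this page, not code from the original post or from any vendor; the phone numbers and the in-memory `_pending` store are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store for this example: phone number -> pending code
# record. A real service would keep the same fields in a database or cache.
_pending: Dict[str, dict] = {}

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a code is valid for five minutes after issue
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is invalidated


def _digest(code: str) -> str:
    # Store only a hash, so a leaked store does not leak live codes.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_otp(phone: str, now: Optional[float] = None) -> str:
    """Create a fresh random code for `phone`, record its hash, expiry and
    attempt counter, and return the plaintext for the SMS gateway to send."""
    now = time.time() if now is None else now
    # secrets (not random) gives an unpredictable code.
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[phone] = {
        "hash": _digest(code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(phone: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True only for an unexpired, unconsumed code that has not been
    guessed at more than MAX_ATTEMPTS times; the code is consumed on success."""
    now = time.time() if now is None else now
    rec = _pending.get(phone)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[phone]            # expired codes are never accepted
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _pending[phone]            # too many guesses: invalidate the code
        return False
    ok = hmac.compare_digest(rec["hash"], _digest(submitted))
    if ok:
        del _pending[phone]            # single use: consume on success
    return ok
```

Note that none of this protects the code in transit: once it leaves the server as a text message, interception through the carrier or the handset is outside the application's control, which is the weakness the paragraph above refers to.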

Voice OTPs

Voice OTPs work similarly to SMS OTPs. Upon entering their username and password, the user will receive a phone call that delivers the 2FA code verbally. This authentication factor is less common but is often used in countries that have low smartphone usage.

Software tokens

Software tokens require users to download an authenticator app on their smartphone or desktop. When a user logs in to the authenticator application, a temporary software-generated OTP is issued. They then need to share that code with the service they’re attempting to access. Software tokens typically generate and display on the same device, limiting the chances of a hacker intercepting the code.

Push notifications

Instead of sending an OTP, this method sends a push notification to users after they have entered their username and password. The user can then review the details of the login attempt and approve or deny access. This two-step verification process directly connects the app or website, the 2FA service, the user, and their device. It’s a user-friendly option that removes the chance of phishing, unauthorized access attempts, and other threats like man-in-the-middle attacks.

Biometrics

Biometric factors enable users to verify their identity by using something that could only belong to them. Examples include fingerprints, retina scans, facial and voice recognition, or even behavioral identifiers like typing patterns.

Which factors should I use?

When deciding which factors to deploy, there are a few things to consider. First, think about the application or service that needs to be protected. It is especially important that apps containing sensitive personal information be protected by the strongest factors possible. Organizations may even want to consider deploying more than two factors to verify a user’s identity with even more certainty.

Organizations should also think about their users. For instance, senior executives typically have access to more confidential corporate data, and therefore should need to verify their identity with more secure factors more often. On the other hand, contractors and interns are unlikely to have access to critical data and can therefore be verified less frequently.

Solutions like Okta Verify are a good choice because the authentication process takes place on the same device the access is requested from. This significantly reduces the chance of hackers intercepting credentials between the time a user provides a password and enters a 2FA code. Biometric-based authentication is another strong factor that should be considered as an additional security layer for any business-critical app or service.

2FA is good, but adaptive MFA is better

While using two-factor authentication is more secure than passwords, there’s more that organizations can do to secure their applications and networks and verify user identities.

Adaptive Multi-Factor Authentication, for example, gives system admins full control over when, where, and by whom 2FA or MFA needs to be used. IT teams can choose which factors are the best fit for certain users within their organization, drawing on signals from contextual behavior and login patterns to geolocation and proxy detection. Organizations can also create nuanced policies, such as only authenticating logins from managed or known devices. Adaptive MFA provides organizations with secure, seamless access that will delight users.
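The policy ideas in the two passages above (stronger and more frequent verification for executives and sensitive apps, lighter treatment for ordinary users on trusted devices, and rules keyed on geolocation, proxies and device management) can be expressed as an ordered rule set over a login context. The block below is an added example written for this page, not the policy engine of Okta or any other product; the factor method names, the `HOME_COUNTRIES` set and the role and sensitivity labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Assumed method identifiers for this example; a real product has its own.
STRONG_FACTORS: FrozenSet[str] = frozenset({"push", "totp", "hardware_key"})
ALL_FACTORS: FrozenSet[str] = STRONG_FACTORS | frozenset({"sms", "voice"})
HOME_COUNTRIES: FrozenSet[str] = frozenset({"US"})   # assumed for the example


@dataclass(frozen=True)
class LoginContext:
    username: str
    role: str               # "executive", "employee" or "contractor"
    app_sensitivity: str    # "high" or "standard", configured per application
    managed_device: bool    # enrolled in the organization's device management
    known_device: bool      # previously seen for this user
    country: str            # geolocated from the source address
    via_proxy: bool         # anonymizing proxy or VPN detected


@dataclass
class Decision:
    deny: bool = False
    extra_factors: int = 1                         # beyond the password
    allowed_methods: FrozenSet[str] = ALL_FACTORS
    reasons: List[str] = field(default_factory=list)


def evaluate(ctx: LoginContext) -> Decision:
    """Apply ordered rules; the most restrictive applicable outcome wins."""
    d = Decision()

    # Rule 1: high-sensitivity apps are only reachable from managed devices.
    if ctx.app_sensitivity == "high" and not ctx.managed_device:
        d.deny = True
        d.reasons.append("high-sensitivity app requires a managed device")
        return d

    # Rule 2: anonymizing proxies are never trusted; two strong factors.
    if ctx.via_proxy:
        d.extra_factors = 2
        d.allowed_methods = STRONG_FACTORS
        d.reasons.append("anonymizing proxy detected")

    # Rule 3: logins from outside home countries lose the SMS/voice options.
    if ctx.country not in HOME_COUNTRIES:
        d.allowed_methods = STRONG_FACTORS
        d.reasons.append(f"login from {ctx.country}")

    # Rule 4: an unrecognized device keeps the default second factor.
    if not ctx.known_device:
        d.reasons.append("unrecognized device")

    # Rule 5: executives and high-sensitivity apps always get two strong factors.
    if ctx.role == "executive" or ctx.app_sensitivity == "high":
        d.extra_factors = max(d.extra_factors, 2)
        d.allowed_methods = STRONG_FACTORS
        d.reasons.append("privileged user or sensitive application")

    # Rule 6: nothing above fired and the device is managed and known, so an
    # ordinary user on a standard app passes on the password alone.
    if not d.reasons and ctx.managed_device and ctx.known_device:
        d.extra_factors = 0
        d.reasons.append("trusted managed device; step-up skipped")

    return d
```

Keeping the rules ordered and recording a reason for every outcome matters for operations: the reasons become the audit trail that tells an analyst why a given login was denied, stepped up, or waved through.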

For more information about how to verify users, check out our Ultimate Authentication Playbook—or get started with a free trial today.

FAQs

What is the 2FA authentication?

Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data.

What is an example of a 2FA authenticator?

There are several examples of 2FA, but two are especially common. One is sending a code to a user's mobile phone via text message; that code must be entered in addition to the password to log in. Another is using a biometric identifier such as a fingerprint or iris scan.

How do I do two-factor authentication?

Turn on 2-Step Verification
  1. Open your Google Account.
  2. In the navigation panel, select Security.
  3. Under “How you sign in to Google,” select 2-Step Verification, then Get started.
  4. Follow the on-screen steps.

Is 2-factor authentication safe?

2FA can still be vulnerable to several attacks, because a user can accidentally approve a request issued by a hacker without realizing it. This happens when the push notification from the app does not tell the user what is being approved.

What are examples of two-factor authentication?

Using two knowledge factors like a password and a PIN is two-step authentication. Using two different factors like a password and a one-time passcode sent to a mobile phone via SMS is two-factor authentication.

How do I check my 2FA authentication?

Go to the ACCOUNT page. Click the PASSWORD & SECURITY tab. Under the 'TWO-FACTOR AUTHENTICATION' header, you will see the available 2FA options, for example Two-factor Authenticator App: use an authenticator app as your two-factor authentication (2FA).

What is the secret key for two-factor authentication?

The secret key for two-factor authentication (which is a form of multi-factor authentication) is a unique 16-character alphanumeric code that is required during the setup of the PIN-generating tools. The secret key is issued for the first time when you log on to the CommCell environment.

What are the requirements for two-factor authentication?

Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something. The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.

Does Gmail have two-factor authentication?

2-step verification adds an extra layer of security to your Google Account. In addition to your username and password, you'll enter a code that Google will send you via text or voice message upon signing in.

What's the main disadvantage of two-factor authentication?

2FA, and multi-factor authentication as a whole, is a reliable and effective system for blocking unauthorized access. It still, however, has some downsides. These include: Increased login time – users must go through an extra step to log in to an application, adding time to the login process.

Can hackers get around 2-factor authentication?

Most 2FA methods involve sending temporary codes via SMS or emails, but these can be easily intercepted by hackers through account takeover, SIM swapping, and/or MitM attacks. To avoid these vulnerabilities, businesses should use authenticator apps like Google Authenticator or Microsoft Authenticator.

Should I turn off two-factor authentication?

Your account is more secure when you need a password and a verification code to sign in. If you remove this extra layer of security, you will only be asked for a password when you sign in. It might be easier for someone to break into your account.

How do I find my 2FA authenticator code?

Viewing the setup key

While setting up an authenticator app for 2FA you can view the setup key which we automatically generate as a QR code, but which can also be read in plain text by clicking on View setup key. It is sometimes also referred to as a "backup code" or "secret seed code".

What is the 6-digit code for 2FA?

Get 6-digit 2FA tokens from your authenticator app

Depending on the settings you choose when turning on 2FA, you'll need to enter the token every time you log in or only when you log in on a new device or in a new browser. You get the 6-digit token from your authenticator app.

What is a 2FA username and password?

This is perhaps the most common method of implementing 2FA. After the user has successfully entered their username and password, the service sends them a unique token via SMS text message, normally a 5-10 digit code. The user then needs to provide this token before they are granted access.

Author: Jonah Leffler
