What is Two-factor Authentication (2FA)? How does it work? | Fortinet (2024)

Different Types of Two-Factor Authentication

There are several types of 2FA that can be used to further confirm that a user is who they claim to be. Some of the simpler examples include answering security questions and providing one-time codes. Others use various types of tokens and smartphone applications. Common 2FA types include the following:

1. Hardware tokens for 2FA

Hardware tokens are one of the original types of 2FA formats. They are typically small key-fob devices that generate a unique numerical code every 30 seconds. When a user submits their first authentication request, they can head over to the key fob and issue the code it is displaying. Other forms of hardware tokens include universal serial bus (USB) devices that, when inserted into a computer, automatically transfer an authentication code.

An example of this is YubiKey, which is short for ubiquitous key, a security key that enables users to add a second factor of authentication to services like Amazon, Google, Microsoft, and Salesforce. The USB device is used when users log in to a service that supports one-time passwords (OTPs), such as GitHub, Gmail, or WordPress. The user plugs the YubiKey into their USB port, enters their password, clicks the YubiKey field, and touches a button on the device. It generates a 44-character OTP and automatically enters it on the user’s device to verify them with a possession 2FA factor.

Hardware token devices are generally expensive for organizations to distribute. Furthermore, they are easily lost by users and can themselves be cracked by hackers, making them an insecure authentication option.

2. Text message and SMS 2FA

Short message service (SMS) and text message 2FA factors are generated when a user attempts to log in to an application or service. An SMS message will be sent to their mobile device containing a unique code that the user then enters into the application or service. This 2FA factor type has been used by banks and financial services to verify purchases or changes that customers made to their online banking accounts. However, they are generally moving away from this option, given the ease with which text messages can be intercepted.

Similar to the SMS factor is voice call 2FA. When a user enters their login credentials, they will receive a call to their mobile device that tells them the 2FA code they need to enter. This factor is used less frequently but is deployed by organizations in countries that have low smartphone usage levels.

3. Push notifications for 2FA

A more commonly used passwordless two-step authentication format is push notifications. Rather than receiving a code on their mobile device via SMS or voice, which can be hacked, users can instead be sent a push notification to a secure app on the device registered to the authentication system. The notification informs the user of the action that has been requested and alerts them that an authentication attempt has taken place. Then, they simply approve or deny the access request.

This authentication format creates a connection between the app or service the user is attempting to access, the 2FA service provider, the user themselves, and their device. It is user-friendly and reduces the possibility of security risks like phishing, man-in-the-middle (MITM) attacks, social engineering, and unauthorized access attempts.

This authentication format is more secure than SMS or voice calls but still carries risks. For example, it is easy for a user to accidentally confirm an authentication request that has been fraudulently requested by quickly tapping the approve button when the push notification appears.

4. 2FA for mobile devices

Smartphones offer a variety of possibilities for 2FA, enabling companies to use what works best for them. Some devices are capable of recognizing fingerprints. A built-in camera can be used for facial recognition or iris scanning, and the microphone can be used for voice recognition. Smartphones equipped with a Global Positioning System (GPS) can verify location as an additional factor. Voice or SMS may also be used as a channel forout-of-band authentication.

A trusted phone number can be used to receive verification codes by text message or automated phone call. A user has to verify at least one trusted phone number to enroll in 2FA.Apple iOS, Google Android, and Windows 10 all have applications that support 2FA, enabling the phone itself to serve as the physical device to satisfy the possession factor.

Ann Arbor, Michigan-based Duo Security, which was purchased by Cisco in 2018 for $2.35 billion, is a 2FA platform vendor whose product enables customers to use their trusted devices for 2FA. Duo's platform first establishes that a user is trusted before verifying that the mobile device can also be trusted for authenticating the user.

Authenticator applications replace the need to obtain a verification code via text, voice call, or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password—a knowledge factor. Users are then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, an authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, users complete the verification process and prove possession of the correct device—an ownership factor.

Figure 1. Demonstarting SD WAN Use

What is Two-factor Authentication (2FA)? How does it work? | Fortinet (2024)

FAQs

What is Two-factor Authentication (2FA)? How does it work? | Fortinet? ›

Two-factor authentication means that a user has to submit two authentication factors that prove they are who they say they are. It is used when a user logs in to an application or system, adding an extra layer of security to simply logging in with their username and password, which can easily be hacked or stolen.

What is two-factor authentication 2FA and how does it work? ›

Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data. 2FA gives businesses the ability to monitor and help safeguard their most vulnerable information and networks.

What is an example of two-factor authentication 2FA )? ›

Using two different factors like a password and a one-time passcode sent to a mobile phone via SMS is two-factor authentication.

What is the best description of two-factor authentication quizlet? ›

Which of the following best describes what Two Factor Authentication (2FA) is? The first factor is your password, and the second factor is a code sent via text, email, or phone call to approve your password, or your fingerprint/face ID.

What is multi-factor authentication and how does it work? ›

Multi-factor authentication works by requesting multiple forms of ID from the user at the time of account registration. The system stores this ID and user information to verify the user for next login.

Does two-factor authentication really work? ›

When Faced With the Question, Is 2-Step Verification Safe? The answer is a sure yes. However, it is not foolproof. There should be additional measures to further prevent hackers from infiltrating the user's accounts.

What is the difference between two-factor authentication and two-step verification? ›

Differences between 2FA and 2SV

Just like every square is a rectangle, but not every rectangle is a square, every 2FA is 2SV, but not all 2SV is 2FA. The key difference between 2-step verification vs. 2-factor authentication is that 2FA requires two independent forms of authentication from different categories.

How does authenticator work? ›

Some of the most popular apps include Google Authenticator and Microsoft Authenticator. To verify your identity, an authenticator app generates a code called a Time-based One Time Password (TOTP) that you enter along with your username and password when you log into an account. The code is usually six to eight digits.

What are the pros and cons of using two-factor authentication? ›

The Pros And Cons of Two-Factor Authentication
Pros and Cons of 2FA
ProsCons
Flexibility: IT leads can choose which second factors to deploy.Resistance to change: If users are unfamiliar with 2FA, it could feel intrusive.
3 more rows
Aug 1, 2023

Is entering a password twice a two-factor authentication? ›

So, if a service asks the user to enter two passwords instead of one (or, say, a password and the answer to a secret question), this cannot be considered 2FA, since the same method of validation (knowledge) is used twice.

What best describes two-factor authentication? ›

Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something. The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.

What are the factors in two-factor authentication 2FA )? ›

Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

How does 2FA work? ›

Text message and SMS 2FA

An SMS message will be sent to their mobile device containing a unique code that the user then enters into the application or service. This 2FA factor type has been used by banks and financial services to verify purchases or changes that customers made to their online banking accounts.

What is the 2 factor authentication policy? ›

Multi-Factor Authentication (sometimes referred to as two-factor authentication or 2FA) is a security enhancement that allows you to present two pieces of evidence when logging in to an account.

Is two-factor authentication mandatory? ›

As per update from NIC in September 2023, the 2FA is mandatory from 21st August 2023 for taxpayers with annual aggregate turnover more than Rs. 100 crore. Thereafter, it applies to those with annual turnover over Rs.

How do I activate two-factor authentication? ›

Turn on 2-Step Verification
  1. Open your Google Account.
  2. In the navigation panel, select Security.
  3. Under “How you sign in to Google,” select 2-Step Verification. Get started.
  4. Follow the on-screen steps.

Does two-factor authentication protect your account? ›

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. 2FA is implemented to better protect both a user's credentials and the resources the user can access.

What is 2FA for dummies? ›

Two-factor authentication, also known as 2FA, adds an extra layer of security to your online accounts. Rather than just confirming your identity with a simple username and password, you have to provide a second authenticating factor that only you can access.

Does 2FA need internet? ›

Typically, these include something you know (like a password) and something you have (like a code generated by an app). However, 2FA can also work without an internet connection. Flashcalls are one way to do 2FA without an internet connection.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Fr. Dewey Fisher

Last Updated:

Views: 5654

Rating: 4.1 / 5 (62 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Fr. Dewey Fisher

Birthday: 1993-03-26

Address: 917 Hyun Views, Rogahnmouth, KY 91013-8827

Phone: +5938540192553

Job: Administration Developer

Hobby: Embroidery, Horseback riding, Juggling, Urban exploration, Skiing, Cycling, Handball

Introduction: My name is Fr. Dewey Fisher, I am a powerful, open, faithful, combative, spotless, faithful, fair person who loves writing and wants to share my knowledge and understanding with you.