What Is Two-Factor Authentication?
Two-factor authentication (2FA) is an authentication method that requires the user to present two different factors, that is, two pieces of evidence drawn from different categories, to access a website, app, or resource.
2FA is a subset of multi-factor authentication (MFA), which requires at least two factors. Organizations use 2FA to add a layer of defence against the common ways passwords are stolen or guessed, such as phishing, social engineering, and brute-force attacks.
Why Is Two-Factor Authentication Necessary?
Data breaches are becoming more frequent and have an alarming impact on businesses around the world, totalling more than $2 trillion in damages annually. As organizations work to secure their infrastructure and digital assets, it is clear that single-factor authentication (and especially password-based authentication) is far from enough. Passwords are easily compromised, partly through poor password hygiene, but also because they are rarely changed, reused across multiple accounts, frequently shared, and often stored in an unsecured location.
Adding a second factor to authenticate users is therefore a baseline requirement in almost every enterprise use case today.
What Threats Does 2FA Address?
Two-factor authentication provides an additional layer of protection against many of the most common types of cyber threats, including:
- Stolen passwords: As noted above, poor password hygiene makes passwords easy to steal. 2FA ensures that a stolen password alone is not enough to take over an account.
- Brute-force attacks (password guessing): Attackers use cheap, readily available computing power to try enormous numbers of candidate passwords until one matches. A second factor means a correctly guessed password is still not sufficient. The second factor itself must also be protected against guessing: a six-digit one-time code has only a million possible values, so the server has to limit failed attempts.
- Phishing: Phishing remains one of the most common, and most effective, means of stealing user credentials. 2FA protects against unauthorized access when the username and password have been captured by a phishing page. One caveat: a one-time code can itself be phished and relayed in real time by a proxy sitting between the user and the real site, so only factors bound to the site's origin, such as FIDO security keys, are fully phishing-resistant.
- Social engineering: Attackers also trick users into handing over their credentials by impersonating colleagues, support staff, or trusted services, increasingly through social networks and messaging platforms. Without the second factor, a password obtained this way does not grant access.
How Does Two-Factor Authentication Work?
The basic 2FA login workflow is familiar to almost everyone by now. Although the details differ depending on the factors used, the basic process is as follows:
- The app/website prompts the user to log in.
- The user supplies the first factor. This is almost always something the user "knows", typically a username and password combination.
- The site/app validates the first factor and then asks the user for the second factor. This is usually something the user "has", such as a one-time code generated by a hardware token or smartphone app, a smart card, or an approval on a registered phone.
- Once the site/app has validated the second factor, the user is granted access.
What Are 2FA Examples?
Authenticators and authentication factors fall into three main categories: something you have, something you know, and something you are. A fourth, somewhere you are, is sometimes added.
- Something you have: A physical access card, a smartphone or other device, a hardware token, or a digital certificate
- Something you know: A PIN code or a password
- Something you are: Biometric data, such as fingerprints or retina scans
- Somewhere you are: The user's location, for example inferred from their network address or device GPS
The classic username and password combination is sometimes described as a rudimentary form of two-factor authentication. It is not: the username is an identifier rather than a secret, and both it and the password fall into the category of "something you know", so the combination counts as a single factor and is correspondingly easier to compromise. Two factors must come from different categories.
The History Of Authenticators/Factors
Hardware tokens are small physical devices that users present to access a resource. They can be connected (e.g. USB tokens and smart cards) or contactless (e.g. Bluetooth tokens), and users carry them with them. One of the first forms of modern 2FA was the RSA SecurID key fob, originally sold by Security Dynamics in the 1980s and later acquired by RSA: a handheld device with a small screen that displayed a code derived from a per-device secret and the current time, which the server recomputed with the same algorithm to validate the holder of the device. The main operational drawback is that hardware tokens can be lost or stolen, so enrolment, revocation, and replacement processes are needed.
As mobile phones became more common, SMS-based 2FA caught on quickly. After entering their username and password, the user receives a one-time passcode (OTP) via text message (SMS). A similar option delivers the OTP by voice call. In both cases the OTP travels over the telephone network and can be intercepted or redirected, for example by SIM-swap fraud against the carrier or by malware on the phone, which is why NIST SP 800-63B classifies authenticators delivered over the public telephone network as "restricted" and why this is a less-than-ideal form of 2FA.
The advent of smartphones and other smart mobile devices has made app-based 2FA very popular. Users install an authenticator app on their device (desktop versions also exist). The app and the server share a secret at enrolment, usually by scanning a QR code, and at login the app computes a "soft token", an OTP derived from that secret and the current time (the TOTP algorithm, RFC 6238), which is displayed on the device and must be typed into the login screen. Since the code is generated on the device and never sent to it, the risk of the OTP being intercepted in transit is removed; the code can still be phished if the user types it into a fake site.
Perhaps the most seamless option from a user perspective, 2FA via push notification does not ask the user to type a soft token. Instead the website or app sends a push notification to the user's registered mobile device; the notification describes the authentication attempt and prompts the user to approve or deny it with a single tap. This method is convenient and resists interception, but it depends on internet connectivity, and a bare approve/deny prompt is vulnerable to "push fatigue" or "MFA bombing", where an attacker who already holds the password sends repeated prompts until the user taps approve. Showing a number on the login screen that the user must enter in the app (number matching) largely closes this gap.
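The soft-token flow described above, together with the login workflow from the "How Does Two-Factor Authentication Work?" section, as an added example that is not from the original article or from any vendor's product: an RFC 6238 TOTP implementation in Python covering the app side (code generation) and the server side (verification with a one-step clock-skew window, replay protection and a failed-attempt limit). The secret, user and clock values are constructed; the RFC 6238 test secret `12345678901234567890` is used so the codes can be checked against the RFC's published vectors. Six digits, 30-second steps and HMAC-SHA1 are assumed, as the common authenticator-app defaults.

```python
"""RFC 6238 TOTP soft token: what the authenticator app computes and how the
server should verify it. Added example for this article, not vendor code.
Secret, user identity and clock values below are constructed for the demo."""
import base64
import hashlib
import hmac
import struct

DIGITS = 6         # assumption: common authenticator-app defaults
STEP = 30          # seconds per time step
WINDOW = 1         # accept one time step of clock skew on either side
MAX_FAILURES = 5   # lock the second factor after this many bad codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. This is the app side."""
    return hotp(secret, unix_time // step)


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret carried in the enrolment QR code (RFC 4648; padding optional)."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server side of the second-factor step; one instance per enrolled user."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest time-step counter already accepted (replay protection)
        self.failures = 0

    def verify(self, code: str, unix_time: int) -> tuple[bool, str]:
        """Return (accepted, reason). Called only after the first factor has been validated."""
        if self.failures >= MAX_FAILURES:
            return False, "locked: too many failed codes"
        if len(code) != DIGITS or not code.isdigit():
            self.failures += 1
            return False, "malformed code"
        base = unix_time // STEP
        for counter in range(base - WINDOW, base + WINDOW + 1):
            # compare_digest keeps the comparison time independent of how many digits match
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter <= self.last_counter:
                    self.failures += 1
                    return False, "replayed code"
                self.last_counter = counter
                self.failures = 0
                return True, "ok"
        self.failures += 1
        return False, "wrong code"


def demo() -> list:
    """Walk through the login workflow with the RFC 6238 test secret at its published test times."""
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # b"12345678901234567890"
    server = TotpVerifier(secret)
    results = []
    # The first factor (username/password) is assumed to have passed; the app now shows a code.
    code = totp(secret, 59)                      # RFC vector 94287082 -> six digits: 287082
    results.append(server.verify(code, 59))      # (True, "ok")
    results.append(server.verify(code, 61))      # same code again: (False, "replayed code")
    results.append(server.verify("000000", 61))  # a guess: (False, "wrong code")
    later = totp(secret, 1111111109)             # RFC vector 07081804 -> 081804
    results.append(server.verify(later, 1111111109 + 20))  # inside the skew window: (True, "ok")
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Run it as a script to see the four results. Two points the prose does not spell out: the window of plus or minus one step is what tolerates phone clock drift, and that same window is why the attempt counter matters (three of the million possible codes are valid at any moment, so unlimited guessing would break the factor). The server must also verify with exactly the secret bytes the app was enrolled with, which is what `secret_from_base32` reconstructs from the QR-code payload.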
The types of authenticators available have evolved to include passwordless options such as FIDO, biometrics, and PKI-based digital credentials for authentication.
2FA vs. MFA: What’s the difference?
Two-factor authentication (2FA) requires users to present exactly two authentication factors, while multi-factor authentication (MFA) requires at least two. This means that all 2FA is MFA, but not all MFA is 2FA. MFA can combine any number and type of authenticators to protect a resource, app, or website, whereas 2FA fixes the count at two. Depending on your organization's needs, 2FA may be the next step in securing your organization while keeping the experience frictionless for end users.
How to choose the right factors for 2FA
The different types of factors that can be used for two-factor authentication have been discussed above. But even within each factor type there are many options to choose from, and new technologies are constantly emerging. How do you choose which factors to use? Here are some questions to help you decide:
- Do you want authentication to be transparent to the user?
- Would you like the user to carry a physical device or authenticate online?
- Do you want the website to also authenticate to the user?
- How sensitive is the information you are protecting and what is the associated risk?
- Is physical access to offices, labs, or other areas part of your user requirements, so that one credential (such as a smart card) could serve both the door and the login?
Entrust offers expert guidance to strengthen your security with high-assurance multi-factor authentication. We support the widest range of 2FA security tokens, allowing you to choose the best option that meets your security needs and use cases. Most importantly, Entrust can provide expert, consultative guidance to help you select the right option(s) and simplify your move to high-security two-factor authentication.
Two-Factor Authentication Use Cases
Two-factor authentication is the most widespread form of multi-factor authentication, which makes it a good fit for use cases where many people must access sensitive data from a variety of devices. For example, 2FA is often used by healthcare apps because it allows doctors and other clinicians to access sensitive patient data on demand, often from personal devices.
Similarly, 2FA in banking and finance apps helps protect account information from phishing and social engineering attacks, while also enabling mobile banking for consumers.
Industries that commonly deploy 2FA:
- Health care
- Retail
- Higher education
- Social networks
- Government/federal institutions