What is two-factor authentication (2FA)?
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.
2FA is implemented to better protect both a user's credentials and the resources the user can access. It's typically used as part of a broader effort to prevent data breaches and the potential loss of personal data.
Two-factor authentication provides a higher level of security than authentication methods that depend on single-factor authentication (SFA). With SFA, the user provides only one authenticating factor, typically a password or passcode. Two-factor authentication methods rely on a user providing a password as the first factor and a second factor that's different from the initial factor, usually either a security token or a biometric factor such as a fingerprint or facial scan.
Two-factor authentication adds an extra layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts. Even if the victim's password is hacked, a password alone isn't enough to pass the authentication check.
Two-factor authentication has long been a cybersecurity strategy to manage account security by controlling access to sensitive systems and data. Online service providers are increasingly using 2FA to protect users' credentials from being used by hackers who stole a password database or used phishing attacks to obtain user passwords.
What are authentication factors?
There are several ways in which someone can be authenticated using more than one authentication method. Most authentication methods rely on knowledge factors, such as a traditional password. Two-factor authentication methods add either a possession factor or an inherence factor.
Authentication factors, listed in approximate order of adoption for computing, include the following:
- Knowledge factor. A knowledge factor is something the user knows, such as a password or a personal identification number (PIN).
- Possession factor. A possession factor is something the user has, such as an ID card, a security token, a cellphone, a mobile device or a smartphone app, to approve authentication requests.
- Biometric factor. A biometric factor, also known as an inherence factor, is something inherent in the user's physical self. It might be a personal attribute mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader. Other commonly used inherence factors include facial and voice recognition or behavioral biometrics, such as keystroke dynamics, gait or speech patterns.
- Location factor. A location factor is usually the location from which an authentication attempt is being made. Authentication attempts can be limited to specific devices in a particular location or the geographic source of an authentication attempt can be tracked based on the Internet Protocol address or some other geolocation information, such as Global Positioning System (GPS) data, derived from the user's iPhone, Android phone or other mobile device.
- Time factor. A time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.
Most two-factor authentication methods rely on knowledge, possession and biometric authentication factors. Systems requiring greater security use multifactor authentication (MFA), which relies on additional independent credentials for more secure authentication.
How does two-factor authentication work?
Enabling two-factor authentication varies depending on the specific application or vendor. However, most two-factor authentication processes follow the same general multistep sequence:
1. The user is prompted to log in by the application or the website.
2. The user enters what they know, usually their username and password.
3. The site's server finds a match and recognizes the user.
4. For processes that don't require passwords, the website generates a unique security key for the user. The authentication tool processes the key and the site's server validates it.
5. The site prompts the user to initiate the second login step. Although this step can take several forms, the user must prove that they have something only they would have, such as a biometric feature, security token, credit card, ID card, smartphone or other mobile device. This is the inherence or possession factor.
6. The user might have to enter a one-time passcode that was generated during Step 4.
7. After providing both factors, the user is authenticated and granted access to the application or website.
Elements of two-factor authentication
Two-factor authentication is a form of MFA. Technically, it's in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn't constitute 2FA. For example, requiring a password and a shared secret is still considered SFA as they both belong to the knowledge authentication factor type.
SFA that relies on usernames and passwords isn't the most secure. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords. Passwords require protection from insider threats, such as carelessly stored sticky notes with login credentials and carelessly discarded hard drives. Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks as well as social engineering exploits.
Given enough time and resources, an attacker can usually breach password-based security systems and steal corporate data. Passwords have remained the most common form of SFA on laptops and other devices because of their low cost, ease of implementation and familiarity.
Multiple challenge-response authentication questions can provide more security depending on how they are implemented. Standalone biometric verification methods can also provide a more secure method of SFA.
Adaptive multifactor authentication introduces a gatekeeper element into the process. The authentication system has knowledge of specific characteristics or patterns associated with a specific user. The process of authenticating a user's identity starts when a user interacts with the adaptive authenticator app. The app analyzes the user's known characteristics and behavior -- for example, how many prior access requests have been made or a time-based analysis of when the requests were made -- to determine if a match can be made. Once a match is confirmed, the user proceeds to the next step in the authentication or access process.
Types of two-factor authentication products
There are many different devices and services for implementing 2FA, from tokens to radio frequency identification cards to smartphone apps.
Two-factor authentication products make use of two basic features:
- Tokens that are given to users to use when logging in.
- Infrastructure or software that recognizes and authenticates access for users who are using their tokens correctly.
Authentication tokens can be physical devices, such as key fobs or smart cards, or software, such as mobile or desktop apps that generate PIN codes for authentication. These authentication codes are known as one-time passwords (OTPs). The authentication code is a short sequence linked to a particular device, user or account and can be used only once as part of an authentication process. Servers generate OTPs, and authentication devices or apps are used to recognize them as authentic.
Organizations need to deploy a system to accept, process, and allow or deny access to users authenticating with their tokens. These systems can be deployed in the form of server software or as a dedicated hardware server. Third-party vendors also provide authenticating services.
An important aspect of 2FA is ensuring the authenticated user is given access to all resources they're approved for and only those resources. As a result, one key function of 2FA is linking the authentication system with an organization's authentication data.
Microsoft, for instance, supports 2FA in Windows 10 using Windows Hello, a non-password option for Microsoft accounts. It also authenticates users through Microsoft Active Directory, Azure AD and the Fast IDentity Online 2 authentication protocol.
How 2FA hardware tokens work
Hardware tokens for 2FA are available supporting different approaches to authentication. One popular hardware token is Yubico's YubiKey, a USB device that supports OTPs, public key encryption and authentication, and the Universal 2nd Factor protocol developed by the FIDO Alliance.
When users with a YubiKey log in to an online service that supports OTPs, such as Gmail, GitHub or WordPress, they insert their YubiKey into the USB port of their device, enter their password, click on the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and enters it in the field.
The OTP is a 44-character, single-use password. The first 12 characters are a unique ID that represents the security key registered with the account. The remaining 32 characters contain information that is encrypted using a key known only to the device and Yubico's servers, established during the initial account registration.
The OTP is sent from the online service to Yubico for authentication. Once the OTP is validated, the Yubico authentication server sends back a message confirming that the token is valid for the user, and the 2FA process is complete. The user provided two factors of authentication: the password is the knowledge factor, and the YubiKey is the possession factor.
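The OTP format described above, parsed and checked, as an added example that is not Yubico's code. It assumes Yubico's published layout for the decrypted 16-byte token (private UID, use counter, timestamp, session use, random, CRC-16) and leaves the AES-128 decryption, which needs the per-key secret held by the validation server, outside the block; the sample OTP and plaintext token are constructed.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet, 'c'=0 .. 'v'=15

def modhex_decode(text: str) -> bytes:
    """Decode ModHex, two characters per byte; rejects anything outside the alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not ModHex")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def split_otp(otp: str):
    """Split the 44-character OTP into the 6-byte public ID (first 12 characters), which
    selects the registered key and its AES key, and the 16-byte encrypted token (last 32)."""
    if len(otp) != 44:
        raise ValueError("YubiKey OTP must be 44 ModHex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

def crc16(data: bytes) -> int:
    """CRC-16 used by the token (reflected poly 0x8408, init 0xFFFF, as in RFC 1662)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def check_token(plain: bytes, expected_uid: bytes, last_seen: tuple):
    """Validate a *decrypted* 16-byte token: CRC residual must be 0xF0B8, the private UID
    must match the key's record, and (use counter, session use) must exceed the last
    accepted pair, so a captured OTP cannot be replayed. Returns the new pair or None."""
    if len(plain) != 16 or crc16(plain) != 0xF0B8:
        return None
    uid, ctr, _ts_lo, _ts_hi, use, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    ctr &= 0x7FFF  # top bit of the use counter is a flag, not part of the count
    if uid != expected_uid or (ctr, use) <= last_seen:
        return None
    return (ctr, use)

def make_token(uid: bytes, ctr: int, use: int, rnd: int = 0x1234) -> bytes:
    """Constructed plaintext token, i.e. what the device encrypts with AES-128 before ModHex
    encoding; the CRC field is the inverted register, little-endian, giving residual 0xF0B8."""
    body = uid + struct.pack("<HHBBH", ctr, 0, 0, use, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

# Constructed sample OTP: the 12-character public ID is fixed per key, the rest changes each press.
SAMPLE_OTP = "ccccccbcgujh" + "hknhfjbrjnlnldnhcujvddbikngjrtgh"
```

The validation server looks up the AES key by the public ID, decrypts the remaining 16 bytes and then applies `check_token`; the counter comparison is what makes each OTP single-use.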
Two-factor authentication for mobile devices
A trusted mobile device is one that a specific user controls and regularly uses for transactions requiring secure access. The authentication system knows the device and, with that knowledge, uses it to bypass steps in the authentication process. For instance, a trusted phone number can be used to receive verification codes by text message or automated phone call. A user must verify at least one trusted phone number to enroll in mobile 2FA.
Smartphones offer a variety of 2FA capabilities, enabling companies to use what works best for them. Some devices can recognize fingerprints, use the built-in camera for facial recognition or iris scanning, or use the microphone for voice recognition. Smartphones equipped with GPS can verify location as an additional factor. Voice or Short Message Service (SMS) can also be used as a channel for out-of-band authentication.
Apple iOS, Google Android and Windows 10 all have apps that support 2FA, enabling the phone to serve as the physical device to satisfy the possession factor. Platforms such as Cisco Duo, Okta Multifactor, RSA Security SecurID and YubiKey let customers use their trusted devices for 2FA. They establish that a user is trusted before verifying that the mobile device can also be trusted as an authentication factor.
Authenticator apps replace the need to obtain a verification code using text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password as their knowledge factor. They are then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, an authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, users complete the verification process and prove possession of the correct device, which is their possession factor.
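The login sequence from "How does two-factor authentication work?" and the six-digit, 30-second codes described here, implemented server-side as an added example that is not from the page or any vendor. It assumes an RFC 6238 TOTP authenticator, a hypothetical account record holding a PBKDF2 password hash, and the RFC 6238 test-vector seed as the shared secret.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step)

def match_totp(secret: bytes, submitted: str, at: int, step: int = 30, skew: int = 1):
    """Return the time step the submitted code matches, or None. Accepts `skew` steps
    either side of now to tolerate clock drift; the comparison is constant-time."""
    if not (len(submitted) == 6 and submitted.isdigit()):
        return None
    now = at // step
    for counter in range(max(0, now - skew), now + skew + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None

def login(account: dict, password: str, code: str, at: int) -> bool:
    """Server side of the flow: password (knowledge factor) first, then the authenticator
    code (possession factor). Each time step is accepted once: a matched step at or before
    the last accepted one is refused, so a phished or shoulder-surfed code cannot be replayed."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    if not hmac.compare_digest(derived, account["pw_hash"]):
        return False
    counter = match_totp(account["totp_secret"], code, at)
    if counter is None or counter <= account["last_counter"]:
        return False
    account["last_counter"] = counter
    return True

# Constructed sample account (hypothetical store); the TOTP secret is the RFC 6238 test-vector seed.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",
    "last_counter": -1,
}

if __name__ == "__main__":
    print(totp(ACCOUNT["totp_secret"], 59))               # 287082
    print(login(ACCOUNT, "correct horse", "287082", 59))  # True
```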
Authentication standards
The following are open standard authentication protocols that form the basis for different authentication tools that support 2FA:
- FIDO. The FIDO Alliance developed this open standard, which uses public key cryptography. It's designed to eliminate the need for passwords, replacing them with phishing-resistant passkeys.
- OAuth 2.0. An abbreviation of open authorization, OAuth is an open standard that defines an authorization framework that protects system resources, such as files and applications. It provides authorization for application programming interfaces (APIs). It doesn't support mobile applications.
- OpenID Connect (OIDC). Developed by the OpenID Foundation, OIDC adds layers to the OAuth 2.0 protocol that support authentication and identity management. It also supports mobile applications, APIs and browser-based apps.
- Security Assertion Markup Language (SAML). Developed by the Organization for the Advancement of Structured Information Standards, SAML is an open standard for single sign-on access to browser-based applications such as websites.
Push notifications for 2FA
A push notification is a form of passwordless authentication that verifies a user by sending a notification directly to a secure app on the user's device, alerting the user that an authentication attempt is happening. The user can view details of the authentication attempt and either approve or deny access, typically with a single tap. If the user approves the authentication request, the server receives that request and logs the user in to the web app.
Push notifications authenticate the user by confirming that the device -- usually a mobile device -- registered with the authentication system is in the user's possession. If an attacker compromises the device, the push notifications are also compromised. Push notifications eliminate threats such as unauthorized access, social engineering and man-in-the-middle attacks.
While push notifications are more secure than other forms of authentication, there are security risks. For example, users can accidentally approve a fraudulent authentication request because they are used to tapping approve when they receive push notifications.
Is two-factor authentication secure?
Two-factor authentication improves security, but these systems are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer. One of the most high-profile cases of a compromised two-factor system occurred in 2011 when security company RSA reported its SecurID authentication tokens had been hacked.
The account recovery process in these systems can also be subverted when it's used to defeat two-factor authentication. Recovery processes often reset a user's current password and email a temporary password to enable the user to log in again, bypassing the 2FA process. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.
Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it's vulnerable to numerous attacks. The National Institute of Standards and Technology (NIST) has discouraged the use of SMS in 2FA services in its "Special Publication 800-63-3 (2023): Digital Identity Guidelines." NIST concluded that OTPs sent via SMS text are too vulnerable due to mobile phone number portability attacks, attacks against the mobile phone network and malware that can be used to intercept or redirect text messages.
Future of authentication
Environments that require higher security are starting to use three-factor authentication. It typically involves possession of a physical token and a password used in conjunction with biometric data, such as fingerprint scans or voiceprints. Factors such as geolocation, type of device and time of day are also used to determine whether a user should be authenticated or blocked.
Other authentication factors emerging include behavioral biometric identifiers, such as a user's keystroke length, typing speed and mouse movements. These are discreetly monitored in real time to provide continuous authentication instead of a single one-off authentication check during login.
Relying on passwords as the main method of authentication is common. But it often no longer offers the security or user experience that companies and their users demand. Even though legacy security tools, such as a password manager and MFA, attempt to deal with the problems of usernames and passwords, they depend on an essentially outdated architecture: the password database.
Consequently, many organizations are turning to passwordless authentication. Methods such as biometrics and secure protocols let users securely authenticate themselves in applications without having to enter passwords. For businesses, this means employees can access their work without passwords while IT still maintains control across every login. In addition, blockchain use has brought attention to decentralized identifiers and self-sovereign identity as alternatives to traditional authentication methods.