a good thing!
Cybersecurity sometimes feels like an endless game of cat and mouse, with hackers and companies battling over access to your business systems and the sensitive data you store, including your users’ identity information and passwords. From online banking apps to digitized school records, more and more enterprises are securing access by implementing 2-factor authentication of users instead of relying on a simple password.
Let’s explore 2-factor authentication in more detail, including a close look at how it works and the value it provides for users and companies alike.
Two-factor authentication (2FA) refers to the dual verification of a user’s identity at the point of sign on, involving two unique steps during which a user presents credentials. You may know it as dual-factor authentication or as adding a verification code. It adds an additional layer of security to protect a user's account from hackers who may have guessed their password or otherwise stolen their primary credentials.
Typically, two-factor authentication involves the user providing a password and then a second authentication factor, such as a fingerprint, a physical token or card, or a one-time passcode (OTP) sent to their phone. It's a process that's put in place to protect sensitive data and ensures that simply possessing a password isn't enough to gain access.
It's valuable for both customers and workforce users because it protects an individual's data and ensures that employees are able to access the company resources they need to get their jobs done. Using 2FA rather than single-factor authentication (SFA) is table stakes for authentication in today’s environment: it materially increases the attacker’s effort, and accounts protected by 2FA are compromised far less often than those protected by a password alone.
There are several authentication factors, and they fall into three main categories:
Knowledge: This is something that the user knows, including a PIN (personal identification number), password or answers to security questions.
Possession: This is something that belongs to the user, including security tokens, an ID card or their mobile phone, which can approve authentication requests sent by an app.
Biometric: This is something inherent to the user themselves, usually a biometric factor like a fingerprint, facial recognition or voice authentication.
It’s important to remember that two-factor authentication relies on two authentication factors from different categories, such as one knowledge factor and one possession factor. Using separate factors from the same category (e.g., two passwords, or a password and an answer to a secret question) doesn't meet the definition of 2-factor authentication, since both are from the same family of authentication types. Many authentication processes depend on a knowledge factor, such as a password. In that case, two-factor authentication then adds in either a possession factor or a biometric factor.
An enterprise can choose to combine authentication factors in a way that makes sense for their needs. For example, a mobile app developer might require a password and a fingerprint, since users will be accessing the app on their personal phones. A developer creating workforce applications that are accessed via a computer, on the other hand, may choose different factors.
Companies may also add risk or contextual “factors” to their authentication flows, to better understand the risks associated with each authentication and step up security or step down access when the risk is high. These are not credentials that the user presents to verify their identity, but rather contextual information like location, time of day, or even typical behavioral patterns that indicate to the authentication system that access should be allowed, blocked or scrutinized more closely.
For example, if a user has already authenticated recently from the same spot, that could be a signal that their current request for access is low-risk. If a user’s device is located in a foreign country and they are signing on at an unusual time, it could be an indication that something fishy is going on. The system can then block access, even if they have the right password.
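The contextual signals described above can be turned into a simple risk score that decides whether to allow the sign-in, step up to a second factor, or block it outright. The following is an added example written for this article, not code from the original page or from any vendor; the user history, the country and device values, the score weights and the thresholds are all constructed for illustration.

```python
"""Contextual risk scoring for a sign-in attempt (added example, not the article's code).

Constructed assumptions: a small in-memory record of each user's prior successful
sign-ins, and a fixed policy that maps a risk score to one of three decisions:
"allow", "step_up" (require a second factor) or "block".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class LoginContext:
    user: str
    country: str      # two-letter country code reported for the device
    device_id: str    # identifier of the device making the request
    when: datetime    # timezone-aware UTC timestamp of the request


# Constructed sample history: the last successful sign-ins we have on record.
HISTORY: Dict[str, List[LoginContext]] = {
    "alice": [
        LoginContext("alice", "US", "laptop-1", datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc)),
        LoginContext("alice", "US", "laptop-1", datetime(2024, 5, 2, 8, 55, tzinfo=timezone.utc)),
    ],
}


def risk_score(ctx: LoginContext, history: Dict[str, List[LoginContext]]) -> int:
    """Return an integer risk score for the attempt; higher means more suspicious."""
    prior = history.get(ctx.user, [])
    if not prior:
        return 50  # no baseline for this user: always require the second factor

    score = 0
    # Unfamiliar location and unfamiliar device each add risk.
    if ctx.country not in {p.country for p in prior}:
        score += 40
    if ctx.device_id not in {p.device_id for p in prior}:
        score += 30
    # A sign-in more than two hours away from every previous sign-in hour is unusual.
    if all(abs(ctx.when.hour - p.when.hour) > 2 for p in prior):
        score += 20
    # A recent sign-in from the same place and device lowers risk.
    latest = max(prior, key=lambda p: p.when)
    if (latest.country == ctx.country and latest.device_id == ctx.device_id
            and ctx.when - latest.when < timedelta(hours=12)):
        score -= 20
    return max(score, 0)


def decide(score: int) -> str:
    """Map a risk score to an access decision (thresholds are constructed policy values)."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"


def evaluate(ctx: LoginContext, history: Dict[str, List[LoginContext]] = HISTORY) -> str:
    """Full contextual check: score the attempt, then apply the policy."""
    return decide(risk_score(ctx, history))


if __name__ == "__main__":
    attempt = LoginContext("alice", "FR", "phone-9", datetime(2024, 5, 3, 3, 0, tzinfo=timezone.utc))
    print(evaluate(attempt))  # unknown country, unknown device, unusual hour -> block
```

Note that the score is evaluated in addition to, not instead of, the credential checks: a "block" decision denies access even when the password and second factor are correct, which is exactly the case the paragraph above describes.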
It’s worth noting that 2FA is a subset of multi-factor authentication (MFA), which involves two or more factors. If more than two factors are needed for added security, MFA offers the potential for another step of authentication.
Two-factor authentication is fairly straightforward, although the factors themselves will vary according to the application. Here's a typical example of how it works:
The user logs into the software or website, often by entering a username and password.
The identity service verifies the user’s credentials based on an entry in the company’s identity directory, created when the user registered for an account or an employee onboarded with the company.
If required, the identity service then prompts the second log-in step, like a security token or their fingerprint.
The user will then provide the required second factor.
Once both factors are entered, the user is verified and has access to the application.
There are a few different ways that companies can set up 2-factor authentication for customers, employees or both.
A popular 2FA setup is two-factor authentication based on mobile device capabilities, such as a smartphone’s fingerprint reader, camera for facial recognition or scanning, or microphone for voice recognition. In addition, the GPS in smartphones can also be used for location verification.
Mobile phones can house third-party authentication apps like Google Authenticator. Android, iOS and Windows 10 all have a library of apps that support 2FA; when the user logs in, the authenticator app generates a unique code, valid for a set period of time, which the user then enters into the login screen of the service they are signing into to complete the verification process.
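The following is an added example that ties together the sign-in steps listed above (password verified first, then the second factor prompted and checked) with the time-limited codes an authenticator app produces. It is written for this article and is not code from the original page, from Google Authenticator or from any other product. The codes follow the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with a 30-second step and six digits, which is what common authenticator apps use; the user record, the `login` function, the PBKDF2 parameters and the sample credentials are constructed assumptions for the illustration.

```python
"""Password plus time-based one-time passcode (TOTP) sign-in flow (added example).

Not the article's code. Implements RFC 4226 HOTP and RFC 6238 TOTP from the standard
library only; the user record, enrollment and login helpers are constructed for
illustration of the two-step flow described in the article.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 30   # each code is valid for one 30-second time step
DIGITS = 6          # six-digit codes, as shown by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, last_used_step: int, window: int = 1) -> Optional[int]:
    """Return the time step the code matched, or None if it is invalid.

    Accepts codes from `window` steps on either side to tolerate clock drift, but
    refuses any step at or before `last_used_step` so a captured code cannot be replayed.
    """
    current = at // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash (constructed parameters: PBKDF2-SHA256, 200k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class UserRecord:
    """Constructed directory entry: what the identity service stores for one user."""
    salt: bytes
    password_hash: bytes
    totp_secret: bytes          # shared with the authenticator app at enrollment
    last_used_step: int = -1    # highest TOTP step already accepted for this user


def enroll(password: str) -> UserRecord:
    """Create a user record with a fresh salt and a fresh 160-bit TOTP secret."""
    salt = secrets.token_bytes(16)
    return UserRecord(salt, hash_password(password, salt), secrets.token_bytes(20))


def login(user: UserRecord, password: str, code: str, at: Optional[int] = None) -> str:
    """The two-step flow: knowledge factor first, then the possession factor."""
    at = int(time.time()) if at is None else at
    # Step 1: verify the password with a constant-time comparison of the derived hash.
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return "denied"
    # Step 2: only after the password succeeds, check the one-time code from the app.
    matched = verify_totp(user.totp_secret, code, at, user.last_used_step)
    if matched is None:
        return "denied"
    user.last_used_step = matched   # remember the step so the same code cannot be reused
    return "granted"


if __name__ == "__main__":
    user = enroll("correct horse battery staple")
    now = int(time.time())
    print(login(user, "correct horse battery staple", totp(user.totp_secret, now), now))
```

Two design points worth noting: the code is checked with `hmac.compare_digest` rather than `==` so that timing does not leak how many digits matched, and the last accepted time step is recorded per user, which is what keeps a code that was phished or shoulder-surfed from being replayed within its validity window.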
Some businesses make authentication both easier and more secure for customers by enabling 2FA from their own custom mobile application that the customer is likely to be already using. This allows them to send push notifications to the user’s phone without making them download a whole separate app. Adding a trusted device can be done in a few easy steps so customers can quickly start utilizing this capability. Or, users can receive authentication codes via SMS text messages or phone calls, although SMS is notoriously insecure as SMS messages are vulnerable to being intercepted by malicious third parties.
For workforce 2FA, a company will usually use a cloud-based service or install software that enables 2FA across all their business applications, or alongside their single sign-on system to further protect the single point of access. This software often makes use of employee mobile devices for authentication via mobile push notifications or SMS one-time passcodes, but may also enable other types of authentication factors.
One of these factors, more common for workforce use cases than customer use cases, is tokens. Authentication tokens are typically given to an employee when they join a company, and they use the token to verify their identity whenever they need to log in. These tokens can consist of physical devices, like a smart ID card, key fob or other small, programmable item, or they can be virtual tokens that are generated by the software itself. These take the form of one-time access codes or PINs that act as one of the authentication factors. These are usually generated once each log-in session, and, since they're a one-time use token, they’re much harder for hackers to access or duplicate.
There are many examples of two-factor authentication in action—but bear in mind that two-factor authentication involves using two factors, not two credentials of the same category of factors. For instance:
During ATM withdrawals, the user has their ATM card from the bank (possession or ownership factor) and then enters their PIN (knowledge factor).
A user-set password (knowledge) combined with an authenticator (a token or smartphone) that the user possesses, which has a one-time code sent to it.
Fingerprint log-in for smartphone apps. The user enters their username and password (knowledge) and then their fingerprint (biometric factor).
Essentially, two-factor authentication uses exclusively two factors to authenticate a user, while multi-factor authentication involves two or more. MFA, then, is a broader term that also encompasses 2FA, though the terms are sometimes used interchangeably.
2FA is not necessarily less secure than MFA, but organizations that require the highest levels of security may look to go beyond just two factors, such as requiring a possession factor (a token), a knowledge factor and a biometric factor, all of which are unlikely to be duplicated together. They may also augment security by collecting contextual data like location. If a user attempts to log in from an unauthorized location, then access is blocked. The security system can also deactivate the user's login ID, token or both until the issue of unauthorized location access attempts has been resolved.
Biometric factors are considered to be the most secure since it's unlikely that the user's fingerprints can be obtained, or that their face or voice can be mimicked to obtain access. However, if the process is too cumbersome, users may become frustrated and try a workaround or, in the case of customer authentication, switch to a competitor's application.
Two-factor authentication uses a combination of factors from two different categories in an effort to reduce the chances of both types of factors being compromised. Two-step authentication processes, on the other hand, may involve two steps of the same type of factor, such as typing in a password and then answering a series of security questions, which both belong to the knowledge category.
Weak and default passwords or passwords stolen through phishing and other attack methods are still being used to execute successful fraud attacks and data breaches. Even long, digitally strong passwords may end up being compromised by the user writing down or sharing the password, or by hackers running random generators, using brute force, or using rainbow table attacks to access user logins and passwords. 2FA requires another authentication factor from a different category, so that even if a password is breached, the likelihood of an impostor gaining access is much lower.
Two-factor authentication is a vital part of security for any type of online application, from the workplace to banking to online shopping. Making these systems easy to use while protecting the user is the hallmark of the best kinds of 2FA. Implementing industry-leading two-factor authentication can benefit businesses, schools, governments and the individual users themselves.
To learn more about how to protect your organization and your end users, see our white paper Multi-factor Authentication: Best Practices for Securing the Modern Digital Enterprise.
What is two-factor authentication, and why is it an effective access control technique?
Two-factor authentication reduces the chances that a hacker will be able to compromise a user’s account by requiring users to authenticate via two different categories of credentials. If one factor is compromised, the odds that an additional factor will also be compromised are low.
What are the two factors used in two-factor authentication?
The two factors used depend on the organization and their needs and how the user will access organizational information. For example, a smartphone app can use a password and a one-time passcode sent to the phone, or a user's log-in information and then their fingerprint or facial recognition. For users who have two-factor authentication in the workplace, logins may be a physical token, such as an ID card, and a password.
Is 2FA necessary?
Due to the increasing complexity of hacking and the increased vulnerability of single-factor password authentication, more organizations of all types opt for 2FA. Not only does it protect the organization's sensitive information from compromise, but it also gives users confidence in using the application or software, knowing their personal information is protected.