Two-factor authentication, abbreviated as 2FA, is an authentication process that requires two different authentication factors to establish identity. In a nutshell, it means requiring a user to prove their identity in two different ways before granting them access.
Authentication is an important component of access control. It is the security practice of confirming that someone is who they claim to be. A traveler showing their passport to a customs agent is one example.
In the scope of cybersecurity, the most common example of authentication is logging into a service on the web, such as signing into Gmail in a web browser or logging in on the Facebook app. When a user provides a username and password combination, the service can confirm these details and use them to authenticate the user.
Authentication factors are different classes of identity verification methods. Some commonly used authentication factors for 2FA include:
It should be noted that requiring two instances of the same authentication factor does not qualify as 2FA. For example, requiring a password as well as a security question is still single-factor authentication. Both of these pertain to the factor of knowledge.
A common example of 2FA requires a username/password verification and an SMS text verification. In this example, when the user creates an account for a service they must provide a unique username, a password, and their mobile phone number.
When the user logs into that service, they provide their username and password. This provides the first authentication factor (knowledge; the user has proven that they know their unique login credentials). Next, the service will send the user an automated text message with a numerical code. The user will then get prompted to enter the numerical code. Assuming the code is correct, the user has provided a second authentication factor (possession; the user is in possession of their mobile device). Now the conditions for 2FA have been met and the user can be authenticated and granted access to their account.
Password-based security has become too easy to exploit by attackers. With the prevalence of phishing scams, on-path attacks, brute force attacks, and password re-use, it has become increasingly simple for attackers to collect stolen login credentials. These stolen credentials can be traded or sold for use in credential stuffing attacks. For this reason, 2FA is becoming more and more commonplace.
Stronger identity verification has also increased in importance as remote workforces become more common. Many company employees no longer come into the office and instead work remotely. Since their physical presence in the office cannot be used to verify their identity, measures like 2FA help ensure that their accounts have not been compromised.
Security experts generally recommend that users enable 2FA whenever possible, as well as requesting it from services that handle sensitive user data but don’t currently offer 2FA. While 2FA is not impossible for attackers to crack, it is significantly more difficult and expensive to compromise than password-only authentication.
SMS-based 2FA (text-message verification) is much more secure than single-factor authentication (password-only). That being said, SMS is among the least secure 2FA methods. The SMS protocol is not very secure and SMS messages can be intercepted by attackers.
There are other ways to do 2FA using a mobile device that are more secure: for example, sending the verification code through a secure app that uses strong encryption. Google and many other big Internet services use time-based one-time passwords (TOTP). With TOTP, a client (often an app running on a smartphone) creates a temporary single-use code based on the time of day. These codes have an extremely short lifespan, typically less than a minute. This tight timeline makes it extremely challenging for an attacker to intercept and decrypt the code before it expires.
There is also an emerging 2FA technology called ‘Sound-Proof’, which uses ambient noise picked up by the microphones built into mobile devices and laptops. Sound-Proof works by comparing the samples of ambient noise to ensure that both devices are in the same room.
While 2FA is helping make the Internet more secure, there are a few drawbacks that should be considered. For example, 2FA may discourage less technically savvy users, for whom downloading and navigating smartphone verification apps can be a challenge.
Requiring 2FA for a service can also create some economic barriers to entry. Not all users have the modern smartphones required for many 2FA methods. Additionally, mobile data is very expensive in some parts of the world, so even those with smartphones may suffer economic consequences for downloading a 2FA verification app.
2FA also imposes business costs for those managing the service. 2FA is much more difficult to implement than password-only authentication, and a business providing 2FA will either have to incur setup costs or pay a third-party service to provide the authentication at an ongoing cost. Smaller businesses may forgo the increased security of 2FA because they simply cannot afford to support it.