2FA is a login protocol that improves security for organizations and individuals. It is increasingly adopted by enterprises and governments as the mobile devices and applications that enable it become more ubiquitous, as cyberattacks increase in volume, and with the shift to new security frameworks.
What is two-factor authentication (2FA)?
Two-factor authentication (2FA) is an authentication process that requires users to verify their identity through two different authentication factors in separate channels. 2FA is also known as two-step verification and dual-factor authentication, although there is some dispute as to whether these terms should be distinguished from one another. 2FA is a subset of multi-factor authentication (MFA) and is the foundation of a zero trust security model.
2FA protects against cyberattacks that exploit weak or stolen credentials to access restricted information, as well as unintended access by unauthorized parties. Due to the additional layer of security over single-factor authentication (SFA), 2FA has been adopted by enterprises, governments, and other organizations to protect both a user’s access credentials and the resources being accessed.
How does 2FA work?
When a user attempts to gain access to restricted resources, they are first prompted to verify their identity or credentials through a security challenge. This could be a prompt to enter something the user knows, such as the combination of username and password.
The site’s server matches the information to the user account, or it issues and validates a unique security key. Upon passing the first security challenge, a second security challenge or login step is issued.
The second factor occurs on a different (out-of-band) channel, such as a mobile device or application. Any combination of authentication factors that do not use the same channel could be used for 2FA. The use of two authentication factors that are not delivered through the same channel increase the difficulty of an unauthorized user intentionally or unintentionally gaining access to sensitive information, although security vulnerabilities still exist.
There are dozens of authentication factors, but they fall into five main categories:
- Knowledge factor – requests information known only by the user, such as a password, personal identification number (PIN), or other secret.
- Possession factor – verifies the possession of or uses something only the user has, such as an ID card scan, a security token, or a one-time code sent to a mobile device or application.
- Inherence factor or biometric factor – verifies identity through a physical characteristic inherent to the user, such as fingerprint, retina or iris scan, facial features, keystroke dynamics, or speech patterns.
- Location factor – verifies identity through noting the location of the access attempt and uses such factors as internet protocol (IP) address and global positioning system (GPS) data from a user’s access device.
- Time factor – verifies identity by noting the time of access attempts under the assumption that access behaviors are more likely to occur during predictable periods of time.
While 2FA or any MFA is inherently more secure than SFA, the respective authentication factors differ in terms of convenience, cost, and risk.
Advantages and disadvantages of 2FA
Due to the additional authentication factor compared to SFA, 2FA is in theory more secure than SFA. Due to 2FA’s increased strictness at the login stage, an organization’s overall risk may decrease. Fewer losses occur due to fewer breaches, and the risk mitigation allows the organization to reduce security measures at other layers of account access, thereby decreasing overall security costs.
On the other hand, 2FA is more complicated to set up and maintain than SFA and potentially requires greater technical expertise, upfront costs, and cost over time than SFA. Losing a 2FA device such as a phone or third-party authenticator can result in increased security risk and difficult account recovery. Moreover, no authentication factor is tamper-proof, as each authentication factor carries its own particular vulnerability to attacks.
Trends and alternatives to 2FA
While passwords remain a common authentication factor, organizations have been shifting toward passwordless authentication – using two authentication factors that are not passwords – due to the particular security vulnerability of passwords. Password storage in databases, plus weak password security practices, can result in mass breaches.
Organizations are also moving away from SMS 2FA, as the channel has considerable vulnerabilities. Other trends in 2FA include login through social media as an authentication factor, omnichannel authentication, blockchain as an authentication factor, and a shift toward three-factor authentication (3FA).