Virtually everyone has been prompted to answer a security message or input an SMS messaging code to log in to some kind of account.
This extra step beyond username and password is two-factor authentication (2FA). These authentication methods of secondary verification, designed to ensure that a person is who they say they are, are examples of multi-factor authentication.
What is 2FA?
Two-factor authentication (2FA) is the requirement of additional verification beyond a username and password. Common examples of 2FA verification include security questions, SMS (short messaging service) messages, and push notifications.
2FA is a commonly used method of authentication used for situations in which someone may misspell a password, forget their password, log in from a new device, or perform any other potentially suspicious behavior. More than two requirements may be added to the authentication process. This is called multi-factor authentication (MFA).
What is two-factor authentication (2FA)?
Two-factor authentication is any method of identity validation layered on a traditional identity and password (lock and key) access method. A two-step authentication process is more reliable than a single layer of security.
Hackers and cybercriminals often send fraudulent emails through phishing attacks, develop fraudulent websites and perform many other kinds of social engineering to steal a person’s username and password. Without additional authentication methods, those basic credentials could grant criminals easy access to highly sensitive information.
This diagram demonstrates the two-step verification process as it is experienced by most users.
The goal of two-factor authentication is to make information and accounts more secure by restricting access unless the administrator's security criteria have been met. This can help prevent stolen laptops from being used to steal information and prevent bank accounts from being accessed with a stolen card.
Still, two-step authentication is not always sufficient. Some security questions may be easy to guess. It’s not hard to Google a person to find the street they live on, the car they drive, or their mother’s maiden name.
While it’s not a silver bullet that solves all access and security questions, it is an additional layer of security that can make it significantly more difficult for hackers and criminals to gain access to sensitive information.
Examples of two-factor authentication
These are a few examples of two-factor authentication commonly used to secure accounts on websites, applications and networks:
SMS text: SMS texts are sent to a mobile device associated with an account when the account is accessed from a new location or device, or when individuals request to reset their passwords. The individual receives a code they must enter online to reset their password.
Security questions: Users might be asked to set and answer security questions when initially setting up an account. They’re typically personal questions only the individual can answer. Some may be easier to guess than others, but examples include their mother’s maiden name, the street they grew up on or the first car they owned.
FaceID/Face Unlock: FaceID is used to log into Apple iOS devices, Face Unlock is the Android equivalent. The biometric factor is completed through a facial scan. If the facial scan fails to verify an individual’s identity, the device will require a passcode of some kind to verify the user.
Hardware tokens: Hardware tokens are typically provided by a business or financial institution so individuals can securely access systems remotely. It’s typically a keychain-sized physical device that generates an authentication key in the form of numbers or letters. Users input the key after an initial login to access the system.
Kinds of 2FA
Two-factor authentication methods are typically prompted in two forms. Some businesses or organizations may require every user to successfully fulfill two-factor authentication methods before granting access. Others may only prompt 2FA when a user forgets their password or logs in from a new IP address.
Perpetual two-factor authentication requires a hardware token-generating device or digital tokenization key of some kind. It is used for every login attempt to access a network, application or other IT system.
Companies may equip their employees with a device to generate security tokens. Whenever the employee logs into their system, they press a button on a small device and are presented with an alphanumeric security code. The employee then inputs this code and their identity is authenticated.
Banks, for example, require both a banking card and PIN to withdraw money from an ATM. The PIN can be thought of as a traditional password, but the banking card is a physical factor used as additional authentication for access and activity.
Triggered two-factor authentication is prompted by behaviors and actions of the individual attempting to gain access to sensitive information, an online account or private business system.
The most common example of triggered 2FA is found on virtually any website that requires a login. If you forget your password, the site will typically prompt an individual to receive an SMS text, email or push notification. The user then has to retrieve the alert and follow the steps to sufficiently verify their identity and update their password.
Another example of triggered 2FA can be found when linking two accounts online. One account will request access and the requesting individual must visit their existing account’s website or mobile application to verify that they were the individual that requested the access.
How does 2FA work?
The components of 2FA are typically categorized into five factors of authentication: knowledge, possession, inherence, location and time.
Knowledge: Knowledge factors refer to information an individual knows. They’re most commonly demonstrated in the form of a username and password. With this single factor of authentication, the user knows their access ID and the passcode associated with their account.
Possession: Possession factors refer to something physical that an individual has with them. This can be in the form of a device that generates security tokens, a smartphone or a banking card. Most of the time, possession factors are used as a complement to knowledge factors, rather than granting access directly.
Inherent: An inherent factor is something you are as an individual. Inherent factors are typically evaluated through a form of biometric authentication such as a fingerprint, face scan, or voice recognition.
Location: Location factors are becoming more commonly used in multi-factor authentication solutions. They are used to identify individuals hoping to access sensitive information from a new or unusual physical location. For example, if someone tries to log into an account from another country when they’re typically in their home country, systems may prompt additional authentication requirements.
Time: Much like location factors, time factors take into account the time of day an individual is requesting access. If someone always logs in at 9 AM but attempts to access an account at 11 PM or 2 AM, additional authentication methods may be prompted.
2FA vs. MFA and RBA
Two-factor authentication is very closely related to multi-factor authentication (MFA). Multi-factor authentication combines any number of authentication factors to validate someone’s identity.
Multi-factor authentication (MFA) may be triggered by a failed two-step authentication process or some kind of suspicious user behavior. It may also just be required as a multi-layered security method used to secure highly sensitive accounts, information or data.
Risk-based authentication (RBA) can be thought of as intelligent MFA. These systems continuously analyze any range of factors from passwords and login attempts to a user’s behavior and location.
RBA systems calculate risk scores based on the myriad factors they take into account. After calculating risk scores, users may be approved to access specified systems if they fall below the risk threshold. If an individual does not meet these standards and surpasses the risk threshold, they may be cut off from a network or prompted to fulfill further authentication processes.
For example, if an individual logs into an account from a new device, but was in a known location and in possession of their access credentials, they might be approved. But if an individual has an unknown device and IP address and attempts to gain access at an abnormal time of day, further authentication and/or quarantine processes may be triggered to restrict access and secure the account.
This diagram demonstrates three situations in which RBA might evaluate an individual and determine the level of risk associated with granting access.
Potential downsides to two-factor authentication
While the benefits of two-factor authentication are obvious — increased security and information protection — there are potential downsides.
Some authentication systems may assume an individual has access to a smartphone or email account. This can be inconvenient or impossible for individuals without an internet-enabled mobile device or without the specific mobile application required to confirm their identity. It can also be inconvenient for users who may have set up an account using an outdated email address or phone number.
If an individual loses a physical device such as a banking card or hardware token, it may be time-consuming and difficult to locate or replace. Users in desperate need of access to a bank account or financial service may be unable to perform their desired tasks.
Other downsides may be the result of user errors or forgetfulness, but the positive overall impact on security will likely outweigh any inconvenience experienced by users.
However, if you were hoping to learn how to avoid 2FA despite its security advantages, check out this article on how to turn off two-factor authentication.