two-factor authentication (2FA)

Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

In this context, the two factors involved are sometimes spoken of as something you have and something you know. A common example of two-factor authentication is a bank card: the card itself is the physical item and the personal identification number (PIN) is the data that goes with it. Including those two elements makes it more difficult for someone to access the user’s bank account because they would have to have the physical item in their possession and also know the PIN.

According to proponents, two-factor authentication can drastically reduce the incidence of online identity theft, phishing expeditions, and other online fraud, because stealing the victim's password is not enough to give a thief access to their information.

What are authentication factors?

An authentication factor is an independent category of credential used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor). For systems with more demanding requirements for security, location and time are sometimes added as fourth and fifth factors.

Single-factor authentication (SFA) is based on only one category of identifying credential. The most common SFA method is the familiar user name and password combination (something you know). The security of SFA relies to some extent upon the diligence of users. Best practices for SFA include selecting strong passwords and refraining from automatic or social logins.

For any system or network that contains sensitive data, it's advisable to add additional authentication factors. Multifactor authentication (MFA) involves two or more independent credentials for more secure transactions.

Single-factor authentication (SFA) vs. two-factor authentication (2FA)

Although ID and password are two items, they belong to the same authentication factor (knowledge), so together they are still single-factor authentication (SFA). It is largely because of their low cost, ease of implementation and familiarity that passwords have remained the most common form of SFA. As far as SFA solutions go, ID and password are not the most secure. Multiple challenge-response questions can provide more security, depending on how they are implemented, and standalone biometric verification methods of many kinds can also provide more secure single-factor authentication.

One problem with password-based authentication is that it requires knowledge and diligence to create and remember strong passwords. Passwords also need protection from insider threats, such as carelessly discarded password sticky notes, old hard drives and social engineering, and from external threats such as attackers using brute-force, dictionary or rainbow-table attacks. Given enough time and resources, an attacker can usually breach a password-based security system. Two-factor authentication is designed to provide additional security.

2FA products

  • There are a huge number of devices and solutions for 2FA, from tokens to RFID cards to smartphone apps.
  • Offerings from some well-known companies:
      • RSA SecurID is still very common (although SecurID was hacked in 2011).
      • Microsoft PhoneFactor offers 2FA for a reasonable cost and is free to small organizations of 25 members or fewer.
      • Dell Defender is a multifactor authentication suite that offers biometrics and various token methods for 2FA and higher.
      • Google Authenticator is a 2FA app that works with any supporting site or service.
      • Apple's iOS, iTunes Store and cloud services all support 2FA to protect user accounts and content.

2FA for mobile authentication

Apple's iOS, Google Android and BlackBerry OS 10 all have apps supporting 2FA and other multifactor authentication. Some devices have screens capable of recognizing fingerprints; a built-in camera can be used for facial recognition or iris scanning, and the microphone can be used for voice recognition. Many smartphones have GPS to verify location as an additional factor. Voice or SMS may also be used as a channel for out-of-band authentication. There are also apps that provide one-time password tokens, allowing the phone itself to serve as the physical device that satisfies the possession factor.

Google Authenticator is a two-factor authentication app. To access websites or web-based services, the user types in his username and password and then enters a one-time passcode (OTP) that was delivered to his device in response to the login. The six-digit one-time password changes once every 30-60 seconds and serves to prove possession as the second authentication factor.

Smartphones offer a variety of possibilities for 2FA, allowing companies to use what works best for them.

Is two-factor authentication secure?

Opponents argue (among other things) that, should a thief gain access to your computer, he can boot up in safe mode, bypass the physical authentication processes, scan your system for all passwords and enter the data manually, thus -- at least in this situation -- making two-factor authentication no more secure than the use of a password alone.

Higher levels of authentication for more secure communications

Some security procedures now require three-factor authentication (3FA), which typically involves possession of a physical token and a password used in conjunction with biometric data, such as a fingerprint scan or a voiceprint.

An attacker may occasionally break an authentication factor in the physical world. A persistent search of the target premises, for example, might yield an employee card or an ID and password in an organization’s trash or carelessly discarded storage containing password databases. If additional factors are required for authentication, however, the attacker would face at least one more obstacle.

The majority of attacks come from remote internet connections. 2FA can make remote attacks much less of a threat because obtaining the password is not sufficient for access, and it is unlikely that the attacker would also possess the physical device associated with the user account. Each additional authentication factor makes a system more secure. Because the factors are independent, compromise of one should not lead to the fall of the others.

This was last updated in March 2015

Next Steps

Authentication comes in all sizes and flavors, and security pros need to know as much about multifactor authentication as possible. Learn how to build a business case for MFA.

Be sure to read about the most popular MFA products on the market as well as our in-depth profiles of Vasco IDENTIKEY Server v3.6, Symantec Validation and ID Protection Service, SafeNet Authentication Service and SecureAuth IdP v8.0.



I'm still waiting to hear "stand by for retina scan" a la Captain Kirk ;). Seriously, though, I think that passwords and password management, by virtue of their difficulty to remember by everyday people but ease of hacking by computational methods, will have to give way to another method. Personally, I think the fingerprint sensor is a good first step, albeit by no means perfect. The fact that it has been around for two plus decades and is now finally making headway means there's still plenty of room to grow here.
Two-factor authentication is becoming more popular, but it will take a while before it's standardized globally. For newer generations to verify credentials this way, there must be a heavy reliance on mobile Internet devices. Other methods, such as fingerprint and face scan entries, are not necessarily accurate at this time.

It is certainly possible that text-entered passwords will be a way of the past in the next 25-50 years, but the way that happens is all-but-certain.
Do you think your grandchildren will use passwords? Or will passwords go the way of buggy whips and dial-up connections?
Passwords were a PITA long before they became useless. Cumbersome, difficult to remember, ever-changing. Their false sense of security is sometimes more dangerous than using nothing. No, PASSWORD123 will not keep your bank account secure. Then again, faced with an endless assault by computer crackers, neither will most secure passwords.

I have no faith in passwords and I'm no big fan of password-based 2-Factor authentication either. It's certainly better, but it only adds another layer of difficulty to its use. More secure it may be; user-friendly it's not.

That leaves DNA (coming soon to a UK bank), retinal scans, finger prints and whatever biometric privacy invasion comes next. They'll all do just fine for a while, until advertisers and governments invade the space so deeply that consumers cry for some level of privacy. Then we'll get on to Password 3.0, whatever that may be.
Thank you for the article. Data security is really important today, new era - new threats. I believe that two-factor authentication is even more secure than biometric one. That is why it is really better to choose it for data protection. All the companies you have mentioned are the dinosaurs on this market, but there are also newcomers, who provide not worse but even much better, cheaper and up-to-date service. If you are looking for a modern, reliable and responsible 2FA provider, pay attention to this service.
What is the cost of 2 step verification?
