two-factor authentication (2FA)

Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

In this context, the two factors involved are sometimes spoken of as something you have and something you know. A common example of two-factor authentication is a bank card: the card itself is the physical item and the personal identification number (PIN) is the data that goes with it. Including those two elements makes it more difficult for someone to access the user’s bank account because they would have to have the physical item in their possession and also know the PIN.

According to proponents, two-factor authentication can drastically reduce the incidence of online identity theft, phishing expeditions, and other online fraud, because stealing the victim's password is not enough to give a thief access to their information.

What are authentication factors?

An authentication factor is an independent category of credential used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor). For systems with more demanding requirements for security, location and time are sometimes added as fourth and fifth factors.

Single-factor authentication (SFA) is based on only one category of identifying credential. The most common SFA method is the familiar user name and password combination (something you know). The security of SFA relies to some extent upon the diligence of users. Best practices for SFA include selecting strong passwords and refraining from automatic or social logins.

For any system or network that contains sensitive data, it's advisable to add additional authentication factors. Multifactor authentication (MFA) involves two or more independent credentials for more secure transactions.

Single-factor authentication (SFA) vs. two-factor authentication (2FA)

Although ID and password are two items, because they belong to the same authentication factor (knowledge), they are single factor authentication (SFA). It is really because of their low cost, ease of implementation and familiarity that passwords that have remained the most common form of SFA. As far as SFA solutions go, ID and password are not the most secure. Multiple challenge-response questions can provide more security, depending on how they are implemented, and standalone biometric verification methods of many kinds can also provide more secure single-factor authentication.

One problem with password-based authentication is that it requires knowledge and diligence to create and remember strong passwords. Passwords also require protection from many inside threats like carelessly discarded password sticky notes and old hard drives and social engineering exploits. Passwords are also prey to external threats such as hackers using brute force, dictionary or rainbow table attacks. Given enough time and resources, an attacker can usually breach password-based security systems. Two-factor authentication is designed to provide additional security.

2FA products

  • There are a huge number of devices and solutions for 2FA, from tokens to RFID cards to smartphone apps.
  • Offerings from some well-known companies:
  • RSA SecureID is still very common (although its SecurID was hacked in 2011).
  • Microsoft Phonefactor offers 2FA for a reasonable cost and is free to small organizations of 25 members or less.
  • Dell Defender is a multifactor authentication suite that offers biometrics and various token methods for 2FA and higher.
  • Google Authenticator is a 2FA app that works with any supporting site or service.
  • Apple’s iOS, iTunes store and cloud services all support 2FA to protect user accounts and content.

2FA for mobile authentication

Apples iOS, Google Android and Blackberry OS 10 all have apps supporting 2FA and other multifactor authentication. Some have screens capable of recognizing fingerprints; a built-in camera can be used for facial recognition or iris scanning and the microphone can be used in voice recognition. Many smartphones have GPS to verify location as an additional factor. Voice or SMS may also be used as a channel for out-of-band authentication. There are also apps that provide one time password tokens, allowing the phone itself to serve as the physical device to satisfy the possession factor.

Google Authenticator is a two-factor authentication app. To access websites or web-based services, the user types in his username and password and then enters a one-time passcode (OTP) that was delivered to his device in response to the login. The six-digit one time password changes once every 30-60 seconds and serves again to prove possession as an authentication factor.

Smartphones offer a variety of possibilities for 2FA, allowing companies to use what works best for them.

Is two-factor authentication secure?

Opponents argue (among other things) that, should a thief gain access to your computer, he can boot up in safe mode, bypass the physical authentication processes, scan your system for all passwords and enter the data manually, thus -- at least in this situation -- making two-factor authentication no more secure than the use of a password alone.

Higher levels of authentication for more secure communications

Some security procedures now require three-factor authentication (3FA), which typically involves possession of a physical token and a password used in conjunction with biometric data, such as fingerscanning or a voiceprint.

An attacker may occasionally break an authentication factor in the physical world. A persistent search of the target premises, for example, might yield an employee card or an ID and password in an organization’s trash or carelessly discarded storage containing password databases. If additional factors are required for authentication, however, the attacker would face at least one more obstacle.

The majority of attacks come from remote internet connections. 2FA can make distance attacks much less of a threat because accessing passwords is not sufficient for access and it is unlikely that the attacker would also possess the physical device associated with the user account. Each additional authentication factor makes a system more secure. Because the factors are independent, compromise of one should not lead to the fall of others.

This was last updated in March 2015

Next Steps

Authentication comes in all sizes and flavors, and security pros need to know as much about multifactor authentication as possible. Learn how to build a business case for MFA.

Be sure to read about the most popular MFA products on the market as well as our in-depth profiles of Vasco IDENTIKEY Server v3.6 , Symantec Validation and ID Protection Service , SafeNet Authentication Service and SecureAuth idP v8.0.

Continue Reading About two-factor authentication (2FA)

Dig Deeper on Two-Factor and Multifactor Authentication Strategies



Find more PRO+ content and other member only offers, here.

Related Discussions

Margaret Rouse asks:

Do you think your grandchildren will use passwords? Or will passwords go the way of buggy whips and dial-up connections?

3  Responses So Far

Join the Discussion



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:


File Extensions and File Formats

Powered by: