This content is part of the Essential Guide: Windows 10 security guide to fortify your defenses

two-factor authentication (2FA)

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual factor authentication, is a security process in which the user provides two different authentication factors to verify themselves to better protect both the user's credentials and the resources the user can access. Two-factor authentication provides a higher level of assurance than authentication methods that depend on single-factor authentication (SFA), in which the user provides only one factor -- typically a password or passcode. Two-factor authentication methods rely on users providing a password as well as a second factor, usually either a security token or a biometric factor like a fingerprint or facial scan.

Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts, because knowing the victim's password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online service providers are increasingly using 2FA to protect their users' credentials from being used by hackers who have stolen a password database or used phishing campaigns to obtain user passwords.

What are authentication factors?

There are several different ways in which someone can be authenticated using more than one authentication method. Currently, most authentication methods rely on knowledge factors like a traditional password, while two-factor authentication methods add either a possession factor or an inherence factor.

Authentication factors, listed in approximate order of adoption for computing, include:

  1. A knowledge factor is something the user knows, such as a password, a PIN or some other type of shared secret.
  2. A possession factor is something the user has, such as an ID card, a security token, a smartphone or other mobile device.
  3. An inherence factor, more commonly called a biometric factor, is something inherent in the user's physical self. These may be personal attributes mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader; other commonly-used inherence factors include facial and voice recognition. It also includes behavioral biometrics, such as keystroke dynamics, gait or speech patterns.
  4. A location factor, usually denoted by the location from which an authentication attempt is being made, can be enforced by limiting authentication attempts to specific devices in a particular location, or more commonly by tracking the geographic source of an authentication attempt based on the source IP address or some other geolocation information derived from the user's mobile phone or other device such as GPS data.
  5. A time factor restricts user authentication to a specific time window in which logging on is permitted, and restricting access to the system outside of that window.

It should be noted that the vast majority of two-factor authentication methods rely on the first three authentication factors though systems requiring greater security may use them to implement multifactor authentication, which can rely on two or more independent credentials for more secure authentication.

What is two-factor authentication?

Two-factor authentication is a form of multifactor authentication. Technically, it is in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn't constitute 2FA; for example, requiring a password and a shared secret is still considered single-factor authentication, as they both belong to the same authentication factor -- knowledge.

two-factor authentication

As far as single factor authentication services go, user ID and password are not the most secure. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords. Passwords require protection from many inside threats, like carelessly stored sticky notes with login credentials, old hard drives and social-engineering exploits. Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks.

Given enough time and resources, an attacker can usually breach password-based security systems. Passwords have remained the most common form of single factor authentication because of their low cost, ease of implementation and familiarity. Multiple challenge-response questions can provide more security, depending on how they are implemented, and stand-alone biometric verification methods can also provide a more secure method of single-factor authentication.

Types of two-factor authentication products

There are many different devices and services for implementing 2FA -- from tokens, to RFID cards, to smartphone apps.

Two-factor authentication products can be divided into two categories: tokens that are given to users to use when logging in, and infrastructure or software that recognizes and authenticates access for users who are using their tokens correctly.

Authentication tokens may be physical devices, such as key fobs or smart cards, or they may exist in software as mobile or desktop apps that generate PIN codes for authentication. These authentication codes, also known as one-time passwords, are usually generated by a server and can be recognized as authentic by an authentication device or app. The authentication code is a short sequence linked to a particular device, user or account and that can be used once as part of an authentication process.

Organizations need to deploy a system to accept, process and allow -- or deny -- access to users authenticating with their tokens. This may be deployed in the form of server software, a dedicated hardware server or provided as a service by a third-party vendor.

An important aspect of 2FA is ascertaining that the authenticated user is given access to all resources the user is approved for -- and only those resources. As a result, one key function of 2FA is linking the authentication system with an organization's authentication data. Microsoft provides some of the infrastructure necessary for organizations to support 2FA in Windows 10 through Windows Hello, which can operate with Microsoft accounts, as well as authenticating users through Microsoft Active Directory (AD), Azure AD or with FIDO 2.0.

How 2FA hardware tokens work

Hardware tokens for 2FA are available supporting different approaches to authentication. One popular hardware token is the YubiKey, a small USB device that supports one-time passwords (OTP), public key encryption and authentication and the Universal 2nd Factor protocol developed by the FIDO Alliance. YubiKey tokens are sold by Yubico, Inc., based in Palo Alto, Calif.

When a user with a YubiKey logs into an online service that supports OTP, such as Gmail, GitHub or WordPress, they insert their YubiKey into the USB port of their device, enter their password, click in the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and enters it in the field.

The OTP is a 44-character, single-use password; the first 12 characters are a unique ID that identifies the security key registered with the account. The remaining 32 characters contain information that is encrypted using a key known only to the device and Yubico's servers, established during the initial account registration.

The OTP is sent from the online service to Yubico for authentication checking. Once the OTP is validated, the Yubico authentication server sends back a message confirming this is the right token for this user. The 2FA is complete. The user has provided two factors of authentication: Their password is the knowledge factor, and their YubiKey is the possession factor.

Two-factor authentication for mobile device authentication

Smartphones offer a variety of possibilities for 2FA, allowing companies to use what works best for them. Some devices are capable of recognizing fingerprints; a built-in camera can be used for facial recognition or iris scanning and the microphone can be used for voice recognition. Smartphones equipped with GPS can verify location as an additional factor. Voice or Short Message Service (SMS) may also be used as a channel for out-of-band authentication.

Apple iOS, Google Android, Windows 10 and BlackBerry OS 10 all have apps that support 2FA, allowing the phone itself to serve as the physical device to satisfy the possession factor. Duo Security, based in Ann Arbor, Mich., and purchased by Cisco in 2018 for $2.35 billion, is a 2FA platform vendor whose product enables customers to use their trusted devices for 2FA. Duo's platform first establishes that a user is trusted before verifying that their mobile device can also be trusted for authenticating the user.

Biometric authentication for smartphones

Authenticator apps replace the need to obtain a verification code via text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, the user types in their username and password -- a knowledge factor. The user is then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, Authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, the user completes the user-verification process and proves possession of the correct device -- an ownership factor.

Is two-factor authentication secure?

While two-factor authentication does improve security -- because the right to access no longer relies solely on the strength of a password -- two-factor authentication schemes are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA Security reported its SecurID authentication tokens had been hacked.

The account-recovery process itself can also be subverted when it is used to defeat two-factor authentication, because it often resets a user's current password and emails a temporary password to allow the user to log in again, bypassing the 2FA process. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.

Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it is vulnerable to numerous attacks. NIST has deprecated use of SMS in 2FA services in its Special Publication 800-63-3: Digital Identity Guidelines. NIST concluded that one-time passwords sent via SMS are too vulnerable due to mobile phone number portability, attacks like the Signaling System 7 hack against the mobile phone network and malware like Eurograbber that can be used to intercept or redirect text messages.

Higher levels of authentication

Most attacks originate from remote internet connections, so 2FA makes these attacks less threatening. Obtaining passwords is not sufficient for access, and it is unlikely an attacker would also be able to obtain the second authentication factor associated with a user account.

However, attackers sometimes break an authentication factor in the physical world. For example, a persistent search of the target premises might yield an employee ID and password in the trash, or in carelessly discarded storage devices containing password databases. However, if additional factors are required for authentication, the attacker would face at least one more obstacle. Because the factors are independent, compromise of one should not lead to the compromise of others.

This is why some high-security environments require a more demanding form of multifactor authentication, such three-factor authentication, which typically involves possession of a physical token and a password used in conjunction with biometric data, such as fingerprint scans or voiceprints. Factors such as geolocation, type of device and time of day are also being used to help determine whether a user should be authenticated or blocked. Additionally, behavioral biometric identifiers, like a user's keystroke length, typing speed and mouse movements, can also be discreetly monitored in real time to provide continuous authentication, instead of a single one-off authentication check during login.

This was last updated in August 2018

Continue Reading About two-factor authentication (2FA)

Dig Deeper on Two-factor and multifactor authentication strategies

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I'm still waiting to hear "stand by for retina scan" a la Captain Kirk ;). Seriously, though, I think that passwords and password management, by virtue of it's difficulty to remember by everyday people but ease of hacking by computational methods, will have to give way to another method. Personally, I think the fingerprint sensor is a good first step, albeit by no means perfect. The fact that it has been around for two plus decades and is now finally making headway means there's still plenty of room to grow here.
Two-factor authentication is becoming more popular, but will take a while before its standardized globally. For newer generations to verify credentials this way, there must be a heavy reliance on mobile Internet devices. Other methods, such as fingerprint and face scan entries, are not necessarily accurate at this time.

It is certainly possible that text-entered passwords will be a way of the past in the next 25-50 years, but the way that happens is all-but-certain.
Do you think your grandchildren will use passwords? Or will passwords go the way of buggy whips and dial-up connections?
Passwords were a PITA long before they become useless. Cumbersome, difficult to remember, ever-changing. Their false sense of security is sometimes more dangerous than using nothing. No, PASSWORD123 will not keep your bank account secure. Then again, faced with an endless assault by computer crackers, neither will most secure passwords.

I have no faith in passwords and I'm no big fan of password-based 2-Factor authentication either. It's certainly better, but it only adds another layer of difficulty to its use. More secure it may be; user-friendly it's not.

That leaves DNA (coming soon to a UK bank), retinal scans, finger prints and whatever biometric privacy invasion comes next. They'll all do just fine for a while, until advertisers and governments invade the space so deeply that consumers cry for some level of privacy. Then we'll get on to Password 3.0, whatever that may be.
What has been your experience with two-factor authentication in your organization, including setup and day-to-day use?
What are the greatest challenges you've encountered relating to two-factor authentication?
Thank you for the article. Data security is really important today, new era - new threats. I believe that two factor authentication is even more secure than biometric one. That is why it is really better to choose it for data protection. All the companies you have mentioned are the dinosaurs on this market, but there are also newcomers, who provide not worth but even much better, cheaper and up-to-date service. If you are looking for modern, reliable and responsible 2FA provider, pay attention to this service. -
What is the cost of two step verification?
The cost, depending on what service or tech you're using, is usually either cheap or non-existent. For example, Google offers 2FA for its service at no cost (I highly recommend enabling free 2FA options for all such services). Third party 2FA tech, meanwhile, is usually very affordable. Yubico's 2FA Yubikeys start at around $10, for example.
A very informative article. I always have a lot of questions when it comes to security. Recently a fraudulent activity was performed on my account and a friend suggested to buy something like Norton security from my internet provider. Can anyone tell me where to look which providers offer these kind of security services?


File Extensions and File Formats

Powered by: