Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which the user provides two authentication factors to verify they are who they say they are. 2FA can be contrasted with single-factor authentication (SFA), a security process in which the user provides only one factor -- typically a password.
Two-factor authentication provides an additional layer of security and makes it harder for attackers to gain access to a person's devices and online accounts, because knowing the victim's password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users' data from being accessed by hackers who have stolen a password database or used phishing campaigns to obtain users' passwords.
What are authentication factors?
The ways in which someone can be authenticated usually fall into three categories known as the factors of authentication, which include:
3. Inherence factors, more commonly called biometrics -- something the user is. These may be personal attributes mapped from physical characteristics, such as fingerprints, face and voice. It also includes behavioral biometrics, such as keystroke dynamics, gait or speech patterns.
Systems with more demanding requirements for security may use location and time as fourth and fifth factors. For example, users may be required to authenticate from specific locations, or during specific time windows.
Multifactor authentication involves two or more independent credentials for more secure transactions.
Single-factor authentication vs. two-factor authentication
Using two factors from the same category doesn't constitute 2FA; for example, requiring a password and a shared secret is still considered single-factor authentication, as they both belong to the same authentication factor -- knowledge.
As far as SFA services go, user ID and password are not the most secure. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords. Passwords require protection from many inside threats, like carelessly stored sticky notes with login credentials, old hard drives and social-engineering exploits. Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks.
Given enough time and resources, an attacker can usually breach password-based security systems. Passwords have remained the most common form of SFA because of their low cost, ease of implementation and familiarity. Multiple challenge-response questions can provide more security, depending on how they are implemented, and stand-alone biometric verification methods can also provide a more secure method of single-factor authentication.
Types of two-factor authentication products
There are many different devices and services for implementing 2FA -- from tokens, to RFID cards, to smartphone apps.
Two-factor authentication products can be divided into two parts: tokens that are given to users to use when logging in, and infrastructure or software that recognizes and authenticates access for users who are using their tokens correctly.
On the other side, organizations need to have some system in place to accept, process and allow -- or deny -- access to users authenticating with their tokens. This may be server software, a dedicated hardware server or provided as a service by a third-party vendor.
An important part of 2FA is being sure the authenticated user is given access to all resources the user is approved for -- and only those resources -- so one important function of 2FA is linking the authentication system with an organization's authentication data. Microsoft provides some of the infrastructure necessary for organizations to support 2FA in Windows 10 through Windows Hello, which can operate with Microsoft accounts, as well as authenticating users through Microsoft Active Directory (AD), Azure AD or with FIDO 2.0.
How a typical 2FA hardware token works
There are all sorts of hardware tokens supporting various methods of authentication. One popular hardware token, YubiKey, is a small USB device that supports one-time passwords (OTP), public key encryption and authentication, and the Universal 2nd Factor protocol developed by the FIDO Alliance.
When a user with a YubiKey wants to log into an online service that supports OTP, such as Gmail, GitHub or WordPress, they first insert their YubiKey into the USB port of their device, enter their password, click in the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and enters it in the field.
The OTP is a 44-character, single-use password; the first 12 characters are a unique ID that identifies the security key registered with the account. The remaining 32 characters contain information that is encrypted using a key known only to the device and Yubico's servers, established during the initial account registration.
The OTP is sent from the online service to Yubico for authentication checking. Once the OTP is validated, the Yubico authentication server sends back a message confirming this is the right token for this user. The 2FA is complete. The user has provided two factors of authentication: Their password is the knowledge factor, and their YubiKey is the possession factor.
Two-factor authentication for mobile authentication
Smartphones offer a variety of possibilities for 2FA, allowing companies to use what works best for them. Some devices have screens capable of recognizing fingerprints; a built-in camera can be used for facial recognition or iris scanning and the microphone can be used for voice recognition. Smartphones equipped with GPS can verify location as an additional factor. Voice or Short Message Service (SMS) may also be used as a channel for out-of-band authentication.
Authenticator apps replace the need to obtain a verification code via text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, the user types in their username and password -- a knowledge factor. The user is then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, Authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, the user completes the user-verification process and proves possession of the correct device -- an ownership factor.
Is two-factor authentication secure?
While two-factor authentication does improve security -- because the right to access no longer relies solely on the strength of a password -- two-factor authentication schemes are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer, and one of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA Security reported its SecurID authentication tokens had been hacked.
The account-recovery process itself can also be subverted when it is used to defeat two-factor authentication, because it often resets a user's current password and emails a temporary password to allow the user to log in again, bypassing the 2FA process. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.
Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it is vulnerable to numerous attacks. In fact, the National Institute of Standards and Technology (NIST) deprecated use of SMS in 2FA services, in Special Publication 800-63-3: Digital Authentication Guidelines. NIST concluded one-time passwords sent via SMS are too vulnerable due to mobile phone number portability, attacks like the Signaling System 7 hack against the mobile phone network, and malware like Eurograbber that can intercept or redirect text messages.
Higher levels of authentication for more secure communications
Most attacks originate from remote internet connections, so 2FA makes these attacks less threatening, because obtaining passwords is not sufficient for access, and it is unlikely an attacker would also be able to obtain the second authentication factor associated with a user account.
However, attackers sometimes break an authentication factor in the physical world. A persistent search of the target premises, for example, might yield an employee ID and password in the trash, or in carelessly discarded storage devices containing password databases. If additional factors are required for authentication, however, the attacker would face at least one more obstacle. Because the factors are independent, compromise of one should not lead to the compromise of others.
This is why some high-security environments require three-factor authentication, which typically involves possession of a physical token and a password used in conjunction with biometric data, such as fingerprint scans or voiceprints. Factors such as geolocation, type of device and time of day are also being used to help determine whether a user should be authenticated or blocked. Additionally, behavioral biometric identifiers, like a user's keystroke length, typing speed and mouse movements, can be discreetly monitored in real time to provide continuous authentication, instead of a single one-off authentication check during login.
Continue Reading About two-factor authentication (2FA)
- NIST provides guidelines for two-factor authentication in its Special Publication 800-63-3: Digital Authentication Guidelines.