With two-factor authentication (2FA), users must prove their identity through two different means before being granted access.
What is two-factor authentication?
Two-factor authentication, abbreviated as 2FA, is an authentication process that requires two different authentication factors to establish identity. It means requiring users to prove their identity in two ways before granting access. 2FA is one form of multi-factor authentication.
What is authentication?
Authentication is an important component of access control. It is the security practice of confirming that someone is who they claim to be. A traveler showing their passport to a customs agent is one example.
In cybersecurity, the most common example of authentication is logging into a service on the web, such as signing into Gmail in a web browser or logging in on the Facebook app. When a user provides a username and password combination, the service can confirm these details and use them to authenticate the user.
What is an authentication factor?
Authentication factors are different classes of identity verification methods. Some commonly used authentication factors for 2FA include:
- Knowledge: This is a piece of information that only the user should know, such as a password or the answer to a security question.
- Possession: This factor relies on the user maintaining physical possession of an object, such as a hardware key that generates passcodes or a mobile device that receives codes.
- Biometric Data: These are unique biological traits of the user that can be used in authentication. Examples include fingerprints, retinal scans, and face IDs.
- Location: Location-based tools like GPS can restrict user authentication within a specified geographic region.
It should be noted that requiring two instances of the same authentication factor does not qualify as 2FA. For example, requiring a password and a security question is still single-factor authentication. Both of these pertain to the factor of knowledge.
How does two-factor authentication work?
Two-factor authentication can work in multiple ways. One of the most common examples of 2FA requires a username/password verification and an SMS text verification.
In this example, when the user creates an account for a service, they must provide a unique username, a password, and a mobile phone number. When users log into that service, they provide their username and password. This provides the first authentication factor (knowledge; the user has proven that they know their unique login credentials).
Next, the service will send the user an automated text message with a numerical code. The user will then get prompted to enter the numerical code. Assuming the code is correct, the user has provided a second authentication factor (possession; the user has their mobile device). Now, the conditions for 2FA have been met, and the user can be authenticated and granted access to their account.
Why use two-factor authentication?
Password-based security has become too easy for attackers to exploit. With the prevalence of phishing scams, on-path attacks, brute force attacks, and password re-use, it has become increasingly simple for attackers to collect stolen login credentials. These stolen credentials can be traded or sold and then used in credential-stuffing attacks. For this reason, 2FA is becoming more and more commonplace.
Stronger identity verification has also increased in importance as remote workforces become more common. Since employees’ physical presence in the office cannot be used to verify their identity, measures like 2FA help ensure that their accounts have not been compromised.
Security experts generally recommend that users enable 2FA whenever possible and request it from services that handle sensitive user data but don’t currently offer 2FA. While 2FA is not impossible for attackers to crack, it is significantly more difficult and expensive to compromise than password-only authentication.
Is SMS-based two-factor authentication secure?
SMS-based 2FA (text-message verification) is much more secure than single-factor authentication (password-only). That being said, SMS is among the least secure 2FA methods. The SMS protocol is not very secure, and attackers can intercept SMS messages.
There are other ways to implement 2FA that use a mobile device more securely, such as delivering the verification code through a dedicated app that uses strong encryption. Google and other major Internet services use time-based one-time passwords (TOTP). With TOTP, a client (often an app running on a smartphone) creates a temporary single-use code based on the current time. These codes have an extremely short lifespan, typically less than a minute. This tight timeline makes it extremely challenging for an attacker to intercept and use the code before it expires.
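The TOTP scheme described above, as an added example (not code from the original article) built only from the Python standard library: RFC 6238 with the usual 30-second step and six digits, plus the server-side check that tolerates one step of clock drift and refuses a counter it has already accepted. The 20-byte secret used in the comments is the published RFC test secret; the `last_used_counter` replay check is an assumption about how a server would track state.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

DEFAULT_STEP = 30      # seconds each code lives (the "short lifespan")
DEFAULT_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a fixed number of decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = DEFAULT_STEP, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current Unix time step.
    With the RFC test secret b"12345678901234567890", time 59 -> "287082"."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = DEFAULT_STEP, digits: int = DEFAULT_DIGITS,
                window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    """Server-side check (assumed design, not from the article).
    Accepts the current step plus `window` steps either side for clock
    drift, compares in constant time, and rejects any counter at or below
    the last one already accepted so an intercepted code cannot be
    replayed. Returns the matched counter, or None on failure."""
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed: replay attempt or stale code
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None
```

A real deployment stores the returned counter per user and passes it back as `last_used_counter` on the next attempt, which is what makes each code genuinely single-use.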
There is also an emerging 2FA technology called ‘Sound-Proof,’ which uses ambient noise picked up by microphones built into mobile devices and laptops. Sound-Proof works by comparing ambient noise samples to ensure that both devices are in the same room.
Are there drawbacks to two-factor authentication?
While 2FA is helping make the Internet more secure, a few drawbacks should be considered. For example, 2FA may discourage less technically savvy users, for whom downloading and navigating smartphone verification apps can be challenging.
Requiring 2FA for a service can also create some economic barriers to entry. Not all users have the modern smartphones required for many 2FA methods. Additionally, mobile data is very expensive in some parts of the world, so even those with smartphones may suffer economic consequences for downloading a 2FA verification app.
2FA also imposes business costs for those managing the service. 2FA is much more difficult to implement than password-only authentication, and a business providing 2FA will either have to incur setup costs or pay a third-party service to provide the authentication at an ongoing cost. Smaller businesses may forgo the increased security of 2FA because they cannot afford to support it.