Two-Factor Authentication

by Merry Marwig, CIPP/US
What is two-factor authentication (2FA) and why is it important as a software feature?

What is two-factor authentication?

Two-factor authentication—commonly referred to as 2FA, two-step verification, 2-step verification, or dual-factor authentication—is a security procedure that requires account users to verify their identity in two different ways prior to granting them access to user accounts. This process is a form of multi-factor authentication requiring exactly two forms of the five commonly accepted authentication factors. Many companies utilize multi-factor authentication (MFA) software to achieve this. 

Two-factor authentication is more secure than single-factor authentication, which is typically a knowledge factor (something a user knows), such as username and password. The most common forms of second authentication factors are one-time passwords (OTPs) sent via SMS and email or derived from an authenticator app or hardware token.  

Types of two-factor authentication

The five commonly accepted authentication factors are knowledge, possession, inherence, location, and behavior.

  • Knowledge: This factor requires users to authenticate with something they know. The most common single-factor authentication is password-based authentication. This is considered insecure because people may use weak passwords or passwords that are easily compromised.
  • Possession: This authentication factor requires users to authenticate with something they have. Users provide something in their possession, usually a code from an authenticator app on their mobile device, an SMS or text message, a software token (soft token), or a hardware token (hard token). The code provided can be either an HMAC-based one-time password (HOTP) that does not expire until used or a time-based one-time password (TOTP) that expires in 30 seconds.
  • Inherence: This requires users to authenticate with what they are. It takes into account something unique to the user, such as biometric factors. Biometric authentication can include fingerprint scans, finger geometry, palm print or hand geometry scans, and facial prints. Using biometric authentication software is becoming increasingly common as biometric logins on mobile devices, including facial recognition software and fingerprint scanning capabilities, have gained in popularity among consumers. Other biometric authentication methods, such as ear shape recognition, voiceprints, retina scans, iris scans, DNA, odor identity, gait patterns, vein patterns, handwriting and signature analysis, and typing recognition, have not yet been widely commercialized for authentication purposes.
  • Location: The location factor requires users to authenticate with where they are and when. It considers a user’s geographic location and the time it took for them to get there. This form of authentication is commonly used in risk-based authentication software. Usually, these authentication methods do not require a user to actively authenticate this information; instead, the check runs in the background when determining a specific user’s authentication risk. This type of authentication verifies a user’s geolocation, which points to where they currently are, and their geovelocity, which is the reasonable amount of time it takes for a person to travel to a given location. For example, if a user authenticates with an MFA software provider in Chicago and 10 minutes later attempts to authenticate from Moscow, there is a security issue.
  • Behavior: This factor requires users to authenticate with something they do. It relates to specific gestures or touch patterns that users generate. For example, using a touchscreen, users can create a picture password where they draw circles, straight lines, or tap an image to create a unique gesture password.
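The Chicago-to-Moscow geovelocity check described under the Location factor, as an added example (not code from the original article or from any MFA product). The 900 km/h speed ceiling, the 50 km jitter floor and all names are assumptions, and the login events are constructed sample data.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed


@dataclass
class Login:
    user: str
    ts: int      # Unix seconds
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=50.0):
    """Return (previous, current, implied_kmh) for each pair of consecutive
    logins by the same user whose implied travel speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if km < min_km:
            continue  # ignore IP-geolocation jitter inside one metro area
        hours = max(ev.ts - prev.ts, 1) / 3600  # avoid division by zero
        if km / hours > max_kmh:
            alerts.append((prev, ev, round(km / hours)))
    return alerts


# Constructed sample events (approximate city coordinates).
SAMPLE_EVENTS = [
    Login("alice", 0, 41.8781, -87.6298),       # Chicago
    Login("bob", 0, 41.8781, -87.6298),         # Chicago
    Login("alice", 600, 55.7558, 37.6173),      # Moscow, 10 minutes later
    Login("bob", 3 * 3600, 40.7128, -74.0060),  # New York, 3 hours later
]
```

In a risk-based flow an alert like this would typically trigger a step-up challenge or a block rather than a silent log entry.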

Benefits of using two-factor authentication

The benefit of two-factor authentication is increased account security. Requiring an additional authentication step for verifying a user's digital identity helps ensure that only authorized users can log on and have access to specific user accounts. Additional verification helps companies prevent both insider threats, such as unauthorized employees, and external threats, like hackers, from accessing restricted accounts. The benefits of two-factor authentication include:

  • Improved account security: The main purpose of two-factor authentication is increased account security.
  • Simplified user login process: A secondary benefit of using two-factor authentication is a simplified login experience for end users. Some users may have poor password management practices. Allowing users to authenticate in ways that do not require a password can reduce password fatigue.
  • Meet regulatory compliance requirements: Many data protection laws globally require companies to adopt strong authentication measures. Adopting 2FA can assist companies in meeting these requirements.

Impacts of using two-factor authentication

Virtually all companies, especially technology companies, require some form of user authentication to access software, systems, or other secured resources. The most common form of authentication, a single factor, which is often only a username and password, has proven to be insecure. This has driven the need to require two factors of authentication prior to granting account access.

As companies seek to become even more secure, many are requiring more than two factors of authentication, to create a truly multi-factor authentication process. 

Two-factor authentication best practices

In order to make two-factor authentication work, companies should follow these best practices:

  • Ensure multiple authentication methods are offered to end users; authentication using two of the same type of factor (such as two passwords for two knowledge challenges) is not considered two-factor authentication
  • Ensure that the authentication types are supported by the software the company uses
  • Ensure that the use cases for online and offline authentications are considered

Two-factor authentication vs. multi-factor authentication (MFA)

Two-factor authentication is a form of MFA.

Merry Marwig, CIPP/US

Merry Marwig is a senior research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.

Two-Factor Authentication Software

This list shows the top software that mention two-factor authentication most on G2.

Google Authenticator is a multi-factor app for mobile devices.

Duo is a cloud-based access security platform designed to protect access to any application, from any device. Duo's passwordless authentication, single sign-on (SSO), and user-friendly multi-factor authentication make secure logins easy for users, reducing friction in their workflow.

Two-factor authentication smartphone app for consumers, the simplest 2FA REST API for developers, and a strong authentication platform for the enterprise.

1Password remembers your passwords for you and helps you make them stronger. All your secrets are secure and always available, protected behind the one password that only you know.

LastPass business solutions help teams and businesses take control of their identity management with password management, single sign-on (SSO), and adaptive multi-factor authentication (MFA).

Google Workspace enables teams of all sizes to connect, create, and collaborate. It includes productivity and collaboration tools for all the ways we work: Gmail for custom business email, Drive for cloud storage, Docs for word processing, Meet for video and voice conferencing, Chat for team messaging, Slides for building presentations, shared Calendars, and many more.

Securely store, share, and manage your passwords, logins, credit card numbers, bank accounts, and private information in your encrypted digital vault.

Mailchimp is the number 1 email marketing and automation platform for growing businesses. More than 12 million businesses, including TEDTalks, Shutterstock, Boston Market, and Nikon India, trust Mailchimp to turn their emails into revenue.

Box lets you store all of your content online, so you can access, manage, and share it from anywhere. Integrate Box with Google Apps and Salesforce, and access Box on mobile devices.

Dropbox lets you save and access all your files and photos in one organized place and share them with anyone. Whether you run a solo business or lead a large, complex team, Dropbox helps your work flow better.

Okta is an on-demand identity and access management service for web-based applications, both in the cloud and behind the firewall.

Easy-to-use remote support and access software that lets you securely connect to and monitor desktop to desktop, desktop to mobile, mobile to mobile, or unattended devices such as servers and IoT devices from anywhere.

Microsoft Teams is a chat-based workspace in Office 365. It brings together people, conversations, and content along with the tools that teams need so they can easily collaborate and achieve more.

GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. More than two million people use GitHub to build amazing things together.

Zoho Vault is an online password management software that lets businesses securely store, share, and manage passwords and other sensitive data and access them from anywhere.

With Microsoft OneDrive, you can store any file on your SkyDrive and it is automatically available from your phone and computers. No syncing or cables needed.

PayPal for business has everything you need to sell online and in person. Grow your business with our payment solutions, from online checkout to POS systems.

Bitwarden is a free, open-source password manager.

Yubico YubiKey is a small USB and NFC device that supports multiple authentication and cryptographic protocols, protecting access to computers, networks, and online services for organizations.