Two-factor authentication (2FA) is a type of multi-factor authentication (MFA) used to verify users’ identities and provide an additional layer of account security. Users must enter two factors before they are allowed access to their online accounts to ensure they are who they claim to be.
2FA offers a greater level of security than single-factor authentication (SFA), which only relies on one factor, such as a password or passcode. Account security is especially important in today’s threat landscape, where hackers use a variety of sophisticated methods to gain unauthorized access to users’ sensitive data.
How Does 2FA Work?
2FA works by verifying users with two factors or authentication. Similar to SFA methods, the user will enter their username and password into the login field. The system will then prompt the user to enter a second factor, from one of the following categories:
- Knowledge factor (Something you know): e.g., a one-time password (OTP), a personal identification number (PIN), an answer to a security question
- Possession factor (Something you have): e.g. a mobile device or another physical device, a fob, a hardware token, a security token
- Inherence factor (Something you are): e.g. biometrics, such as fingerprint, facial recognition, retina scan
The use of two authentication factors provides additional account security. If a cybercriminal compromises one factor, such as a password, they aren’t likely to have access to the second factor. Without this factor, they remain locked out of the account.
Why is 2FA Important?
With data breaches costing organizations millions each year, adopting stricter data security practices is crucial. Further, US organizations must adopt zero trust architecture (ZTA) as a mandatory requirement under Joe Biden's Cybersecurity Executive Order.
ZTA assumes that no users are to be trusted until they provide sufficient authentication or verification before accessing sensitive data. 2FA is a security mechanism commonly used in zero trust architecture as it helps prevent hackers from gaining unauthorized access to privileged information.
How Does 24A Protect Sensitive Data?
2FA methods can help protect against the following cyber threats that lead to data breaches:
Cybercriminals can use stolen passwords to gain instant access to a user’s account. These passwords are often readily available on the internet through accidental data leaks that hackers then exploit for malicious purposes.
This practice is so common that Apple has even released a security feature that detects compromised passwords so iOS users can proactively change them. 2FA provides even greater security by preventing cybercriminals from hacking an account, even before the password is changed.
Social Engineering Attacks
A common phishing attack technique is to impersonate a legitimate service/app, lure users in, and encourage them to enter their login credentials. Cybercriminals then use these details to log in to users’ real accounts and compromise valuable personal data, such as credit card or bank account details.
2FA can thwart this process as hackers will be prompted to enter an additional verification factor that they do not possess.
Brute-force attacks occur when a hacker makes successive random guessing attempts on a user’s password until they crack the right one. 2FA prevents the completion of this process by prompting additional verification that cannot be guessed.
Keyloggers are a type of malware that can record users’ keystrokes, including when they enter usernames and passwords. Hackers use these stolen credentials to hack accounts and steal sensitive data. 2FA informs users of login attempts and access cannot be granted without the second factor of authentication.
Man-in-the-middle (MITM) attacks occur when an attacker intercepts and interferes with communication between a user and a web server. For example, if a user is entering their login credentials on a website and the hacker can eavesdrop on this data exchange to gain unauthorized access.
Even if an attacker intercepts these communications, they will still need additional verification to successfully hack the account if 2FA is enabled.
Types of 2FA
Below are the most common types of two-factor authentication.
Services that use SMS verification codes will send a text message to a user’s phone number when they attempt to log in. The SMS contains a one-time password (OTP) verification code that is used as the second factor to gain access.
SMS verification is convenient to access, as most smartphone users carry their devices at all times, but it is not particularly secure. Hackers can easily compromise SIM cards by hacking, cloning, or swapping them to intercept text messages.
Authentication Code Generation Apps
Many service providers that use two-factor authentication rely on third-party code authenticator apps, such as Google Authenticator, to generate the second factor of verification. Authenticator apps use an open standard, making them compatible with any third-party service provider on both Apple and Android devices. Users can link authenticator apps with these services by scanning a QR code on their mobile phones.
Apps like Google Authenticator provide greater security than other authentication code generation methods as each code times out after about 30 seconds to prevent compromise. They also come with account recovery codes in the event the user loses their device, which must be written down for future reference.
Physical authentication keys are a relatively new authentication medium. Hardware tokens, such as YubiKey, can be inserted directly into a device to facilitate 2FA. Yubikey is a small USB drive that operates as a security key with OTP-supporting services.
When a user attempts to log in to such a service, they insert the YubiKey into their device's USB port, enter their account password, and use the YubiKey to generate an OTP, completing the two-step verification process.
Hardware tokens are considered a more secure option as they communicate directly with web browsers, allowing them to verify login pages and prevent phishing attempts. Users may otherwise enter authentication codes in impersonator sites unknowingly. If hackers use these intercepted codes within the allowed timeframe, they can easily gain access to users’ accounts.
Many mobile apps now offer two-factor authentication within the app itself via push notifications. For example, Google allows users to verify computer logins by confirming their login attempts through the mobile app. Microsoft also provides a similar feature. Apple allows iOS users to verify logins on one device to access another connected iOS device.
Email Authentication Codes
Some online apps and services email authentication codes to users. While still a more secure authentication method than SFA, email accounts are quite an easy attack vector for hackers. Authenticator apps provide better data security for verification codes.