Two Factor Auth (2FA)

Overview

After many high-profile and widespread major data breaches – which have compromised millions of people – many people have come to understand more about password security and the fact that a simple password can’t keep their online profiles safe. That has led to the rise in the popularity of two-factor authentication, an additional layer of security that can keep online accounts secure.

Factors of Authentication

An authentication factor is a category of security credential used to verify a user's identity and authorization before allowing that user to gain access to their account, send communications, or request data from a secured network, system, or application.

There are three common factors of authentication: something you are, something you know, and something you have. Let's break them down further:

• Something you are. This type of 2FA includes biometric methods like fingerprint, retinal or facial scans, handwriting analysis, or voice recognition. Most modern smartphones use face recognition, laptops often use fingerprint readers and you might even be asked to enter a handprint if you buy a season pass to an amusement park. Although this type of 2FA provides the strongest authentication of any two-factor authentication method, it's not perfect. Anyone who's ever had a device with the capacity to scan faces or fingerprints has experienced the frustration of trying and failing to get their iPhone to accept their face or fingerprint knows that.

• Something you know. This might be the most common factor used in two-factor authentication. Generally, this will be a password or personal identification number (PIN). Unfortunately, these authentication factors are also the ones most vulnerable to security attacks. Many people use the same passwords on account after account, and if there's a breach on even one account, that means every account is compromised.

• Something you have. This type of factor is typically controlled through a device that is known to be in the possession of a rightful user (usually a smartphone). First, a user registers for an account with an email address and password, recording their phone number then. The user then logs into their account with that email address and password, at which point a one-time password is sent to the user's mobile phone number. Once the user enters that into their device, they gain access to their account and the system.

What Is Two-Factor Authentication?

Two-factor authentication (2FA) is a security process whereby users must provide two different authentication factors to verify their identity and access their account. This process ensures better protection of both a user's personal information, credentials, and other assets, while also improving the security around the resources the user can access.

Certainly, two-factor authentication provides a higher level of security than authentication methods that rely on only one authentication factor (single-factor authentication), where the user provides only one factor (usually a password or PIN). A 2FA method would require a user to provide not just a password or a PIN, but a second factor, ranging from a biometric factor (a facial, retinal, or fingerprint scan) to a possession factor (a one-time use code sent to a smartphone known to be in a user's possession).

That extra layer of security means that even if an attacker knows a user's password, they won't be allowed access to their online account or mobile device. In fact, two-factor authentication has long been used to control who can access sensitive data and systems, and security professionals urge enabling two-factor authentication on all your online accounts, computers, and mobile devices.

Two-factor authentication is a key component of cybersecurity and the work done by Cybersecurity Analysts.

What Does 2FA Mean?

Two-factor authentication (2FA) refers to a security method used to help protect accounts and systems from unauthorized access by requiring would-be users to provide some kind of extra verification of their identity.

Two-factor authentication can be used to strengthen the security of a phone, an online account, or even a door. It works by demanding two types of information from the user — the first factor is usually a password or personal identification number (PIN), while the second factor could be a fingerprint or a one-time code sent to your phone.

While two-factor authentication does improve security, it is not completely foolproof.

Two-Step Verification vs. Two-Factor Authentication

Although we often use two-factor authentication and two-step verification interchangeably and do seem to overlap considerably, they aren't quite the same.

Apple differentiates between two-step verification and 2FA by pointing to two-step verification as an older and inferior security method, where a user must enter both a password and a one-time code that has been sent to their iPhone or other trusted device.

Although that's a form of it, two-factor authentication also includes the authentication methods used on a modern iPhone – which are equipped with facial scan technology – and Macbooks, which can be accessed after a fingerprint scan.

What Is a Two-Factor Authentication Code?

A two-factor authentication code is a one-time code generated to prove a user's identity when they try to access an online account or system. The code would be sent via text message or by an automated phone call to a phone number associated with the user. Upon entering the two-factor authentication code, the user gains access to their online account.

These codes often expire after a short amount of time if not used.

Benefits of Two-Factor Authentication

The benefits of two-factor authentication are that it adds a much-needed extra layer of security against attacks and can boost the security for systems, companies, and regular people.

2FA delivers an extra layer of protection for users because a username and password are simply no longer enough. For one thing, identify theft is rising at an ominous rate. The 2018 Identity Fraud Study by Javelin Strategy & Research concluded the number of identity fraud victims increased by eight percent in 2017 alone, to 16.7 million U.S. consumers. The combined value of the fraud reached $16.8 million. Introducing non-password-dependent two-factor authentication greatly enhances security and reduces the risk of identity theft.

Further, the many data breaches we've seen the past few years has created a situation where millions of people unwittingly have their personal information (including their username and password) available for anyone to see. Further, many people use the same password across multiple sites, so a hacker could try using the same login info on a variety of different sites until finding one that works. Verizon's 2017 Data Breach Investigations Report found that 81 percent of account breaches could be put down to passwords that were either leaked in this way or passwords that were too weak and possible to guess.

Still, not enough people have adopted 2FA. Google, for instance, recently revealed that less than 10 percent of Gmail users make use of the available 2FA security measures to protect their accounts.

For companies, the benefits of adopting 2FA are obvious – no one can afford to overlook cybersecurity these days. Two-factor authentication can also help reduce IT costs. Password reset is one of the most common reasons people call helpdesks – a study by industry association HDI concluded that more than a third of help desk tickets involve password resets.

Please see our Cybersecurity Analyst career guide to read more about the benefits of cybersecurity and why it's important for organizations.

Can Two-Factor Authentication Be Hacked?

Although it is possible for two-factor authentication to be hacked, the odds are very low and 2FA is certainly the best practice when it comes to keeping accounts and systems secure. One way two-factor authentication could be hacked happens through the SMS method – or, in other words, the method by which a one-time use code is sent to a user's phone number via SMS or an automated phone call.

There have been stories of hackers tricking mobile phone carriers into transferring someone else's phone number to their own phone. The hackers contact the carriers pretending to be their victims, requesting a new SIM with the victim's number. They then have access to any authentication code sent to that phone number. Called SIM swapping, this is probably the most common way of getting around 2FA.

But carriers' own security processes are improving and even acknowledging those risks, 2FA remains a strong and essential tool in the fight against cyber-attacks and identity fraud.

Types of 2FA

There are several main types of 2FA in common use and it's worth knowing the differences and respective pros and cons of the different methods.

How Does 2FA Work?

Two-factor authentication works by adding another layer of security to online accounts and systems. 2FA works by demanding that any user attempting to log in pairs their first authentication factor — a password or personal identification number — with a second factor, which is typically something you know, something you have, or something you are. With 2FA, users will need to supply both of these factors to get access to their accounts or a system.

When implemented correctly, 2FA should make it impossible for hackers to access your account using only stolen passwords and login information. Although it isn't entirely impenetrable because hackers have developed some workarounds, 2FA certainly offers significantly more security than simply requiring a username or email address and password.

Examples of Two-Factor Authentication

If it's confusing to define the factors in 2FA as something you have, something you are, or something you know, it might help to look at some real-world examples of two-factor authentication.

"Something you are" typically gets us into the realm of biometrics, where computers use an element of your physical person (your fingerprint, face, voice, or retina, for instance) to prove your identity. If you've bought a phone in the last few years, chances are you can access it quickly after it scans your face or thumbprint – something that would have seemed like science fiction a couple of decades ago. There are legitimate doubts about biometrics – databases of physical data could be cracked just like any other list of passwords – but the user-friendly nature of biometric 2FA means it's here to stay.

Next, we can look at "something you have." One of the originators of this type of security factor was the RSA SecurID, a small device with a little screen displaying random numbers that changed periodically. Released in 1993, the device requires the user to have both a password and a number from their SecurID token at any given moment to log in. There are other gadgets that carry out this type of 2FA, including smartcards or a physical security key that connect to computers via USB or Bluetooth. Google uses them internally.

But most people don't have a specialized gadget like that, so there's another example of "something you have" when it comes to 2FA: your phone. Whenever you try to log in to your website and a special code is sent to your phone, that's 2FA in action. There are also apps that scan QR codes to prove your identity.

Finally, "something you know" might refer to a secondary password or a knowledge-based security question, like asking your mother's maiden name or the name of your childhood pet. Some would argue this is not true 2FA since any hacker who has your login information could just as easily have the answers to typical security questions.

Common Types of 2FA

With two-factor authentication gaining more and more widespread recognition as an absolute security must both for individuals and companies, it's worth looking at the most common types of 2FA:

SMS Text-Message and Voice-based 2FA

With SMS text-message and voice-based two-factor authentication, users provide phone numbers at the point of registration and whenever they need to log in to their account, a single-use code is generated and sent to the phone number they signed up with (either via a text message or an automated phone call).

Anyone who's spent any time on the Internet knows this is a very popular option because it's user-friendly and no special hardware is needed. While any form of 2FA is better than nothing, security experts are increasingly warning against this form of 2FA. The level of security simply isn't as high as with other forms of 2FA, because there are a variety of workarounds that hackers can use to compromise your account security.

For instance, attackers could get users to install a malicious app on their phone that can then read and forward SMS messages. Another exploit involves hacking the cellular service to redirect SMS messages by employing a variety of technical methods, or through social engineering.

Other downsides? Some people are uneasy about giving out their phone number to a website, app, or platform. And it's easy to understand their apprehension since many companies have misused this information with things like targeted advertising and conversion tracking. And allowing password resets based on a phone number provided for 2FA can be a serious password security problem, because attackers using phone number takeovers could gain access to your account even if they don't have your password.

SMS 2FA also won't work if your phone is dead or can't reach a mobile network. This can be a big problem for people traveling abroad.

Push Notification for 2FA

Anyone who is deep into the Apple ecosystem would be familiar with this type of two-factor authentication thanks to Apple's Trusted Devices method. This method sends a prompt to a user's various devices whenever a login attempt is made in that user's name. The prompt includes the estimated location of the login based on the IP address. With systems like this Trusted Devices method, the user then gets to decide whether to approve or deny the login attempt.

But for the Trusted Devices and other push notification systems (Duo Push is another example) to work, your device needs a data or Internet connection.

This method is slightly more convenient than having to deal with QR codes. Further, because these alerts usually show the estimated location of the login attempt – and since very few phishing attacks originate from the same IP address as the victim – this method may help you spot a phishing attack in progress.

Software tokens for 2FA / Authenticator App / TOTP 2FA

This form of 2FA requires that a user first download and install a two-factor authentication app on their phone or desktop. With any site that's compatible with the authenticator app, users can then first enter a username and password before going to the authentication app to find a software-generated, time-based one-time passcode (also called TOTP or software token) that they need to complete their login attempt.

Google Authenticator, Microsoft Authenticator, Duo Mobile from Duo Security, and FreeOTP are a few popular applications for this. The underlying tech for this style of 2FA is called Time-Based One Time Password (TOTP).

If a site offers this style of 2FA, it will reveal a QR code containing the secret key. You can scan that QR code into your application. The code can be scanned multiple times and you can save it to a safe place or print it out. Once the QR code is scanned, your application will produce a new six-digit code every 30 seconds, and you'll need one of those codes along with your user name and password to log in.

The benefit of this style of two-factor authentication is that you don't need to be connected to a mobile network. If a hacker redirects your phone number to their own phone, they still won't have your QR codes. But the downside is that if you log in frequently on different devices, it can be inconvenient to unlock your phone, open an app, and type in the code each time.

Hardware Tokens for 2FA

Perhaps the oldest form of 2FA, hardware tokens produce a new numeric code at regular intervals. When a user wants to access an account, they just need to check the device – they tend to be small, like a key fob – and enter the displayed 2FA code on the site or app. Other versions of this 2FA tech can automatically transfer a two-factor authentication code when you plug the security key into a USB port.

Typically, hardware two-factor authentication is more often used by businesses, but it can be implemented on personal computers as well. Big tech and financial companies are creating a standard known as U2F, and it's now possible to use a physical U2F hardware token to secure your Dropbox, Google, and GitHub accounts. This is just a small USB key you put on your keychain. When you want to log into your account from a new computer, you insert the USB key and press a button on it. It's as easy as that – no codes required. Someday, these devices should work with NFC and Bluetooth for communicating with mobile devices without USB ports.

The benefits of this method are that it's secure and doesn't require an Internet connection. The downside? It's expensive to set up and maintain, and the devices could go missing.

Biometric 2FA

Over the past two decades, biometric two-factor authentication has gone from something that still seemed like a science fiction dream to being so ubiquitous you probably haven't noticed how many of your devices you can access just by being you.

In biometric verification, the user becomes the token. A user's face, fingerprint, retina, or voice can become the 2FA token needed to prove their identity and gain access to their account.

Examples are everywhere. The newest iPhone is equipped with facial scanning technology and most other modern phones use that or fingerprint scans to allow users convenient and quick access. Many modern laptops similarly just need to see your fingerprint, and there are many other devices that can prove your identity by scanning your physical features or voice.

This is considered the most secure 2FA method and it's theoretically the most user-friendly since all it should require is being yourself. That said, these technologies are still improving and systems still sometimes struggle to confirm what should be a match.

The other drawbacks are that there can be privacy concerns around the storage of a user's biometric data. And special devices like scanners and cameras are needed for this method.

Other Forms of 2FA

Another common method is 2FA via email. The way that works is that an automated message is sent to a user's registered email address when there's a login attempt. Similar to an SMS or phone call, that email will either include a code or simply a link that when clicked will verify that it's a legitimate login attempt.

Just like 2FA via phone or SMS, this is easy to implement and intuitive for users and works on both computers and phones. But unlike the SMS and phone 2FA options, the user will need to be connected to the Internet to receive their code or activate their unique link.

Unfortunately, this is the least secure form of 2FA and is fading in popularity as a result. Password security is too widespread a problem for this to be effective; despite years of warning, many people use identical passwords across many accounts and devices, and it's possible or even likely that their login information for the account they're trying to access and their email address is identical.

There are other problems. There's a good chance the email could end up in a junk or spam folder, and if hackers have the correct password for someone's online account, there's a good chance they might have their email password as well.

How to Get 2FA

Your account security is vital, so most sites, apps, and devices now offer some form of two-factor authentication, although how to get 2FA varies depending on the platform, device, or website in question.

Apple can take you through the process of turning on two-factor authentication for all of its devices, though the feature can be found under Password & Security in the settings of an iPhone or System Preferences on a Mac. Google, Facebook, Amazon, Twitter, Reddit, and many other popular sites offer guides on how to set up two-factor authentication on your account.

How to Enable 2FA

To enable 2FA, you could either go into the system preferences or settings of all your devices and online accounts and turn on two-factor authentication where possible, or you could download and install an authenticator app.

Getting an authenticator app (also known as an authentication app) is one way to be proactive about taking charge of your online security. Once linked to your accounts, the authenticator app displays a constantly changing set of codes to utilize whenever needed, even without an Internet connection. The leader in the authentication app sphere is Google Authenticator, while other options include Twilio Authy, Duo Mobile from Duo Security, and LastPass Authenticator. Most password managers also offer two-factor authentication by default.

You should know that setting up 2FA can sometimes break access within some older services, forcing you to rely on app passwords. Used by companies including Facebook, Microsoft, and Yahoo, app passwords are generated on the main site to use with a specific app.

Remember this as you panic over how hard this all sounds: being secure isn't easy. The bad guys count on you being lax in protecting yourself. Implementing two-factor authentication will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid serious theft, be it of your identity, data, or money.

The Future of Two-Factor Authentication

Although 2FA absolutely boosts security overall, the future of two-factor authentication must be based around creating even more secure systems that are free of the weak spots that still exist now.

When 2FA Has Failed

We don't have to look far for examples of 2FA being compromised. Twitter CEO Jack Dorsey had his account hacked in August 2019, and the rude messages posted to his account were not a good advertisement for their 2FA security system. A month later, there were reports that 23 million YouTube influencers were hacked despite employing 2FA because the hackers used a reverse proxy toolkit to intercept two-factor authentication codes sent using SMS. The cryptocurrency exchange Binance had their 2FA system compromised and lost tens of millions.

One of the easiest and most common methods of hacking a 2FA system is to perform a sim-swap. In this scenario, a hacker could employ any number of methods to change victims' phone numbers so that any subsequent messages or phone calls – for instance, one with a 2FA code – would be redirected to the new phone. That's one reason experts are increasingly urging a move away from SMS and phone call-based 2FA systems.

Some two-factor authentication systems have also been known to be compromised by malware. Even an authenticator app as widely used as Google Authenticator isn't perfect – in February 2020, a type of Android-based malware was found to have stolen 2FA codes. TrickBot malware is another workaround to two-factor authentication, intercepting the one-time codes used by banking apps, sent by SMS and push notifications.

Another way 2FA security is currently vulnerable? In social engineering scenarios, a hacker could contact a target posing as, for instance, their bank, before asking to confirm the victim's identity by quoting the secure code that was just sent to them.

Biometric Methods Will Only Improve

For those reasons and more, many security experts believe the future of 2FA lies in the expansion of biometric security.

In a very short period of time, biometric security has changed from futuristic fantasy to become a ubiquitous part of our lives. Examples of biometric 2FA are literally all around you. You're using biometric two-factor authentication any time your bank verifies your ID through your voice, your phone logs you in as soon as it scans your face, and you can sign onto your laptop with the press of a fingertip.

In the future, biometric 2FA will have to get even better, more sensitive, and seamless. Biometric two-factor authentication systems have proven to be less-than-infallible. As just one example, there have been instances of facial recognition technology being fooled by 3D renderings of Facebook photos.

But since biometric 2FA is ubiquitous, it's also true that everyone who has used it has at some point dealt with false negatives, and possibly even false positives. False positives occur when a match is made where there isn't one, happening most often with facial recognition. False negatives occur when a match isn't made despite being true. This is especially vexing with fingerprint scanners, where the slightest dampness on a finger can wreak havoc. And many people, for various reasons, simply don't have easily read fingerprints.

Gradually, smart devices will get more and more sophisticated and biometric authentication will get smoother and faster. Cameras will get more and more high resolution, and infrared technology is somewhere on the horizon too. Eventually, expect to see more of a focus on iris scanning, considered one of the most secure forms of identity authentication.

Multi-Factor Authentication and Databases

If two-factor authentication seemed like an inconvenience to you, it might not be welcome news that the future is likely to include an increasing focus on multi-factor authentication. Combining three (or more) levels of authentication with some form of biometrics would provide a robust level of security that simple 2FA couldn't. Organizations, where systems contain sensitive information, are likely already employing multi-factor authentication, and more will adopt it soon.

How those organizations store that information is another area that's likely to evolve over time. Many security experts believe that any device-based authentication method is ultimately insufficient. Instead, they recommend that organizations should consider securely storing and authenticating identities in a centralized database. That might not be possible yet for many companies, but the rise of biometric authentication has shown just how quickly these technologies can evolve and become a huge part of our everyday lives.