What is Two-Factor Authentication (2FA)?
Two-Factor Authentication (2FA) is a security process in which users provide two different authentication factors to verify themselves. This method is an extra layer of security designed to ensure that someone trying to gain access to an online account is who they say they are. The first factor is typically a password or personal identification number (PIN), and the second can vary from physical objects (like a smart card or a security token), to something biometric (like a fingerprint or facial recognition), or a location signal.
Elements of two-factor authentication
Two-Factor Authentication (2FA) typically involves combining two different types of authentication methods from the following categories.
Knowledge factor - something you know
This could be a password, PIN or answer to a security question.
Possession factor - something you have
This could be a physical token, such as a smart card or USB security key, or a virtual token generated by an authenticator app on a user's smartphone. These virtual tokens are called One-Time Passwords (OTPs) or Time-Based One-Time Passwords (TOTPs).
Biometric factor - something you are
Biometric information, such as a fingerprint, facial recognition or iris scan.
Location factor - somewhere you are
Your geographic location. Some apps and services are only accessible to users connecting from a specific geographic area. This factor is frequently used in zero-trust security environments.
Two-factor authentication (2FA) vs multi-factor authentication (MFA): What's the difference?
Two-factor authentication (2FA) is a security process that combines two different authentication factors. In contrast, multi-factor authentication (MFA) utilises two or more authentication factors, offering a higher level of security. Simply put, 2FA is a type of MFA, and MFA can demand more authentication steps than 2FA to further enhance security.
Two-factor authentication vs two-step verification: What's the difference?
Two-factor authentication (2FA) requires users to provide two distinct types of authentication credentials to verify their identity. These credentials derive from something the user knows (such as a password), something the user possesses (like a smartphone), or an intrinsic aspect of the user's biometrics (such as a fingerprint). 2FA therefore relies on two completely separate security layers, which strengthens the authentication process: even if one credential is compromised, the second still safeguards the account.
Conversely, two-step verification (also referred to as two-step authentication) requires users to complete two distinct steps to confirm their identity. Notably, these steps need not use different types of authentication credentials. For instance, the first step might be entering a password, followed in the second step by entering a temporary code sent to the user's mobile phone. The essential aspect of two-step verification is that it demands two separate actions, which need not involve different credential types.
| Feature | Two-factor authentication (2FA) | Two-step verification (2SV) |
|---|---|---|
| Definition | Requires two different types of authentication factors. | Requires two steps of verification, which could be from the same or different types of factors. |
| Authentication factors | Uses two different factors: something you know (password), something you have (security token, phone), or something you are (biometric verification). | May use two instances of the same type of factor (e.g., password followed by a code sent via SMS) or different types. |
| Security level | Generally considered more secure as it requires two distinct types of evidence from the user, making unauthorised access more difficult. | Provides additional security over a single password but can be less secure than 2FA if both steps use similar factors. |
Authentication methods for 2FA
There are various methods to implement Two-Factor Authentication (2FA), and each method is selected based on the user's needs and security requirements. Below are some common methods of 2FA.
1. SMS-based authentication
In SMS-based authentication, when a user attempts to log in, a temporary authentication code is sent from the server to the user's mobile phone. The user needs to enter this authentication code during the login process. The advantage of this method is that it can be easily implemented since most users have a mobile phone. However, there are security risks such as interception of SMS messages and SIM-swapping attacks, so this method is not recommended if other options are available.
2. Authentication apps
Using authentication apps (e.g., certain password managers, Google Authenticator, Authy) for 2FA is safer than SMS-based authentication. In this method, users generate a temporary authentication code using an authentication app on their smartphone. At the time of login, this code needs to be entered. The code rotates at a short, fixed interval, which limits the window in which a captured code is useful. Additionally, the app does not require an internet connection to generate codes, so it can be used in offline environments.
3. Physical security keys
Using physical security keys (e.g., YubiKey) allows users to authenticate by connecting a specific USB device or NFC device to their computer or smartphone. This method is considered very strong against phishing attacks. Since the security key is a physical possession, it effectively reduces the risk of unauthorised access, but the risk of losing the key also needs to be considered.
4. Biometric authentication
Biometric authentication uses the user's biometric information, such as fingerprints, facial recognition, or iris recognition, for authentication. This method is very convenient for users and provides high security. Biometric authentication is widely supported on mobile devices and some of the latest computers. However, since biometric information cannot be changed, the risk of information leakage must also be considered.