Two-factor authentication
Two-factor authentication (2FA) is an authentication scheme designed to enhance account security. Instead of using a single authentication factor — such as a password — 2FA requires the user to provide two different types of authentication factors to gain access to their account.
2FA is a special case of multi-factor authentication (MFA). 2FA requires exactly two different types of factors, while MFA uses two or more types.
What are Authentication Factors?
Authentication factors are something that can be used to prove a person’s identity. Most 2FA systems use authentication factors from the following categories:
- Something You Know: Passwords, PIN numbers, security questions, and other knowledge-based factors require the user to provide a secret to authenticate themselves.
- Something You Have: An authentication system may send a one-time password (OTP) to a smartphone or require the user to have a smartphone or hardware token to authenticate to the system.
- Something You Are: Biometric authentication factors measure the unique features of a person. These could be physical features — such as fingerprints, faces, voices, or irises — or behavioral features — such as how someone walks.
While these are the most common types of factors, other types are possible as well. For example, some MFA systems may use “somewhere you are” or geolocation information as another authentication factor.
How Does 2FA Work?
A 2FA system uses two factors of different types to authenticate a user. For example, the security of a password-based authentication system may be augmented by requiring an OTP that is generated by an authenticator app or hardware token. Alternatively, the system could combine factual recognition (“something you are”) with a PIN (“something you know”).
With 2FA, it is important to ensure that the authentication factors are of different types. For example, combining a password with a security question or PIN isn’t 2FA because these are both knowledge-based factors. Also, having OTPs sent to an email account may not actually be 2FA if both the primary authentication factor and the email account use passwords.
Why Use 2FA?
2FA is increasingly popular due to concerns about the security of single-factor authentication systems. While passwords are secure in theory, many people choose passwords that are weak and easily guessable or that are used across multiple different accounts. This makes it easy for an attacker to access an account by guessing a password or trying passwords exposed in a breach on other online accounts.
2FA increased the security of online accounts by using multiple different types of factors. While a password may be guessable, it’s harder to steal a securely-generated OTP or defeat a facial recognition system. By requiring an attacker to steal multiple types of factors, 2FA increases the complexity of gaining access to a user’s account.
Conclusion
Two-factor authentication improves authentication security by requiring a user to provide two different types of authentication factors to gain access to their account. This helps to bolster the security of less-secure authentication systems — such as password-based authentication — because it is theoretically more difficult for an attacker to steal multiple factors of different types.