Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.
2FA is implemented to better protect both a user’s credentials and the resources the user can access. It’s typically used as part of a broader effort to prevent data breaches and the potential loss of personal data.
Two-factor authentication provides a higher level of security than methods that depend on single-factor authentication (SFA). With SFA, the user provides only one authenticating factor, typically a password or passcode. Two-factor authentication methods rely on a user providing a password as the first factor and a second factor that’s different from the initial factor, usually either a security token or a biometric factor such as a fingerprint or facial scan.
Two-factor authentication adds an extra layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts. Even if the victim’s password is hacked, a password alone isn’t enough to pass the authentication check.
Two-factor authentication has long been a cybersecurity strategy to manage account security by controlling access to sensitive systems and data. Online service providers are increasingly using 2FA to protect users’ credentials from being used by hackers who stole a password database or used phishing attacks to obtain user passwords.
There are several ways in which someone can be authenticated using more than one authentication method. Most authentication methods rely on knowledge factors, such as a traditional password. Two-factor authentication methods add either a possession factor or an inherence factor.
Authentication factors, listed in approximate order of adoption for computing, include the following:
Most two-factor authentication methods rely on knowledge, possession and biometric authentication factors. Systems requiring greater security use multifactor authentication (MFA), which relies on additional independent credentials for more secure authentication.
Enabling two-factor authentication varies depending on the specific application or vendor. However, two-factor authentication processes involve the same general, multistep process:
Two-factor authentication is a form of MFA. Technically, it’s in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn’t constitute 2FA. For example, requiring a password and a shared secret is still considered SFA as they both belong to the knowledge authentication factor type.
SFA that relies on usernames and passwords isn’t the most secure. One problem with password-based authentication is that it requires knowledge and diligence to create and remember strong passwords. Passwords require protection from insider threats, such as carelessly stored sticky notes with login credentials and carelessly discarded hard drives. Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks as well as social engineering exploits.
Given enough time and resources, an attacker can usually breach password-based security systems and steal corporate data. Passwords have remained the most common form of SFA on laptops and other devices because of their low cost, ease of implementation and familiarity.
Multiple challenge-response authentication questions can provide more security depending on how they are implemented. Standalone biometric verification methods can also provide a more secure method of SFA.
Adaptive multifactor authentication introduces a gatekeeper element into the process. The authentication system has knowledge of specific characteristics or patterns associated with a specific user. The process of authenticating a user’s identity starts when a user interacts with the adaptive authenticator app. The app analyzes the user’s known characteristics and behavior (for example, how many prior access requests have been made, or a time-based analysis of when the requests were made) to determine if a match can be made. Once a match is confirmed, the user proceeds to the next step in the authentication or access process.
There are many different devices and services for implementing 2FA, from tokens to radio frequency identification cards to smartphone apps.
Two-factor authentication products make use of two basic features:
Authentication tokens can be physical devices, such as key fobs or smart cards, or software, such as mobile or desktop apps that generate PIN codes for authentication. These authentication codes are known as one-time passwords (OTPs). The authentication code is a short sequence linked to a particular device, user or account and can be used only once as part of an authentication process. Servers generate OTPs, and authentication devices or apps are used to recognize them as authentic.
Organizations need to deploy a system to accept, process, and allow or deny access to users authenticating with their tokens. These systems can be deployed in the form of server software or as a dedicated hardware server. Third-party vendors also provide authenticating services.
An important aspect of 2FA is ensuring the authenticated user is given access to all resources they’re approved for and only those resources. As a result, one key function of 2FA is linking the authentication system with an organization’s authentication data.
Microsoft, for instance, supports 2FA in Windows 10 using Windows Hello, a non-password option for Microsoft accounts. It also authenticates users through Microsoft Active Directory, Azure AD and the Fast IDentity Online 2 authentication protocol.
Hardware tokens for 2FA are available supporting different approaches to authentication. One popular hardware token is Yubico’s YubiKey, a USB device that supports OTPs, public key encryption and authentication, and the Universal 2nd Factor protocol developed by the FIDO Alliance.
When users with a YubiKey log in to an online service that supports OTPs, such as Gmail, GitHub or WordPress, they insert their YubiKey into the USB port of their device, enter their password, click on the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and enters it in the field.
The OTP is a 44-character, single-use password. The first 12 characters are a unique ID that represents the security key registered with the account. The remaining 32 characters contain information that is encrypted using a key known only to the device and Yubico’s servers, established during the initial account registration.
The OTP is sent from the online service to Yubico for authentication. Once the OTP is validated, the Yubico authentication server sends back a message confirming that the token is valid for the user, and the 2FA process is complete. The user has provided two factors of authentication: the password is the knowledge factor, and the YubiKey is the possession factor.
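As an added example (not code from the article or from Yubico), the structural checks a service should run on a YubiKey OTP before forwarding it to the validation server: the modhex alphabet, the 44-character length, the 12/32 split described above, and binding the public ID to the account that is logging in. The registration table and the sample OTP are constructed placeholders, and the AES decryption of the last 32 characters is left to Yubico's server because it needs the per-key secret the service never holds.

```python
# Added example: relying-party checks on a YubiKey OTP (standard library only).
MODHEX_ALPHABET = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-safe hex alphabet
OTP_LEN, PUBLIC_ID_LEN = 44, 12


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string into bytes (two characters per byte)."""
    if len(s) % 2 or any(ch not in MODHEX_ALPHABET for ch in s):
        raise ValueError("not valid modhex")
    nibbles = [MODHEX_ALPHABET.index(ch) for ch in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def parse_yubikey_otp(otp: str) -> dict:
    """Split a 44-character OTP into its 12-char public ID and 32-char encrypted part."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN or any(ch not in MODHEX_ALPHABET for ch in otp):
        raise ValueError("OTP must be 44 modhex characters")
    public_id, encrypted = otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]
    return {
        "public_id": public_id,
        "ciphertext": modhex_decode(encrypted),  # 16 bytes of AES-128 ciphertext
        "otp": otp,
    }


# Constructed registration table (placeholder public ID, not a real key):
# which YubiKey public ID was enrolled for which account.
REGISTERED_KEYS = {"alice": "cccccccccccc"}


def otp_belongs_to_account(username: str, otp: str) -> bool:
    """Reject an OTP from a key other than the one enrolled for this account.

    Without this binding, a valid OTP from any YubiKey would satisfy the
    possession factor for any user, even after Yubico confirms it is genuine.
    """
    try:
        fields = parse_yubikey_otp(otp)
    except ValueError:
        return False
    return REGISTERED_KEYS.get(username) == fields["public_id"]
```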
A trusted mobile device is one that a specific user controls and regularly uses for transactions requiring secure access. The authentication system knows the device and, with that knowledge, uses it to bypass steps in the authentication process. For instance, a trusted phone number can be used to receive verification codes by text message or automated phone call. A user must verify at least one trusted phone number to enroll in mobile 2FA.
Smartphones offer a variety of 2FA capabilities, enabling companies to use what works best for them. Some devices can recognize fingerprints, use the built-in camera for facial recognition or iris scanning, or use the microphone for voice recognition. Smartphones equipped with GPS can verify location as an additional factor. Voice or Short Message Service (SMS) can also be used as a channel for out-of-band authentication.
Apple iOS, Google Android and Windows 10 all have apps that support 2FA, enabling the phone to serve as the physical device to satisfy the possession factor. Platforms such as Cisco Duo, Okta Multifactor, RSA Security SecurID and YubiKey let customers use their trusted devices for 2FA. They establish that a user is trusted before verifying that the mobile device can also be trusted as an authentication factor.
Authenticator apps replace the need to obtain a verification code using text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password as their knowledge factor. They are then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, an authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, users complete the verification process and prove possession of the correct device, which is their possession factor.
The following are open standard authentication protocols that form the basis for different authentication tools that support 2FA:
A push notification is passwordless authentication that verifies a user by sending a notification directly to a secure app on the user’s device, alerting the user that an authentication attempt is happening. The user can view details of the authentication attempt and either approve or deny access, typically with a single tap. If the user approves the authentication request, the server receives that request and logs the user in to the web app.
Push notifications authenticate the user by confirming that the device — usually a mobile device — registered with the authentication system is in the user’s possession. If an attacker compromises the device, the push notifications are also compromised. Push notifications eliminate threats such as unauthorized access, social engineering and man-in-the-middle attacks.
While push notifications are more secure than other forms of authentication, there are security risks. For example, users can accidentally approve a fraudulent authentication request because they are used to tapping approve when they receive push notifications.
Two-factor authentication improves security, but these systems are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer. One of the most high-profile cases of a compromised two-factor system occurred in 2011 when security company RSA reported its SecurID authentication tokens had been hacked.
The account recovery process in these systems can also be subverted when it’s used to defeat two-factor authentication. Recovery processes often reset a user’s current password and email a temporary password to enable the user to log in again, bypassing the 2FA process. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.
Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it’s vulnerable to numerous attacks. The National Institute of Standards and Technology (NIST) has discouraged the use of SMS in 2FA services in its “Special Publication 800-63-3 (2023): Digital Identity Guidelines.” NIST concluded that OTPs sent via SMS text are too vulnerable due to mobile phone number portability attacks, attacks against the mobile phone network and malware that can be used to intercept or redirect text messages.
Environments that require higher security are starting to use three-factor authentication. It typically involves possession of a physical token and a password used in conjunction with biometric data, such as fingerprint scans or voiceprints. Factors such as geolocation, type of device and time of day are also used to determine whether a user should be authenticated or blocked.
Other authentication factors emerging include behavioral biometric identifiers, such as a user’s keystroke length, typing speed and mouse movements. These are discreetly monitored in real time to provide continuous authentication instead of a single one-off authentication check during login.
Relying on passwords as the main method of authentication is common. But it often no longer offers the security or user experience that companies and their users demand. Even though legacy security tools, such as a password manager and MFA, attempt to deal with the problems of usernames and passwords, they depend on an essentially outdated architecture: the password database.
Consequently, many organizations are turning to passwordless authentication. Methods such as biometrics and secure protocols let users securely authenticate themselves in applications without having to enter passwords. For businesses, this means employees can access their work without passwords while IT still maintains control across every login. In addition, blockchain use has brought attention to decentralized identifiers and self-sovereign identity as alternatives to traditional authentication methods.
All Rights Reserved, Copyright 2000 – 2024, TechTarget