Two-Factor Authentication is an extra layer of security that requires more than just the user’s name and password. To gain access, the user must also present something through a different channel, such as a token, a fingerprint, a web cookie, or a code from a text message or an authentication application like Google Authenticator. Two-Factor Authentication is abbreviated 2FA (or TFA) and is also called Two-Step Verification. For comparison, Single-Factor Authentication (SFA) requires only your username and password; it is still the most common form of access control because of its low cost and ease of use, but a hacker can breach most password-based security systems easily.
2FA’s extra security step makes it harder for a hacker to gain access to your account because they need to “hack” two methods, the first being your username and password, and the second being the token or your phone. Creating a “physical barrier” in security makes it much harder for hackers to gain access to your accounts and steal your personal data or identity. It is not hard for a hacker to purchase your login credentials to your email on the Dark Web (and it isn’t that expensive), but gaining access to your account with 2FA in place is more difficult because the hacker also needs to intercept the verification codes sent to your phone. Some websites send a new verification code every time a user tries to access the account and others send codes only when the user attempts to make a change, such as the username, password, or email associated with the account. (Google Authenticator codes reset every 30 seconds.)
However, this extra step does slightly impede the user experience, and it can cause a delay when a physical token is used, because of the time the token spends in transit. You have probably already experienced this delay without noticing or minding it, because popular services like Facebook, Twitter, Apple, Google, Microsoft, and Amazon all use Two-Factor Authentication to verify the user’s identity when the account is set up and later to prove that the right user is accessing it. When you are asked to enter your zip code into a credit card terminal, Two-Factor Authentication is being used: approving the purchase requires both possession of the physical card and knowledge of your address.
Two-Factor Authentication also combats phishing attacks where a hacker will email you a faux message that looks very similar to an email you’d expect, such as from your bank, friend, boss, or web service like Dropbox or Netflix. Even though the email looks similar, the links in the email go to a malicious website where the hacker wants you to enter your username and password. With 2FA, the hacker still can’t make changes to your account or extract sensitive data without having that second level of access via the token, fingerprint, or text message.
Different Categories of Authentication
This second layer of security usually comes in three variations:
- Knowledge-based – Information the user knows, such as a mother’s maiden name, the street they grew up on, or the name of a childhood pet, or a password or PIN
- Possession-based – Something the user has such as a security token, ID card, RFID card, key fob, or smartphone
- Biometrics-based – A user’s fingerprint, iris scanning, facial recognition, or vocal scanning
Security professionals can add further protection by restricting where and when a user is allowed to access the system. For example, your bank may not allow you to transfer money at 2am or from outside the country without additional verification. Because multiple layers of verification can be applied to a user, the term Two-Factor Authentication is limiting, and the broader term is Multifactor Authentication (MFA).
When given the option as a user, always choose to use multiple layers of security such as Two-Factor Authentication because it will better protect your identity and data. You can find a list of companies that offer 2FA at https://twofactorauth.org/.