Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is a security procedure in which users submit two distinct authentication factors in order to be verified.
2FA is used to safeguard both a user’s credentials and the resources that the user has access to. Two-factor authentication provides a higher degree of security than single-factor authentication (SFA), which requires the user to submit only one factor, generally a password or passcode. Two-factor authentication techniques rely on the user giving a password as the first factor and a second, distinct element – often a security token or a biometric factor, such as a fingerprint or face scan.
Two-factor authentication provides an extra layer of protection to the authentication process by making it more difficult for attackers to obtain access to a person’s devices or online accounts because a password alone is not enough to pass the authentication check, even if the victim’s password is compromised.
How does 2FA work?
- The program or website prompts the user to log in.
- The user inputs what they know, which is usually their username and password. The server finds a match and recognizes the user.
- The user is then prompted to begin the second login stage. Although this stage can take several forms, the user must demonstrate that they have something that only they have, such as biometrics, a security token, an ID card, a smartphone or other mobile device. This is the factor of inherence or possession.
- The user may then be required to input a one-time code produced during the previous step.
- The user is authenticated and provided access to the application or website after supplying both factors.
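As an added example (not part of the original article), here is a minimal Python implementation of the two-step flow described above. The knowledge factor is a password checked against a salted PBKDF2 hash; the possession factor is a six-digit one-time code of the kind an authenticator app produces. The article does not name a code generator, so TOTP (RFC 6238, built on HOTP from RFC 4226) is assumed here. The user record, salt, secret and password are constructed for the demo; a real deployment would generate the secret per user at enrolment.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user store. In practice this is a database row per user;
# the TOTP secret is shared once with the user's authenticator app at enrolment.
USER_DB = {
    "alice": {
        "salt": b"constructed-demo-salt",
        "pw_hash": None,                              # filled in below
        "totp_secret": b"constructed-demo-totp-secret-0001",
        "last_counter": -1,                           # last accepted time step (replay guard)
    }
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: slow, salted hash so a stolen table is hard to reverse."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USER_DB["alice"]["pw_hash"] = hash_password("correct horse battery staple", USER_DB["alice"]["salt"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time // step), digits)


def check_first_factor(username: str, password: str) -> bool:
    """Step two of the flow: verify what the user knows."""
    user = USER_DB.get(username)
    if user is None:
        hash_password(password, b"dummy-salt")  # keep timing similar for unknown users
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def check_second_factor(username: str, code: str, now: float = None, step: int = 30, skew: int = 1) -> bool:
    """Steps three and four: verify the one-time code from something the user has.

    Accepts codes from `skew` steps either side of the current one to tolerate
    clock drift, and never accepts a time step that has already been used.
    """
    user = USER_DB[username]
    now = time.time() if now is None else now
    current = int(now // step)
    for counter in range(current - skew, current + skew + 1):
        if counter <= user["last_counter"]:
            continue  # already consumed: reject replay of an intercepted code
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


def login(username: str, password: str, code: str, now: float = None) -> str:
    """Full two-step login; returns "ok", "bad_password" or "bad_code"."""
    if not check_first_factor(username, password):
        return "bad_password"
    if not check_second_factor(username, code, now=now):
        return "bad_code"
    return "ok"


if __name__ == "__main__":
    t = 1_700_000_000
    good_code = totp(USER_DB["alice"]["totp_secret"], t)  # what the app would display
    print(login("alice", "wrong password", good_code, now=t))                 # bad_password
    print(login("alice", "correct horse battery staple", good_code, now=t))   # ok
    print(login("alice", "correct horse battery staple", good_code, now=t))   # bad_code (replay)
```

The `last_counter` field is the part most often left out of hobby implementations: without it, a code captured over the shoulder or by malware on the phone stays valid for the whole skew window, which is exactly the interception risk the later section on SMS codes describes.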
What are the authentication factors for 2FA?
- A knowledge factor is anything that the user is aware of, such as a password, personal identification number (PIN), or other sort of shared secret.
- To authorize authentication requests, a possession factor is something the user possesses, such as an ID card, a security token, a telephone, a mobile device, or a smartphone app.
- A biometric factor, also known as an inherence factor, is anything inherent in the physical self of the user. This includes traits mapped from physical features, such as a fingerprint confirmed by a fingerprint reader. Facial and voice recognition, as well as behavioural biometrics such as keystroke dynamics, gait, or speech patterns, are other commonly used inherence factors.
- A location factor is derived from the place from which an authentication attempt is made. It can be enforced by limiting authentication attempts to specific devices in a specific location, or by tracking the geographic source of an attempt from its source Internet Protocol address or from other geolocation information obtained from the user’s mobile phone or other device, such as Global Positioning System (GPS) data.
- A time factor limits user authentication to a defined time frame for logging on and prevents access to the system outside of that window.
Is 2FA Secure?
While two-factor authentication improves security, 2FA methods are only as strong as their weakest link. Hardware tokens, for example, rely on the issuer’s or manufacturer’s security. In 2011, security firm RSA Security disclosed that its SecurID authentication tokens had been compromised, making it one of the most high-profile incidents involving a breached two-factor system. The account recovery procedure itself can also be subverted to circumvent two-factor authentication, because it often resets the user’s current password and emails a temporary password that allows the user to log in again, bypassing the 2FA process. The corporate Gmail accounts of Cloudflare’s chief executive were compromised in this manner.
Although SMS-based 2FA is affordable, simple to set up, and deemed user-friendly, it is vulnerable to a variety of attacks. In its Special Publication 800-63-3: Digital Identity Guidelines, the National Institute of Standards and Technology (NIST) discourages the use of SMS in 2FA services. NIST stated that SMS-based OTPs are too vulnerable to mobile phone number portability attacks, mobile phone network attacks, and malware that may be used to intercept or reroute text messages.
Three-factor authentication, which typically combines possession of a physical token and a password with biometric data such as fingerprint scans or voiceprints, may be of use in environments requiring enhanced security. Geolocation, device type, and time of day are also used to help determine whether a user should be authenticated or restricted. Furthermore, behavioural biometric indicators such as a user’s keystroke length, typing speed, and mouse movements can be tracked discreetly in real time to enable continuous authentication rather than a single check at login. While using passwords as the primary means of authentication is ubiquitous, it frequently does not provide the security or user experience that businesses and their users require. Even though legacy security products such as password managers and MFA attempt to address username and password issues, they still rely on an essentially obsolete architecture: the password database.