What Is Two Factor Authentication?
Two-factor authentication (2FA), a type of multi-factor authentication (MFA), is a security process that cross-verifies users with two different forms of identification, most commonly knowledge of an email address and proof of ownership of a mobile phone.
Used on top of the regular username/password verification, 2FA bolsters security by making it more difficult for intruders to gain unauthorized access, even if a perpetrator gets past the first authentication step (e.g., brute forces a username and password).
Today, 2FA is commonly employed in online banking websites, social media platforms and e-commerce sites as a way to harden access controls to the more sensitive areas of a web application (e.g., admin panels or areas that store credit details and/or personal data).
Two-factor authentication also enables businesses and public institutions to be more productive and efficient, allowing employees to perform remote tasks with far less security concerns.
Two Factor Authentication vs. Two Step Authentication
Before diving in, let’s take a quick moment to clear up some confusion between two-factor authentication and two-step authentication. They’re similar, but not quite the same — one’s a square, the other a rectangle.
Two-factor authentication is when you protect an account with two factors. A factor is either “something you know” (e.g. password), “something you have” (e.g. phone), or “something you are” (e.g. fingerprint). To truly be protected by two-factor authentication, your account must require two locks of different factors before granting access.
If an account is protected by two locks of the same factor, then it falls under two-step authentication (or two-phase authentication). For example, a password and a security question are both “something you know,” making authentication two-step but not two-factor. Though this can still provide adequate protection, two-factor authentication is preferable.
Just as a square is a rectangle but a rectangle isn’t a square, two-factor authentication is a type of two-step authentication but not the other way around.
Two Factor Authentication Methods
Two-factor authentication isn’t foolproof and there are risks to two-factor authentication. But even with these downsides, using two-factor authentication is miles better than going without it. Just because burglars can bust through a window doesn’t mean you’ll stop locking your doors, right? Of course not.
But here’s the thing: not all two-factor authentication methods are equal. Some are demonstrably safer and more secure. Here’s a look at the most common methods and which ones best meet your individual needs.
1. Security Questions
When creating an account, you choose one or more security questions and set answers for each one. When logging into that account, you have to provide the right answer to each question to validate that you have rightful access.
Pros: Security questions are extremely easy to set up. Most of the time, the service provides a dropdown menu of questions. All you have to do is pick one and give the answer. You don’t need any other equipment, devices, etc. The answer is just stored in your head.
Cons: Many security question answers can be found in public records (e.g. your father’s middle name) or socially engineered (e.g. phishing emails or phone calls). To get around this, you can make your answer gibberish and effectively make it a second password. But you should be careful that you don’t lose it or forget it!
2. SMS Messages
When creating an account, you provide your mobile phone number. Whenever you want to log in, the service sends you an SMS message with a verification code that expires (usually after 15 minutes). You have to input that number to complete the logging in process.
Pros: SMS messages are extremely convenient. These days, pretty much everyone has an SMS-capable device and can receive SMS messages free of charge. Usually the messages arrive instantly, but even when they don’t it rarely takes more than a few minutes. If you ever lose your device, you can transfer your phone number. So you will never be permanently locked out.
Cons: You have to trust the service enough to share your phone number. Some disreputable services may use your number for advertising, or sell it off for monetary gain. And since phone numbers aren’t actually tied to devices, hackers can actually circumvent SMS-based authentication without ever touching your phone (though it isn’t easy).
3. Time-Based One-Time Passwords
When you create an account, you’re assigned a “secret key.” After installing a code-generating app (like Google Authenticator or its alternatives), you scan a QR code to load the secret key into the app. It then generates one-time passwords every so often (e.g. 30 seconds) using the secret key as a seed, and you need these one-time passwords to log in.
Pros: The codes are generated based on a mixture of the secret key and the current time, which means you can get valid codes on your device even when you have no reception and/or no mobile service. And since the secret key is stored on the device itself, it can’t get intercepted or redirected (such as through a phone number takeover).
Cons: You will be unable to log in if your device runs out of battery or dies altogether. Sometimes internal clocks can desync between device and service, which results in invalid codes. These are two reasons why printing backup codes is essential.
If a hacker somehow clones your secret key, then they can generate their own valid codes at will. And if the service doesn’t limit login attempts, hackers may still be able to compromise your account through sheer brute force.
4. U2F Keys
Universal 2nd Factor (U2F) is an open standard that is used with USB devices, NFC devices, and smart cards. In order to authenticate, you simply plug it in (for USB keys), bump it (for NFC devices), or swipe it (for smart cards).
Pros: A U2F key is a true physical factor. Unlike SMS codes, they can’t be intercepted or redirected. And unlike most two-factor methods, U2F keys are phishing-proof because they’re only registered to work with sites you’ve registered. It’s one of the most secure 2FA methods currently available.
Cons: Because U2F is a relatively new technology, it isn’t yet widely supported. For example, as of this writing, NFC keys only work with Android mobile devices whereas USB keys mainly work with the Chrome browser (Firefox is working on it). U2F keys also cost money, often between $10-$20 but could go higher depending on how rugged you want it to be.
5. Face, Voice, Fingerprint
Facial recognition, voice recognition, and fingerprint scans all fall under the category of biometrics. Systems use biometric authentication when it is imperative that you really are who you say you are, often in areas that require security clearance (e.g. the government).
Pros: Biometrics are extremely difficult to hack. Even a fingerprint, which is arguably the easiest to copy, requires some kind of physical interaction. Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn’t unbreakable, but pretty close.
Cons: The biggest downside, and the reason why biometrics are rarely used as a two-factor method, is that a compromised biometric is compromised for life. Plus, how comfortable would you feel giving up your face, voice, or fingerprints? Would you trust them to be kept safe? Most wouldn’t.
6. Programmable Hardware Tokens Protectimus Slim NFC
The main purpose of this token’s creation was to obtain a more universal and safe replacement to OATH-compliant code generation applications, such as Google Authenticator, Authy, Protectimus Smart, etc.
- The main advantage of such two-factor authentication solution lies in the fact that the token can be flashed an unlimited number of times upon changing the secret key. Thus you may use it on the websites that offer only mobile authentication, change the secret key if necessary, as well as reassign it to another service if you wish.
- High level of security, since the contactless token is invulnerable to malicious code injections.
- There is no need to connect the token to any port. Hence no need to disconnect it when moving away from the workstation.
- Ability to change the secret key and reflashing the token takes only three minutes.
- More versatile and less expensive, in comparison with U2F keys option (up to 40% difference in price when characteristics are comparable).
- You can order custom branding even when ordering the single token.
- The built-in battery lasts about five years, after which the token needs to be replaced.
- Some restrictions on the size of passwords (only secret keys with a length of 16 to 32 characters in Base32 encoding are allowed). The built-in display for the challenge signature is six positioned (the standard supported by Google Authenticator). This makes such a token inapplicable to resources that employ secret keys shorter than 16 and longer than 32 characters, and eight-character one-time passwords, although such are rare.