Two-Factor Authentication (aka 2FA) is a specific type of Multi-Factor Authentication that requires the authenticating party to produce two separate identifying factors that are indicative of its identity, instead of the previously standard single identifier, usually a password, required by many systems.
2FA improves security substantially, since an attacker would need to gain possession of both identifiers, which is much more difficult than compromising one.
2FA was standard in many public-facing and internal computer systems, using SMS messages or emails as a means of sending the second factor, but these methods are now being replaced by more advanced MFA technology due to the increasing sophistication of attackers and the availability of better, friendlier Multi-Factor Authentication options.
Identifier categories used to authenticate users usually include:
A 2FA flow would usually look like this:
Many other combinations of identifiers can be used, including a password plus an SMS code sent to a registered mobile device, a passphrase plus a biometric identifier from a fingerprint sensor, a physical token plus answers to pre-determined authentication questions, etc.
2FA is an authentication scheme that requires the access-requesting party (typically a user, but it can also be software or a machine) to produce two identifiers, two factors, in order to be authenticated. In the typical case where a user is authenticated using 2FA, the authenticating service first requests the first factor of authentication, which is usually a password. It then requests a second factor, which is often a one-time password (OTP) code that requires the user to be in possession of the OTP generator device. The second factor of authentication can also be a biometric signature, an SMS code that is sent to a registered mobile device, knowledge-based authentication questions, and more.
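The password-plus-OTP flow described above, as an added server-side example that is not code from the original article: the first factor is a salted password hash, the second an RFC 6238 TOTP code checked with a small clock-drift window and a replay guard so a captured code cannot be reused. The user record, salt and password are constructed demo values; the TOTP seed is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
_SALT = b"demo-salt-not-for-production"
# Constructed demo user (hypothetical, not from the page); TOTP seed is the RFC 6238 test-vector secret.
USER_DB = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time step already accepted (replay guard)
    }
}

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_first_factor(username: str, password: str) -> bool:
    """Factor one (something the user knows), compared in constant time."""
    user = USER_DB.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])

def verify_second_factor(username: str, code: str, now=None, window: int = 1) -> bool:
    """Factor two (something the user has): accept +/- `window` steps of drift, never a replay."""
    user = USER_DB.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        t = now + drift * STEP
        if t // STEP <= user["last_counter"]:
            continue  # a code for this step was already accepted once
        if hmac.compare_digest(totp(user["totp_secret"], t), code):
            user["last_counter"] = t // STEP
            return True
    return False

def authenticate(username: str, password: str, code: str, now=None) -> bool:
    """Both factors must pass; the OTP is only checked after the password."""
    return verify_first_factor(username, password) and verify_second_factor(username, code, now)
```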