What is Two-Factor Authentication (2FA)
Two-Factor Authentication (aka 2FA) is a specific type of Multi-Factor Authentication (MFA) that requires the authenticating party to present two separate factors indicative of its identity, instead of the single identifier, usually a password, that many systems previously accepted.
2FA improves security substantially: an attacker would need to obtain both factors, which is considerably harder than stealing a password alone.
2FA was standard in many public-facing and internal computer systems, with SMS messages or emails used to deliver the second factor. These delivery methods are now being replaced by stronger MFA technology, both because attackers have grown more sophisticated and because better, friendlier Multi-Factor Authentication options are available.
Categories of factors used to authenticate users usually include:
- Something the user knows (e.g. a password, PIN or pattern)
- Something the user has (e.g. a physical OTP (one-time password) token or a USB security key)
- Something inherent to the user (typically a biometric signature)
Note: in some cases, location and network indicators are also used as additional authentication factors.
A 2FA flow would usually look like this:
- Access is requested via a standard login interface
- A username and a password are submitted
- If the username and password are accepted, the authentication mechanism asks for the predetermined second factor, e.g. an OTP code.
- The user will enter the one-time code and gain access.
Many other combinations of factors can be used: a password plus an SMS code sent to a registered mobile device, a passphrase plus a fingerprint read by a biometric sensor, a physical token plus answers to pre-determined authentication questions, and so on.
2FA is an authentication scheme that requires the access-requesting party (typically a user, but it can also be software or a machine) to produce two identifiers, two factors, in order to be authenticated. In the typical case where a user is authenticated using 2FA, the authenticating service first requests a password. It then requests a second factor, which is often a one-time password (OTP) code that requires the user to be in possession of the OTP generator device. The second factor can also be a biometric signature, an SMS code sent to a registered mobile device, knowledge-based authentication questions, and more. Strictly speaking, the two factors should come from different categories: a password followed by security questions is two things the user knows, and is better described as two-step than two-factor authentication.