Two-Factor Authentication (aka 2FA) is a specific type of Multi-Factor Authentication that requires the authenticating party to produce two separate identifying factors indicative of its identity, instead of the single identifier, usually a password, that many systems previously required.
2FA improves security substantially, since an attacker would need to gain possession of both factors rather than just one, which is much more difficult.
2FA was standard in many public-facing and internal computer systems using SMS messages or emails to deliver the second factor, but these methods are now being replaced by more advanced MFA technology due to the increasing sophistication of attackers and the availability of better, friendlier Multi-Factor Authentication options.
Identifier categories used to authenticate users usually include:
- Something the user knows (e.g. a password, PIN or pattern)
- Something the user has (e.g. a physical OTP (one-time password) token or a USB security key)
- Something that is inherent to the user (typically a biometric signature)
Note: in some cases, location and network indicators are also used as additional authentication factors.
A 2FA flow would usually look like this:
- Access is requested via a standard login interface
- A username and a password are submitted
- If the username and password are accepted, the authentication mechanism asks for the predetermined second factor, e.g. an OTP code.
- The user enters the one-time code and gains access.
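The flow above, as an added example that is not part of the original text: a server-side login that checks the password first and only then verifies a TOTP code (RFC 6238, HMAC-SHA1, 30-second steps). The user record, salt and password are constructed sample data; the TOTP secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not from the page): one user with a PBKDF2 password
# hash and a TOTP secret; the secret is the RFC 6238 test-vector key.
SALT = b"fixed-demo-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time-step already accepted (replay guard)
    }
}

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the current time-step (Unix time // 30)."""
    return hotp(secret, at // step, digits)

def check_password(username, password):
    """Step 1: the first factor, something the user knows."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])

def check_otp(username, code, now, step=30, drift=1):
    """Step 2: the second factor. Tolerates +/- `drift` steps of clock skew and refuses any step at or below the last one used."""
    user = USERS.get(username)
    if user is None:
        return False
    current = now // step
    for counter in range(current - drift, current + drift + 1):
        if counter <= user["last_counter"]:
            continue  # already consumed: a captured code must not work twice
        if hmac.compare_digest(hotp(user["totp_secret"], counter).encode(), code.encode()):
            user["last_counter"] = counter
            return True
    return False

def login(username, password, code, now):
    """The flow from the text: password first; the OTP is only checked if it passed."""
    return check_password(username, password) and check_otp(username, code, now)
```

The `last_counter` bookkeeping is what stops an intercepted code from being replayed inside the skew window; without it a 30-second code remains usable by whoever captured it.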
Many other combinations of identifiers can be used, including a password plus an SMS code sent to a registered mobile device, a passphrase plus a biometric identifier from a fingerprint sensor, a physical token plus an answer to pre-determined authentication questions, etc.