The Secret Security Wiki


What is Two-Factor Authentication

Two-Factor Authentication (aka 2FA) is a specific type of Multi-Factor Authentication that requires the authenticating party to produce two separate identifying factors that are indicative of its identity, instead of the previously standard single identifier, usually a password, required in many systems.
2FA improves security substantially, since an attacker would need to gain possession of both identifiers rather than a single password, which makes a successful compromise much more difficult.
2FA was standard in many public-facing and internal computer systems using SMS messages or emails as a means of sending the second factor, but these methods are now being replaced by more advanced MFA technology due to the increasing sophistication of attackers and better, friendlier Multi-Factor Authentication options.

Identifier categories used to authenticate users usually include:

  • Something the user knows (e.g. a password, PIN or pattern)
  • Something the user has (e.g. a physical OTP (one-time-password) token or security USB key)
  • Something that is inherent to the user (typically a biometric signature)
    Note: in some cases, location and network indicators are also used as additional authentication factors.

A 2FA flow would usually look like this:

  1. Access is requested via a standard login interface
  2. A username and a password are submitted
  3. If the username and password are accepted, the authentication mechanism will ask for the predetermined 2nd factor, e.g. an OTP code.
  4. The user will enter the one-time code and gain access.

Many other combinations of identifiers can be used, including a password plus SMS-code to a registered mobile device, a passphrase plus a biometric identifier from a fingerprint sensor, a physical token plus an answer to pre-determined authentication questions, etc.

  • How Does 2 Factor Authentication Work?

    2FA is an authentication scheme that requires the access-requesting party (typically a user, but can also be software or a machine) to produce two identifiers – two factors – in order to be authenticated. In the typical case where a user is authenticated using 2FA, the authenticating service requests the first factor of authentication, which is usually a password. It then requests a second factor, which is oftentimes a one-time password (OTP) code that requires the user to be in possession of the OTP generator device. The second factor of authentication can also be a biometric signature, an SMS code that is sent to a registered mobile device, knowledge-based authentication questions, and more.
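    The password-then-OTP flow listed above and described again here, worked through on the service side as an added example (not code from the wiki): the second factor is a time-based OTP per RFC 6238 (HOTP per RFC 4226 underneath), checked with a small clock-drift window and with replay of an already-accepted code rejected. The user record, salt, password and status strings are constructed for the demo; the OTP key is the RFC 6238 reference test key, so its published test vectors apply.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP, DIGITS, WINDOW = 30, 6, 1   # TOTP step (s), code length, drift steps allowed each side

# Constructed demo user record; a real system stores a random per-user OTP key.
_SALT = b"demo-salt"
USERS = {"alice": {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    "otp_key": b"12345678901234567890",   # RFC 6238 reference test key
    "last_step": None,     # last accepted TOTP step, used to reject replays
}}

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, unix_time // step, digits)

def verify_otp(user: dict, submitted: str, now: int) -> Optional[int]:
    """Return the matching time step within +/- WINDOW, or None if no match."""
    current = now // STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        if user["last_step"] is not None and step <= user["last_step"]:
            continue   # a code captured earlier must not be replayed inside the window
        if hmac.compare_digest(hotp(user["otp_key"], step), submitted):
            return step
    return None

def login(username: str, password: str, otp_code: str, now: int) -> str:
    """Two-factor flow: first factor (password), then second factor (OTP)."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(pw, user["pw_hash"]):
        return "denied"
    step = verify_otp(user, otp_code, now)
    if step is None:
        return "otp_rejected"   # first factor passed, second factor missing or wrong
    user["last_step"] = step
    return "granted"
```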