Two-factor authentication (also known as 2FA or two-step verification) requires users to verify their identity by providing two different types of information before accessing an account or application. For example, one of those may be a PIN code sent to your phone.
Generally considered more robust than traditional username and password combinations, two-factor authentication acts as an additional layer of security, and prevents unauthorized access to sensitive details and resources. But why is 2FA necessary, and how does it work? Keep reading to find out!
What is 2FA?
You'll often be required to verify your identity before you log in to an account or application, connect to a network, or access resources. Services with simple authentication may only require a password from you, but others might insist that you provide additional evidence before gaining access.
Two-factor authentication simply means that two pieces of evidence are necessary to verify your identity.
In this way, users can confirm that they are who they say they are when attempting to access an account, and anyone else – hackers or cybercriminals – won't be able to take a peek at sensitive information without the additional requisite evidence, as it's incredibly unlikely that they have it!
Even if you're unfamiliar with the inner workings of two-factor authentication, you've almost certainly used it before. An ATM, for example, requires two pieces of evidence before it allows you to make transactions – namely your bank card and PIN!
Types of two-factor authentication
So, now that we're familiar with what two-factor authentication (2FA) is, and the reason it comes in handy, let's take a look at how it's implemented.
Two-factor authentication requires the user to present two or more pieces of evidence before they're allowed to access a certain resource – like a website, application, or network. Each piece of evidence is known as a factor, and factors tend to fall into one of the following categories:
- Something the user knows – by far the most popular factor, it refers to a password, a PIN, or any other piece of knowledge that can be proved by the user. Security questions (like the classic "What is your mother's maiden name?") technically fall into this category, too, but are considered incredibly insecure, seeing as hackers could intuit these answers with social engineering techniques.
- Something the user has – think of a key and a lock, and you'll understand this factor in an instant! The user will need to keep this special item on their person at all times, and it could be a key, a bank card, or a USB key. Whatever it is, it'll need to connect to the computer to access secure accounts. It's becoming increasingly popular to use smartphones as that special something a user "has", now, given that we're glued to them!
- Something the user is – this factor might seem a little sci-fi, considering it deals with fingerprint scans as well as iris and facial recognition, but it actually only leverages the technology already available in most modern phones! Biometrics, in short, use the individual themselves as the factor.
There are all sorts of two-factor authentication methods in use today, and some are much stronger than others. However, regardless of its form, 2FA is bound to be more secure than relying on a password. We'll take a closer look at passwords a bit later, but for now let's examine some of the more prevalent types of 2FA.
SMS
Nowadays, if a service offers two-factor authentication, they probably offer it via SMS. SMS 2FA directly interacts with the individual's phone, and once they've input a username and password, texts them a unique one-time passcode. In order to access the application or account, the individual simply needs to enter that one-time passcode into the site!
These ever-changing passcodes provide better security than static passwords, and there's no need to worry about the whereabouts of an additional physical token like a key fob.
SMS 2FA does come with a few concerns, however. Phones are handy, given that we're always using them, but they can be compromised, and hackers can still employ phishing attacks to try and collect a user's one-time passcode, as well as their password.
Hardware Tokens
Although this form of 2FA has become a little dated in recent years, it's still a popular method, and utilizes physical tokens and generated numeric codes to secure private accounts and networks. So, if a user wanted to access a secure computer, they'd need to look at their key fob and input the code it displayed into the computer.
Creating these little tokens is expensive work, however, and it's all too easy to misplace them – further driving up distribution costs.
Push Notifications
Push notification 2FA eliminates the need for bulky tokens and takes advantage of the ubiquitous nature of phones: it sends the user a notification whenever an authentication attempt is happening. The user then looks at the details and verifies the attempt with a tap.
Because no one-time code has to be typed in, there's nothing for a phishing page to capture, which is why push notification 2FA puts a stop to phishing scams, and even man-in-the-middle attacks. It simply establishes a direct connection from the application to the 2FA service.
However, this method does require internet access, and necessitates a device that can install apps.
Are passwords secure?
Passwords are certainly still today's standard when it comes to keeping our accounts safe, but there's some doubt as to whether they should be. Countless breaches have compromised vast swathes of passwords (and even put them up for sale with their email counterparts on the dark web), and users do themselves a disservice by using weak phrases, or by reusing passwords across different sites and services. It's a hacker's dream, seeing as they can just input these known password and email combinations into websites and check out which ones work.
Secure passwords can be difficult to remember, and this is why we recommend using a password manager. Check out our best password manager page for a list of the best services and tips on keeping passwords safe and secure.
So, if you're relying on a password to protect your devices, the hurdle for hackers to overcome is pretty small. For this reason, more and more folks are taking advantage of two-factor authentication.