What is Two-factor Authentication?
Two-factor Authentication or 2FA is a user identity verification method, where two of the three possible factors of authentication are combined in order to grant access to a website or application.1) something the user knows, 2) something the user has, or 3) something the user is.
The possible factors of authentication are:
- Something the User Knows:
This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge, the user must provide information that matches the answers previously provided to the organization by that user, such as “Name the town in which you were born.”
- Something the User Has:
This involves entering a one-time password generated by a hardware authenticator. Users carry around an authentication device that will generate a one-time password on command. Users then authenticate by providing this code to the organization. Today, many organizations offer software authenticators that can be installed on the user’s mobile device.
- Something the User Is:
This third authentication factor requires the user to authenticate using biometric data. This can include fingerprint scans, facial scans, behavioral biometrics, and more.
- In internet security, the most used factors of authentication are:
something the user has (e.g. a bank card) and something the user knows (e.g. a PIN code). This is two-factor authentication. Two-factor authentication is also sometimes referred to as strong authentication, Two-Step Verification or 2FA.
The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) is that as the term implies, Two-Factor Authentication utilizes a combination of two out of three possible authentication factors, while Multi-Factor Authentication could utilize two or more of these authentication factors.
Where Passwords Fall Short
Two-factor authentication has become a necessary and important part of account security, because due to growing and evolving cybercrime, passwords are no longer reliable. After a string of high-profile data breaches of the last ten years, many username and password combinations are already available for sale on the Dark Web. Organizations can no longer trust that simply knowing the right password is credible enough to allow a user access to an account.
In addition, there are human factors and trends that contribute to passwords becoming a vulnerable authentication strategy:
Security is often out of sight and out of mind for the average user. It gives the false impression that as an individual, they are unlikely to be the target of cybercrime. This leads to users selecting weak passwords, such as “love1234” or “11111”.
- Password Fatigue:
As mobile device ownership continues to grow and companies continue their digital transformation efforts, the number of online accounts each user will have to remember will also grow. This increase in the number of usernames and passwords leads to users repeating the same password across multiple accounts.
How Does Two-Factor Authentication Work?
When you sign into your account, you will be prompted to authenticate with your username and password. This becomes your first authentication factor.
For the second factor of authentication, you can use a:
- One-Time Passcode or One-Time Password (OTP) token
- Text message with verification code sent to your personal phone number on mobile device (e.g. iPhone, Samsung, Google Pixel)
- Specialized authenticator smartphone mobile app like Google Authenticator (iOS and Android) or a OneSpan mobile authenticator
- USB or key fob (e.g. something you have)
When combined with your username and password, the result is a stronger and more resilient extra layer of security. Taking this extra step with a hardware token or authenticator app not only presents a complex hurdle for attackers, but also reduces your risk of becoming a victim of phishing attacks, fraud, and identity theft.
Why Do I Need Two-Factor Authentication?
Because single authentication methods like passwords alone are simply not enough to stop today’s sophisticated attacks.
Two-factor authentication provides a secondary layer of security that makes it more difficult for hackers to access a person’s devices and online accounts to steal personal information. With two-factor authentication enabled, even if the hacker knows the victim’s password, the authentication will still fail and prevent unauthorized access.
Two-factor authentication also provides organizations with an additional level of access control to sensitive systems and online data and accounts, protecting that data from being compromised by hackers armed with stolen user passwords.
An obvious and common threat to consumers is the attacker opening new accounts in the victim's name and significantly damaging the credit rating. This can be devastating as a credit rating is used in determining the most significant lifestyle purchases, such as a car, mortgage and business loan.
In sum, two-factor authentication can help to reduce your risk of exposure if/when your password is stolen or your email account has been compromised.
Where Can I Use Two-Factor Authentication?
As a rule of thumb, users should turn on two-factor authentication anywhere and everywhere it is available. Below is a list of applications that will commonly support 2FA:
- Online banking
- Online shopping (Amazon, PayPal, Google Play)
- Email (Gmail, Microsoft, Yahoo, Outlook)
- Cloud storage accounts (Apple, Dropbox, Box)
- Accounts on social media networks (Facebook, Instagram, LinkedIn, Tumblr, Twitter, snapchat)
- Productivity apps (Evernote, Trello)
- Password managers (LastPass)
- Communication apps (MailChimp, Skype, Slack)
Two-Factor Authentication Vulnerabilities
Two-factor authentication, like all security solutions, can be circumvented by cybercriminals, but it is much more difficult to do so than with usernames and passwords. In order to bypass two-factor authentication, the attacker would need to either acquire the physical hard token authenticator or in the case of software authenticators, gain access to the tokens generated on the device by the authenticator. Attackers accomplish this through one of two ways. For each, we also include a security solution designed to help prevent these types of attacks:
- Social Engineering / Phishing:
One of the greatest vulnerabilities tof any security system are the humans involved in operating it. Social engineering and phishing are fraud schemes designed to exploit the human element. By posing as a reliable organization or individual in a phone call, email, or other communication, phishers attempt to trick the user into divulging confidential information that will allow the attacker to bypass the two-factor authentication challenges.
- Recommended Solution: Cronto
Malicious software can also extract the authentication token from a device through a variety of ways. For example, a keylogging malware can track the keystrokes inputted by the user and then relay the authentication token to the attacker remotely.
- Recommended Solution: Mobile Security Suite and/or Mobile App Shielding
How do I Get Started?
OneSpan’s two-factor authentication uses one-time password technology to secure user login and ensure only authenticated users gain access. OneSpan offers a complete range of authentication solutions, including: