What is Two-factor Authentication or 2FA?

Two-factor authentication (2FA) is a security process that increases the likelihood that a person is who they say they are. The process requests users to provide two different authentication factors before they are able to access an application or system, rather than simply their username and password.

2FA is a vital security tool for organizations to protect their data and users in the face of a cybersecurity landscape laden with a higher volume of increasingly sophisticated cyberattacks. Businesses of all sizes have to keep pace with attackers' sophistication and continuously evolve their defenses to keep malicious actors out of their networks and systems.

To answer what is 2FA, a good starting point is remembering that it is a process that moves organizations away from relying on passwords alone to gain entry into applications and websites. 2FA does exactly what it says: provide a two-step authentication process that adds another layer of security to businesses’ defenses. 

This makes it more difficult for cybercriminals to steal users’ identities or access their devices and accounts. It also helps organizations keep attackers out of their systems, even when a user’s password has been stolen. The process is increasingly being used to prevent common cyber threats, such as phishing attacks, which enable attackers to spoof identities after stealing their targets' passwords.

What are the Authentication Factors?

There are several types of authentication factors that can be used to confirm a person’s identity. The most common include:

  1. A knowledge factor: This is information that the user knows, which could include a password, personal identification number (PIN), or passcode.
  2. A possession factor: This is something that the user has or owns, which could be their driver’s license, identification card, mobile device, or an authenticator app on their smartphone.
  3. An inherence factor: This is a personal attribute or something that the user is, which is typically some form of biometric factor. These include fingerprint readers, facial and voice recognition, as well as behavioral biometrics like keystroke dynamics and speech pattern trackers.
  4. A location factor: This is usually guided by the location in which a user attempts to authenticate their identity. Organizations can limit authentication attempts to certain devices in specific locations, depending on how and where employees log in to their systems. 
  5. A time factor: This factor restricts authentication requests to specific times when users are allowed to log in to a service. All access attempts outside of this time will be blocked or restricted. 

 

How Does Two-factor Authentication Work?

The two-factor authentication process begins when a user attempts to log in to an application, service, or system until they are granted access to use it. The authentication process looks like this:

  • Step 1: The user opens the application or website of the service or system they want to access. They are then asked to log in using their credentials. 
  • Step 2: The user enters their login credentials, which will typically be their username and password. The application or website confirms the details and recognizes that the correct initial authentication details have been entered. 
  • Step 3: If the application or website does not use password login credentials, then it will generate a security key for the user. The key will be processed by the authentication tool, and the server will validate the initial request.
  • Step 4: The user is then prompted to submit a second authentication factor. This will usually be the possession factor, which is something that only they should have. For example, the application or website will send a unique code to the user’s mobile device.
  • Step 5: The user enters the code into the application or website, and if the code is approved, they will be authenticated and given access to the system.

 

Some Common Types of 2FA

There are several types of 2FA that can be used to further confirm that a user is who they claim to be. Some of the simpler examples include answering security questions and providing one-time codes. Others use various types of tokens and smartphone applications. Common 2FA types include the following:

Hardware Tokens for 2FA

Hardware tokens are one of the original types of 2FA formats. They are typically small key-fob devices that generate a unique numerical code every 30 seconds. When a user submits their first authentication request, they can head over to the key fob and issue the code it is displaying. Other forms of hardware tokens include universal serial bus (USB) devices that, when inserted into a computer, automatically transfer an authentication code.

An example of this is YubiKey, which is short for ubiquitous key, a security key that enables users to add a second factor of authentication to services like Amazon, Google, Microsoft, and Salesforce. The USB device is used when users log in to a service that supports one-time passwords (OTPs), such as GitHub, Gmail, or WordPress. The user plugs the YubiKey into their USB port, enters their password, clicks the YubiKey field, and touches a button on the device. It generates a 44-character OTP and automatically enters it on the user’s device to verify them with a possession 2FA factor.

Hardware token devices are generally expensive for organizations to distribute. Furthermore, they are easily lost by users and can themselves be cracked by hackers, making them an insecure authentication option.

 

Text Message and SMS 2FA

Short message service (SMS) and text message 2FA factors are generated when a user attempts to log in to an application or service. An SMS message will be sent to their mobile device containing a unique code that the user then enters into the application or service. This 2FA factor type has been used by banks and financial services to verify purchases or changes that customers made to their online banking accounts. However, they are generally moving away from this option, given the ease with which text messages can be intercepted.

Similar to the SMS factor is voice call 2FA. When a user enters their login credentials, they will receive a call to their mobile device that tells them the 2FA code they need to enter. This factor is used less frequently but is deployed by organizations in countries that have low smartphone usage levels.

 

Push Notifications for 2FA

A more commonly used passwordless two-step authentication format is push notifications. Rather than receiving a code on their mobile device via SMS or voice, which can be hacked, users can instead be sent a push notification to a secure app on the device registered to the authentication system. The notification informs the user of the action that has been requested and alerts them that an authentication attempt has taken place. Then, they simply approve or deny the access request. 

This authentication format creates a connection between the app or service the user is attempting to access, the 2FA service provider, the user themselves, and their device. It is user-friendly and reduces the possibility of security risks like phishing, man-in-the-middle (MITM) attacks, social engineering, and unauthorized access attempts.

This authentication format is more secure than SMS or voice calls but still carries risks. For example, it is easy for a user to accidentally confirm an authentication request that has been fraudulently requested by quickly tapping the approve button when the push notification appears.

 

2FA for Mobile Devices

Smartphones offer a variety of possibilities for 2FA, enabling companies to use what works best for them. Some devices are capable of recognizing fingerprints. A built-in camera can be used for facial recognition or iris scanning, and the microphone can be used for voice recognition. Smartphones equipped with a Global Positioning System (GPS) can verify location as an additional factor. Voice or SMS may also be used as a channel for out-of-band authentication.

A trusted phone number can be used to receive verification codes by text message or automated phone call. A user has to verify at least one trusted phone number to enroll in 2FA. Apple iOS, Google Android, and Windows 10 all have applications that support 2FA, enabling the phone itself to serve as the physical device to satisfy the possession factor. 

Ann Arbor, Michigan-based Duo Security, which was purchased by Cisco in 2018 for $2.35 billion, is a 2FA platform vendor whose product enables customers to use their trusted devices for 2FA. Duo's platform first establishes that a user is trusted before verifying that the mobile device can also be trusted for authenticating the user.

Authenticator applications replace the need to obtain a verification code via text, voice call, or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password—a knowledge factor. Users are then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, an authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, users complete the verification process and prove possession of the correct device—an ownership factor.

 

Multi-factor Authentication vs. Two-factor Authentication (MFA vs. 2FA)

2FA is a subset of the wider concept of multi-factor authentication (MFA). MFA requires users to verify multiple authentication factors before they are granted access to a service. It is a core piece of any identity and access management (IAM) solution that reduces the chances of a data breach or cyberattack by providing increased certainty that a user is who they claim to be.

The main difference between 2FA and MFA is that 2FA only requires one additional form of authentication factor. MFA, on the other hand, can include the use of as many authentication factors as the application requires before it is satisfied that the user is who they claim to be.

This is because an attacker can crack an authentication factor, such as an employee’s identification card or password. As a result, businesses must add further authentication factors that make the hacker’s task more difficult. For example, highly secure environments often demand higher MFA processes that involve a combination of physical and knowledge factors along with biometric authentication. They will often also consider factors like geolocation, the device being used, the time at which the service is being accessed, and ongoing behavior verification.

The key with any authentication process is finding a happy medium between a system that end-users find easy to use and provides the level of security a business requires to protect their data and systems. Employees do not want to be held back by an authentication solution that is slow and unreliable and will inevitably look to circumnavigate cumbersome processes that hinder them from getting the job done. 

Is 2FA Secure?

Requiring multiple factors of authentication before a user is granted access to an application or website is inherently more secure than relying on username and password combinations alone. Therefore, 2FA is more secure than solely requiring users to enter single-password protection. By the same logic, MFA can also be considered more secure than 2FA, as it enables organizations to ask users to submit more authentication factors.

However, there are flaws in the security levels of 2FA. For example, using hardware tokens can leave an organization vulnerable in case the device manufacturer suffers a security lapse. This was the case when security firm RSA suffered a data breach as a result of its SecurID authentication tokens being hacked back in 2011.

Other authentication factors also have their flaws. SMS 2FA is cheap and easy for employees to use but vulnerable to cyberattacks. The use of SMS for 2FA has been discouraged by the National Institute of Standards and Technology (NIST), saying it is vulnerable to various portability attacks and malware issues.

Despite these, most cyberattacks come from remote locations, which makes 2FA a relatively useful tool in protecting businesses. It typically prevents attackers from gaining access to an application or system with stolen user credentials and passwords. It is also unlikely that an attacker would be able to access a user’s second item of authentication, particularly when it comes to biometric factors.

 

Two-factor Authentication and Identity Access Management Solution from Fortinet

Enterprises increasingly manage identity environments comprising multiple systems across cloud applications, directory services, networking devices, and servers. These quickly grow into a hugely challenging administrative task that ends up delivering poor user experiences, confusing application developers, and giving administrators a logistical nightmare. As a result, businesses leave themselves susceptible to data breaches through code vulnerabilities, inappropriate user access levels, and poorly managed software updates. 

The Fortinet identity and access management solution provides organizations with the service they need to securely confirm and manage the identities of the users and devices on their networks. The robust solution enables businesses to take control of user identity and ensures users only have access to the systems and resources they need access to.

The Fortinet IAM solution is comprised of three core components:

1.         FortiAuthenticator: This prevents unauthorized access requests to corporate resources. It provides a centralized authentication process to the Fortinet Security Fabric, such as certificate management, guest access management, and single sign-on (SSO).

2.         FortiToken: This provides additional confirmation of user identities by providing a second factor of authentication. It does this through mobile applications and physical tokens.

3.         FortiToken Cloud: This provides MFA as-a-service and comes with an intuitive dashboard that enables organizations to manage their MFA solution.

These three components combined address the IAM challenges that organizations face with managing larger workforces requesting access to their systems from an increasing number of devices.

FAQs

What does 2FA stand for?

2FA stands for two-factor authentication, which is a security process that enables organizations to increase the security of their applications, systems, and websites.

What does two-factor authentication mean?

Two-factor authentication means that a user has to submit two authentication factors that prove they are who they say they are. It is used when a user logs in to an application or system, adding an extra layer of security to simply logging in with their username and password, which can easily be hacked or stolen.

Can two-factor authentication be hacked?

Two-factor authentication processes can be hacked. 2FA tools like hardware tokens can become compromised, and SMS messages can be intercepted by malicious actors. However, 2FA is a more secure login process than relying on passwords alone.

What is multi-factor authentication?

Multi-factor authentication is a security process that enables the use of multiple factors of authentication to confirm a user is who they say they are. MFA means the use of more than one authentication factor to enable a user to access their account.