What Is Two-Factor Authentication and Why It’s Crucial
Cyber attacks, phishing scams, and malware are out to steal your passwords. Thankfully, there are ways of making it difficult for them.
December 23, 2022
Passwords alone are not a strong barrier against cybercriminals determined to breach your online accounts for financial gain. That’s why using a strong password is just the first step in improving your security. Adding a second, independent layer means that even a password that has already leaked is not enough on its own to get in. So, what is two-factor authentication, and how does it prevent bad actors from accessing your data?
What Is 2FA and Why Passwords Just Aren’t Enough
Two-factor authentication (2FA) is an additional security layer that some online platforms use to improve the security of their accounts. It requires two distinct forms of confirming the user’s identity to allow access.
2FA can be used to enhance the security of online accounts, smart devices, and even office spaces. Such a system requires the user to provide their password in combination with another identification method. This second method can be a code sent to your email or by SMS, or a temporary code generated by an authenticator application for that specific account. It can also be a hardware security token or a biometric such as a face scan or fingerprint.
Two-factor authentication is a significant improvement over relying solely on passwords. The key advantage is that even if someone has obtained your password, your account stays inaccessible unless the additional factor is also provided. This blunts credential-stuffing attacks and most phishing attacks. One caveat worth knowing up front: a code you type in (whether it arrived by SMS or email or came from an app) can still be phished by a fake site that relays it to the real service in real time, so of the methods covered below only the WebAuthn/FIDO type is genuinely phishing-resistant.
Two-Step Authentication - How It Started
Widespread data breaches in the mid-2000s and early 2010s pushed the adoption of multi-factor authentication (MFA), even though some early forms of the security measure had been present before. As far back as the 1980s, US security company RSA designed the SecurID key fob, which displayed a six-digit code that changed periodically and was used as a secondary authentication factor, and it served as inspiration for apps such as Google Authenticator.
For many gamers like me who played World of Warcraft, the Blizzard Authenticator was the first time I saw two-factor authentication used to protect an online account. Released in 2008, the physical device served the same function as modern authenticator apps do today. Support for the device has not been available since 2019, but many used it for more than a decade.
The widespread adoption of 2FA was spearheaded by Google in response to China-based attacks on the Gmail accounts of human rights advocates in January 2010. This prompted the release of the Google Authenticator app, and the company began offering optional 2FA for all its users in February 2011.
Nowadays there are many examples of two-factor authentication showing how useful it is in preventing account takeovers, especially since many people reuse the same weak password across multiple accounts.
Authentication Methods - How Does 2FA Work
It’s highly likely that you have already had the opportunity to use two-factor authentication for some of your online accounts. Chances are you had to enable it for a service you are using, or the platform itself highly recommended it.
Factors that are most commonly used for dual authentication are as follows:
- A possession factor, which is based on a unique item that a user has. For instance, this can be a mobile device, a security token, or an application that is used to approve the authentication request.
- A biometric factor is also called an inherence factor since it’s derived from users’ unique physical characteristics. The software maps facial features, fingerprints, voice, or some other unique feature to confirm your identity.
- A time factor, which only permits access during a certain period of the day (for example, working hours).
- A location factor, which depends on where the login attempt is coming from rather than where the account was created; access can be limited by IP address range, GPS position, or to a list of known devices.
- The knowledge factor represents something that the user knows, such as the answer to a security question, a PIN (personal identification number), or a “shared secret” that’s used as proof of authentication.
Strictly speaking, the three classic factors are something you know, something you have, and something you are. Time and location are usually treated as contextual signals in adaptive or risk-based authentication rather than as factors in their own right, because they are easy to spoof (a VPN changes your apparent location) and do not prove identity by themselves.
Types of Two-Factor Authentication
Each of the discussed authentication methods has its distinct advantages and limitations. For instance, the possession factor’s downside is losing access to the device or item used in the authentication process. Biometric factors, on the other hand, are expensive to deploy, produce both false accepts and false rejects, and cannot be changed if the stored template leaks, since you cannot issue yourself a new fingerprint. No method is perfect, but each one turns a leaked password from a complete compromise into a failed login attempt, as long as the attacker cannot also capture or bypass the second factor.
Time-Based One-Time Password
Time-based one-time passwords (TOTP) are the most widespread form of app-based second factor. As a matter of fact, you may already be using Google Authenticator, Microsoft Authenticator, or LastPass Authenticator. You have had it generate a six-digit code for an account based on the key you provided when adding a new entry to the app. This 2FA method is also known as a software token or app-based authentication.
TOTP (RFC 6238) is built on HOTP (RFC 4226). The shared secret key is provisioned once, usually by scanning a QR code. To produce a code, the app divides the current Unix time by 30 seconds to get a counter, computes an HMAC (SHA-1 by default) of that counter under the secret, and truncates the result to six decimal digits. Nothing travels between app and server except those six digits: the server holds the same secret, computes the same value for the current time step (usually also one step either side to absorb clock drift), and checks for a match. Because the secret never leaves either side, a captured code is only useful for about thirty seconds, and a careful server also refuses to accept the same code twice.
SMS and Email 2FA
The ways SMS and email are used for two-factor authentication are similar. In both instances, a one-time password is generated and delivered. The code lasts for a limited time, usually several minutes rather than the thirty-second window of authenticator apps.
Unfortunately, SMS 2FA is exposed to interception. Weaknesses in the SS7 signalling protocol that carriers use let attackers redirect messages, a SIM-swap attack moves your number to a phone the attacker controls, and a phishing page can simply ask for the code and relay it to the real site. It is therefore not the most reliable second factor, though still far better than a password alone.
Keep in mind, though, that receiving a 2FA code through email is better than not having one at all. However, such authentication becomes a single point of failure if the email account used for it is compromised. Bad actors only need to break into your email account, and they can then use it both to read the codes and to reset the passwords of other linked online profiles and platforms.
Push-based 2FA is similar to time-based one-time password apps. You still have to install an application, but instead of producing an authentication code, it receives a notification that prompts you to approve the login. Because most mobile devices require a passcode or biometric lock, other people cannot approve your push notifications even if they have your phone in hand. The weak point is the user: an attacker who already has the password can send prompt after prompt (so-called push fatigue or MFA bombing) until a tired victim taps approve, which is why many services now show a number on the login page that must be matched in the app.
Another security benefit of these notifications is that they tell you when your password has been compromised. If you receive a login prompt you did not initiate, someone else has your password; deny the request and change it.
The latest example of two-factor authentication is WebAuthn, promoted by the W3C (World Wide Web Consortium) and created in cooperation with the Fast IDentity Online (FIDO) Alliance. WebAuthn, or the Web Authentication API, allows a web service to add strong authentication by using built-in browser support, letting users choose between external authenticators (such as a USB or NFC security key) and the device’s own biometric reader. Its defining security property is that the credential is bound to the website’s origin: the browser records the real origin and the authenticator signs a fresh challenge together with the site’s domain, so a lookalike phishing domain cannot obtain a signature that the real site will accept.
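To make the origin-binding concrete, here is an added example (not code from the article and not from any FIDO or WebAuthn library) of the checks a relying party performs on a login response before verifying the signature. The names `RP_ID`, `ORIGIN`, `build_response`, `check_assertion`, the `example.com` domains and the constructed responses are all assumptions of this example. `build_response` stands in for what the browser returns from `navigator.credentials.get()`; the signature over `authenticatorData || SHA-256(clientDataJSON)` that a real authenticator produces is assumed to be verified separately with the stored public key and is not modelled here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from typing import Tuple

# Assumed relying-party identity for this example (not from the article).
RP_ID = "example.com"
ORIGIN = "https://example.com"

FLAG_UP = 0x01  # authenticatorData flag bit 0: user present
FLAG_UV = 0x04  # authenticatorData flag bit 2: user verified (PIN or biometric)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def new_challenge() -> bytes:
    """The relying party mints a fresh random challenge per login and keeps it in the session."""
    return secrets.token_bytes(32)


def build_response(origin: str, rp_id: str, challenge: bytes,
                   uv: bool = True, sign_count: int = 1) -> Tuple[bytes, bytes]:
    """Constructed stand-in for the browser's reply: clientDataJSON, which the browser fills
    with the page's real origin, and authenticatorData, which starts with SHA-256 of the
    rpId the browser allowed, one flags byte, and a big-endian signature counter."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    flags = FLAG_UP | (FLAG_UV if uv else 0)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data, auth_data


def check_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                    last_sign_count: int = 0, require_uv: bool = True) -> Tuple[bool, str]:
    """Relying-party checks from the WebAuthn spec (section 7.2) that precede the signature
    check. Assumption: the caller verifies the signature with the stored public key afterwards."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != ORIGIN:
        # This is the phishing defence: a lookalike site gets its own origin stamped in.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    if sign_count and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


if __name__ == "__main__":
    ch = new_challenge()
    print(check_assertion(*build_response(ORIGIN, RP_ID, ch), ch))
    print(check_assertion(*build_response("https://examp1e.com", "examp1e.com", ch), ch))
```

The second call in the usage block models a user who typed their password into a lookalike domain: the browser fills in `https://examp1e.com` as the origin, so the real site rejects the response even though the challenge is valid. That is the property SMS, email and TOTP codes lack, since a code carries no information about where it was typed.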
How To Set Up 2FA?
Setting up 2FA is not identical across online platforms or services, but the steps you can expect to encounter are broadly the same:
- Log in to the account you want to enable 2FA on.
- The server processes the login request and grants you access.
- Within your profile’s security settings, you should have the option to enable 2FA.
- If the service uses an authenticator app, it will display a secret key, usually as a QR code and as a base32 string, that you add to the application.
- The app stores the key and starts generating one-time passwords from it.
- Store the secret key (or the recovery codes the service gives you) somewhere safe and offline, so that you can re-add the 2FA profile if you change or lose your phone.
- Most platforms require you to prove the setup works by entering a current code before 2FA is actually switched on; this confirms that the app really holds the key.
- After completing the procedure, you’ll have 2FA enabled on your account.
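The following is an added example, written for this page and not taken from the article or from any authenticator app or service, that walks the TOTP mechanism from the Time-Based One-Time Password section and the enrollment steps above in working code: the service mints a key, packs it into the setup QR code’s `otpauth://` URI, the app decodes it, both sides compute RFC 6238 codes, and the service only enables 2FA once the user proves the app holds the key. The function names, the `Example Service` account and the base32 test secret (the RFC 4226/6238 test key `12345678901234567890`) are this example’s own assumptions; the `otpauth` URI format is the de facto one authenticator apps accept, not a formal standard.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed example secret: the 20-byte ASCII key "12345678901234567890" used by the
# RFC 4226 / RFC 6238 test vectors, base32-encoded the way a setup key is shown to the user.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret() -> str:
    """Service side of enrollment: a fresh random 160-bit key, base32-encoded for the QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def decode_secret(b32: str) -> bytes:
    """Accept the key as typed or scanned; pad in case the service omitted '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The provisioning URI carried by the setup QR code (assumed de facto otpauth format)."""
    return (f"otpauth://totp/{quote(issuer + ':' + account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """App side: pull the key and parameters back out of the scanned URI."""
    q = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    return {"secret": decode_secret(q["secret"]),
            "digits": int(q.get("digits", "6")),
            "period": int(q.get("period", "30"))}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' to a 31-bit integer and reduction to `digits` decimal digits. The code is
    a truncated MAC, not a hash of the six-figure number."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Service-side check. Tries the current step and `window` steps either side (clock
    drift), compares in constant time, and refuses any counter at or below `last_counter`
    so that a code captured by a phishing page cannot be replayed. Returns the accepted
    counter, which the caller must persist as the new `last_counter`, or None."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate < 0 or candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def confirm_enrollment(pending_secret_b32: str, submitted_code: str, at: int) -> bool:
    """Last setup step: only switch 2FA on once the user has proved the app holds the key."""
    return verify_totp(decode_secret(pending_secret_b32), submitted_code, at) is not None


if __name__ == "__main__":
    # Walk the enrollment flow for a constructed account.
    key_b32 = new_secret()
    uri = otpauth_uri("Example Service", "alice@example.com", key_b32)
    app_key = parse_otpauth(uri)["secret"]  # what the app stores after scanning the QR code
    now = int(time.time())
    print("2FA enabled:", confirm_enrollment(key_b32, totp(app_key, now), now))
    print("code at T=59 for the RFC test key:", totp(decode_secret(RFC_TEST_SECRET_B32), 59))
```

Two design points matter for a service that implements this. The drift window should be small (one step either side is typical) because each extra step widens the replay window for a phished code, and the accepted counter must be stored per user so the same code is never honoured twice. The RFC test key is included only so the arithmetic can be checked against the published vectors; a real enrollment always uses `new_secret()`.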
Is 2FA Really Secure?
Two-factor authentication is a substantial improvement in users’ online security. It also remains true that every security system is only as strong as its weakest component. Without two-factor authentication, compromising a password is the only step malicious parties have to take before they can access your sensitive data.
We’ve already mentioned some of the flaws different two-factor authentication types have and their potential points of failure. Any service that implements it needs to account for situations when their user loses access to their 2FA method, such as a smartphone with your authenticator app malfunctioning, losing access to your email, or similar unplanned circumstances.
Bad actors have successfully used account recovery flows to take over accounts, because recovery is often the weakest link. Security questions do not fix this: answers such as a mother’s maiden name or a first school are frequently public or guessable. The better approach is the set of one-time recovery codes most services generate when you enable 2FA, kept offline where only you can reach them. Even so, remember that no recovery path is perfect.
Consequently, organizations whose operations require high levels of security should look at multi-factor authentication (MFA) more broadly.
2FA is simply MFA with exactly two factors. Where a password plus a security token is enough for 2FA, a stronger MFA policy combines several independent checks, such as a hardware key, a biometric, and contextual signals like location, and may require different combinations for more sensitive actions.
Unfortunately, this level of security is necessary given the rising number of cyber attacks, some of them state-run operations. Government organizations, financial services, and health care institutions in particular must implement such measures for their employees.
Having a system in place that double-checks whether you are the actual user trying to access your account removes the most basic risk and will save you a lot of headaches in the long run. By now you have realized what two-factor authentication means and that passwords such as 123456, qwerty, and password1 will not keep anyone out of your account. Companies no longer consider a username and password alone sufficient for meeting basic security standards.
Password managers, MFA, and similar tools are ways of coping with an imperfect system. In some cybersecurity circles a password database is already considered outdated, which is why many companies are turning to passwordless authentication built on standards such as WebAuthn.
All things considered, until a better solution presents itself and universally changes how internet security works, you should get used to the idea of two-factor authentication. It’s simple to use and easily accessible for anyone with a smartphone. So, do yourself a favor by improving your online security without delay.
2FA can protect your online accounts from unauthorized access by using another factor of identification alongside the password. This factor can be anything from biometrics, hardware tokens, software applications, location restrictions, and more.
After entering your password, you’ll be prompted to provide the second authentication factor. Depending on the service you are trying to secure, you’ll likely have the option to choose from email, SMS, or app authentication. Of these three, the authenticator app is the safest: it generates a six-digit number from the current time and your original secret key, and nothing that an attacker could intercept is sent over SMS or email.
Biometric authentication is popular but limited to devices that can scan your fingerprint, face, or voice.
A common example of two-factor authentication is receiving an email with a one-time authentication code you need to enter after your password. Apps such as Google Authenticator or Authy are 2FA examples that use time-based one-time passwords.
When you enable 2FA, you are adding another factor that the server must verify before it allows access to your user account. If either of the provided credentials is incorrect, access is denied. This extra layer is valuable if your password is stolen, since a stolen password alone will not get the attacker in.
Should you enable 2FA even if you use a strong password? Yes, you should. Even if you are using a strong password, there is no way to ensure that information from the service you’re using won’t be compromised, along with your password and username. Consequently, having multiple authentication factors as a security measure is the best thing you can do for your online privacy and safety.