What is 2FA (two-factor authentication)?

Authors

Matthew Kosinski

Staff Editor

IBM Think

Amber Forrest

Staff Editor | Senior Inbound, Social & Digital Content Strategist

IBM Think

Jim Holdsworth

Staff Writer

IBM Think

What is 2FA?

Two-factor authentication (2FA) is a way of verifying a user’s identity by asking for two pieces of proof of different kinds, such as the password to an online account (the first factor) and a one-time passcode from an authenticator app (the second factor).

Most people are familiar with SMS-based 2FA. In this version, the service sends a numeric code by text message to the user's mobile phone at login. The user must enter both their password and the code to proceed; entering only one or the other is not sufficient.

2FA is the most common form of multifactor authentication (MFA), which refers to any authentication method where users must supply more than one authentication factor to prove their identity. 

While 2FA is often associated with computer systems, it can also guard physical assets and locations. For example, a restricted building might require people to present an ID badge and pass a fingerprint scan to enter.

According to IBM's Cost of a Data Breach Report, compromised credentials cause 10% of data breaches. Passwords are relatively easy for threat actors to steal through phishing, spyware or brute-force attacks.

Two-factor authentication strengthens account security by requiring a second factor. Not only must an attacker obtain two credentials to break into an account, but the second factor is usually much harder to steal than a password. Common second factors include biometrics such as fingerprints, physical security keys and short-lived one-time passcodes.


Types of authentication factors

Authentication factors are the credentials users supply to verify their identities. They fall into several types, and true 2FA requires two factors of two different types.

Using two different types of factors is more secure than using two factors of the same type because an attacker must defeat two different kinds of control to obtain both.

For example, hackers can steal a user's password by planting spyware on their computer. Yet that spyware wouldn't pick up one-time passcodes on the user's smartphone. The hackers would need to find another way to intercept those messages. 
 
Types of authentication factors include:

  • Knowledge factors
  • Possession factors
  • Inherent factors 
  • Behavioral factors

Knowledge factors: Something the user knows

A knowledge factor is a piece of information that, theoretically, only the user would know. A password is the most common knowledge factor. Personal identification numbers (PINs) and answers to security questions are also typical.

In most 2FA implementations, a knowledge factor serves as the first authentication factor. 

Despite their widespread use, knowledge factors are the most vulnerable type of authentication factor. Hackers can obtain passwords through phishing attacks, malware or brute-force attacks in which they use bots to generate and test potential passwords on an account until one works.

Nor do other types of knowledge factors present a great challenge to cybercriminals. Answers to many security questions—such as the classic "What is your mother's maiden name?"—can be cracked easily through basic research or social engineering attacks that trick users into divulging personal information.

The common practice of requiring a password and a security question is not true 2FA because it uses two factors of the same type—in this case, two knowledge factors.

Two knowledge factors would be an example of a two-step verification process. The process has two steps—entering a password and answering a question—but uses only one kind of factor.

Two-step verification can be more secure than a password alone because it requires two pieces of evidence. However, because these are two factors of the same type, they're easier to steal than two different types of factors.

Possession factors: Something the user has

Possession factors are things that a person owns. The two most common types of possession factors are software tokens and hardware tokens.

Software tokens often take the form of one-time passwords (OTPs). OTPs are usually 4–8 digit, single-use passcodes that expire after a set amount of time. Software tokens can be sent to a user's phone by text message, email or voice message. Tokens can also be generated by an authenticator app installed on the device.

With a software token, the user's device acts as the possession factor. The 2FA system assumes that only the legitimate user has access to any information delivered to or generated by that device. 

While SMS-based OTPs are among the most user-friendly possession factors, they are also the least secure. Users need a cellular connection to receive the code, and attackers can steal it with phishing pages that relay the code to the real site before it expires, or with other man-in-the-middle attacks.

SMS OTPs are also vulnerable to SIM swapping, in which criminals convince the victim's carrier to move the phone number to a SIM card they control, and to the rarer SIM cloning, in which they create a working duplicate of the victim's SIM. Either way, the victim's text messages, including OTPs, are delivered to the attacker.

Authenticator apps such as Google Authenticator, Authy, Microsoft Authenticator and Duo can generate tokens without a network connection. A user pairs the app with a service, usually by scanning a QR code that carries a shared secret. From then on, the app derives a time-based one-time password (TOTP) from that secret and the current time, so the app and the service agree on the code without communicating. Each TOTP is valid only for a short window, typically 30 seconds, so an intercepted code is useful to an attacker only briefly.
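How the app and the service arrive at the same code, as an added example in Go that is not from the article or from any of the apps named above: it implements RFC 4226 HOTP and RFC 6238 TOTP over a shared secret, and pairs them with the server-side check a practitioner should run, namely a one-step clock-skew window, a constant-time comparison and a refusal to accept a code for a time step that has already been used. The HMAC-SHA-1 algorithm, 6 digits and 30-second step are assumed defaults (they are what most apps use when a QR code is scanned), and the enrollment secret is constructed from the RFC 6238 test-vector key rather than a real account.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
)

// Assumed parameters, not stated in the article: HMAC-SHA-1, 6 digits and a
// 30-second step, the defaults most authenticator apps use when a QR code is scanned.
const (
	totpDigits = 6
	totpStep   = 30
)

// hotp computes an RFC 4226 HMAC-based one-time password for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp maps a Unix time to a counter (RFC 6238) and reuses hotp.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep), totpDigits)
}

// Verifier is the server-side state for one enrolled user.
type Verifier struct {
	secret   []byte
	lastStep int64 // highest time step already accepted, used to refuse replays
}

// Verify accepts a code for the current step or one step either side (clock
// skew) and refuses any step at or below one that has already been used, so a
// code captured by phishing cannot be replayed once the victim has logged in.
func (v *Verifier) Verify(code string, now int64) bool {
	step := now / totpStep
	for _, delta := range []int64{0, -1, 1} {
		candidate := step + delta
		if candidate <= v.lastStep {
			continue
		}
		expected := hotp(v.secret, uint64(candidate), totpDigits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = candidate
			return true
		}
	}
	return false
}

func main() {
	// Constructed enrollment secret in the base32 form an otpauth:// QR code carries;
	// it decodes to the RFC 6238 test-vector key "12345678901234567890".
	secret, _ := base32.StdEncoding.DecodeString("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	fmt.Println(totp(secret, 59)) // 287082, matching the RFC 6238 test vector
	v := &Verifier{secret: secret}
	fmt.Println(v.Verify(totp(secret, 59), 59))   // true
	fmt.Println(v.Verify(totp(secret, 59), 61))   // false: that time step was already used
	fmt.Println(v.Verify(totp(secret, 120), 200)) // false: the code is two steps old
}
```

The replay rule is the part most hand-rolled verifiers omit. Without it, a code phished inside its 30-second window still works at the real site even after the victim has used it; with it, each time step can authenticate exactly one login.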

Some authenticator apps use push notifications rather than TOTPs. When a user logs in to an account, the service sends a push notification to the app on their iOS or Android device, which they must tap to confirm that the attempt is legitimate.

While authenticator apps are harder to compromise than text messages, they're not foolproof. Malware on the phone can read TOTP codes or the seeds they are derived from, and a phishing page can relay a code to the real site before it expires. Attackers can also launch MFA fatigue attacks, in which they flood a device with fraudulent push notifications in the hope that the victim accidentally approves one.

Hardware tokens are dedicated devices—such as key fobs, ID cards or dongles—that function as security keys. Some hardware tokens plug into a computer's USB port and transmit authentication information to the login page. Other tokens generate verification codes for the user to enter manually when prompted.

While hardware tokens are difficult to hack, they can be stolen—as can users' mobile devices containing software tokens. According to IBM's Cost of a Data Breach Report, lost and stolen devices are a factor in as many as 9% of data breaches.

Inherent factors: Something unique to the user as a person

Also called “biometrics”, inherent factors are physical characteristics or traits unique to the user, such as fingerprints, facial features or retinal patterns. Many smartphones and laptops have built-in face and fingerprint readers, and many apps and websites can use this biometric data as an authentication factor.

While inherent factors are the most difficult to crack, the results can be disastrous when they are. If a hacker does gain access to a biometric database, they can steal that data or link their own biometrics to another user’s profile. When biometric data is compromised, it can’t be changed quickly or easily, making it difficult to stop attacks in progress.

Advances in artificial intelligence (AI) image generation have cybersecurity experts concerned that hackers might use these tools to trick facial recognition software. 

Behavioral factors: Something the user does

Behavioral factors are signals drawn from how a user typically behaves, such as the IP address range they usually connect from, their usual location or their average typing speed.

Behavioral authentication systems use AI and machine learning (ML) to determine a baseline for a user’s normal patterns and flag anomalous activity, such as logging in from a new device, phone number or location.

Some two-factor authentication systems allow users to register trusted devices as factors. While the user might need to supply two factors at first login, use of the trusted device automatically acts as the second factor in the future.

Behavioral factors also play a role in adaptive authentication systems, which change authentication requirements based on risk level. For example, a user might need only a password to log in to an app from a trusted iPhone on the company network. That user might need to add a second factor to log in from a new device or an unknown network. 

While behavioral factors offer a sophisticated way to authenticate users, they require significant resources and expertise to deploy. Moreover, if a hacker gains access to a trusted device, they can easily impersonate the user.


Passwordless 2FA

Passwordless two-factor authentication systems accept only possession, inherent and behavioral factors—no knowledge factors. For example, asking a user for a fingerprint together with a physical token would constitute passwordless 2FA.

Passwordless authentication does away with knowledge factors because they are easy to compromise. While most current 2FA methods use passwords, industry experts anticipate an increasingly passwordless future. 

Passkeys, which are based on the FIDO2 and WebAuthn standards, are one of the most common passwordless forms of authentication. They use public key cryptography: the user's device generates a key pair for each site, the site stores only the public key, and at login the device proves possession of the private key by signing a fresh challenge from the site. Because the signed data also records the origin of the page that requested the login, a look-alike site cannot phish a passkey the way it can phish a password or an OTP.
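The challenge-response exchange behind a passkey login, as an added Go example that is not from the article or from the FIDO specifications: a simplified model of a WebAuthn assertion in which the authenticator signs SHA-256(relying-party ID) followed by SHA-256(client data), and the site checks the credential, the challenge, the origin and finally the signature. The site name example.com, the phishing origin evil.example, the type and function names, and the use of Ed25519 are all assumptions made for the example; real WebAuthn messages carry more fields and use CBOR and COSE encodings, and a real browser would refuse to let evil.example request a credential for example.com at all. The origin check here shows why that binding matters even when a challenge is relayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// clientData is what the browser binds into the signed message: the server's challenge
// and the origin of the page that requested the login (simplified; assumption).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the authenticator's answer to one login challenge.
type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// relyingParty is the website. It stores only public keys, so a breach of this table
// gives an attacker nothing that can be used to log in.
type relyingParty struct {
	id     string                       // hypothetical RP ID, e.g. "example.com"
	origin string                       // the only origin allowed to request logins
	keys   map[string]ed25519.PublicKey // credential ID -> public key
}

func newRelyingParty(id, origin string) *relyingParty {
	return &relyingParty{id: id, origin: origin, keys: map[string]ed25519.PublicKey{}}
}

// authenticator models the passkey holder (phone, security key or laptop).
type authenticator struct {
	credID string
	priv   ed25519.PrivateKey
}

// register creates a per-site key pair; only the public half leaves the device.
func register(rp *relyingParty) *authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	id := make([]byte, 16)
	rand.Read(id)
	a := &authenticator{credID: hex.EncodeToString(id), priv: priv}
	rp.keys[a.credID] = pub
	return a
}

// newChallenge issues a fresh random nonce for each login attempt.
func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// sign is the client side: the browser records the origin it is running on and the
// authenticator signs SHA-256(rpID) || SHA-256(clientDataJSON).
func (a *authenticator) sign(rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cd)
	msg := append(rpHash[:], cdHash[:]...)
	return assertion{ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, msg)}
}

// verify is the server side: every binding is checked, then the signature.
func (rp *relyingParty) verify(credID, challenge string, as assertion) error {
	pub, ok := rp.keys[credID]
	if !ok {
		return fmt.Errorf("unknown credential %q", credID)
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin { // a relayed challenge arrives signed over the phishing origin
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	rpHash := sha256.Sum256([]byte(rp.id)) // a key made for another site cannot verify here
	cdHash := sha256.Sum256(as.ClientDataJSON)
	if !ed25519.Verify(pub, append(rpHash[:], cdHash[:]...), as.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	rp := newRelyingParty("example.com", "https://example.com") // hypothetical site
	user := register(rp)
	ch := rp.newChallenge()
	fmt.Println("genuine:", rp.verify(user.credID, ch, user.sign(rp.id, rp.origin, ch)))
	fmt.Println("phished:", rp.verify(user.credID, ch, user.sign(rp.id, "https://evil.example", ch)))
	fmt.Println("replayed:", rp.verify(user.credID, rp.newChallenge(), user.sign(rp.id, rp.origin, ch)))
}
```

The genuine login verifies; the assertion relayed through the phishing site fails on the origin check even though it carries the real challenge and a valid signature, and the captured assertion fails against the next challenge. Contrast this with an OTP, which carries neither an origin nor a challenge and so verifies wherever it is typed.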

Benefits of 2FA

According to the Cost of a Data Breach Report, compromised credentials and phishing are among the most common cyberattack vectors. Together, they account for about 26% of data breaches. Both vectors often work by stealing passwords, which hackers can then use to hijack legitimate accounts and devices to wreak havoc.

Hackers typically target passwords because they're comparatively easy to crack through brute force or deception. Furthermore, because people reuse passwords, hackers can often use a single stolen password to break into multiple accounts. The consequences of a stolen password can be significant for users and organizations, leading to identity theft, monetary theft, system sabotage and more.

Two-factor authentication helps thwart unauthorized access by adding an extra layer of security to identity and access management (IAM) systems. Even if hackers can steal a password, they still need a second factor to gain access to an account. 

Moreover, these second factors are usually harder to steal than a knowledge factor. Hackers would need to falsify biometrics, mimic behaviors or pilfer physical devices. 

Two-factor authentication methods can also help organizations meet certain compliance obligations. For example, the Payment Card Industry Data Security Standard (PCI DSS) explicitly requires MFA for systems that handle payment card data.

Other regulations, including the Sarbanes-Oxley (SOX) Act and the General Data Protection Regulation (GDPR), don't explicitly require 2FA. However, 2FA can help organizations meet the strict security standards these laws set.

Can two-factor authentication be hacked?

While two-factor authentication is stronger than single-factor authentication, especially password-only logins, 2FA is not foolproof. One common technique is to abuse account recovery systems, which can let an attacker sidestep 2FA and seize an account.

For example, a hacker can pretend to be a valid user who has lost access and needs to reset their account credentials. Account recovery systems often require some other means of authentication, such as the answer to a security question. If that question is as basic as “mother’s maiden name,” the hacker can discover the answer with a little research. The hacker can then reset the account password, locking out the real user.  

Hackers can also compromise one account by gaining access to another. For example, if an attacker wants to break into a sensitive corporate system, they might first take over a user’s email account. They can then request a password reset with the corporate system, which sends an email to the account the hacker now controls.

SMS-based 2FA, perhaps the most common form of 2FA, can be defeated by SIM swapping, a social engineering attack on the phone provider. The attacker poses as the target and contacts the target’s carrier, claiming the phone was lost or stolen and asking to move the number to a new SIM. OTPs are then sent to the phone the attacker controls instead of the target’s phone.

Users can defend against these attacks by ensuring that all their accounts—from email accounts to accounts with phone providers—require strong 2FA or MFA. Setting MFA on everything makes it harder for hackers to use one account to compromise another.

Users can also make sure that the authentication factors they choose are hard to crack. Biometrics and physical security tokens, for example, are harder to steal than security question answers.  
