Published: 20 December 2023
Contributors: Matthew Kosinski, Amber Forrest
Two-factor authentication (2FA) is an identity verification method in which users must supply two pieces of evidence, such as a password and a one-time passcode, to prove their identity and gain access to an online account or other sensitive resources.
Most Internet users are likely familiar with SMS text-based 2FA systems. In this version, an app sends a numeric code to the user's mobile phone at login. The user must enter both their password and this code to proceed. Only entering one or the other is not enough.
2FA is the most common form of multi-factor authentication (MFA), which refers to any authentication method where users must supply at least two pieces of evidence.
2FA has been widely adopted because it helps strengthen account security. User passwords can be easily cracked or falsified. 2FA adds another level of security by requiring a second factor. Not only do hackers need to steal two credentials to break into a system, but the second factor is often something difficult to hack, like a fingerprint or time-limited passcode.
When a user tries to access a resource protected by a 2FA security system—like a corporate network, for example—the system prompts the user to enter their first factor of authentication. Often, this first factor is a username/password combination.
If the first factor is valid, the system asks for a second one. There tends to be more variation in second factors, which can range from temporary codes to biometrics and more. The user can only access the resource if both factors check out.
While 2FA is usually associated with computer systems, it can also guard physical assets and locations. For example, a restricted building might require people to flash an ID badge and pass a fingerprint scan to enter.
There are multiple types of authentication factors that 2FA systems can use, and true 2FA systems use two factors of two different types. Using two different types of factors is considered more secure than using two factors of the same type because hackers need to use separate methods to crack each factor.
For example, hackers could steal a user's password by planting spyware on their computer. Yet that spyware wouldn't pick up one-time passcodes on the user's phone. The hackers would need to find another way to intercept those messages.
In most 2FA implementations, a knowledge factor serves as the first authentication factor. A knowledge factor is a bit of information that, theoretically, only the user would know. A password is the most common knowledge factor. Personal identification numbers (PINs) and answers to security questions are also typical.
Despite their widespread use, knowledge factors in general—and passwords in particular—are the most vulnerable type of authentication factor. Hackers can obtain passwords and other knowledge factors through phishing attacks, installing malware on users' devices or staging brute-force attacks in which they use bots to generate and test potential passwords on an account until one works.
Other types of knowledge factors don't present much more of a challenge. Answers to many security questions—like the classic "What is your mother's maiden name?"—can be cracked easily through basic research or social engineering attacks that trick users into divulging personal information.
It's worth noting that the common practice of requiring a password and a security question is not true 2FA because it uses two factors of the same type—in this case, two knowledge factors. Rather, this would be an example of a two-step verification process.
Two-step verification can be more secure than a password alone because it requires two factors. Still, because these are two factors of the same type, they're easier to steal than true 2FA factors.
Possession factors are things a person owns that they can use to authenticate themselves. The two most common types of possession factors are software tokens and hardware tokens.
Software tokens often take the form of one-time passwords (OTPs). OTPs are 4-8 digit, single-use passcodes that expire after a set amount of time. Software tokens can be sent to a user's phone via text message (or email or voice message) or generated by an authenticator app installed on the device.
In either case, the user's device essentially acts as the possession factor. The 2FA system assumes that only the legitimate user will have access to any information shared with or generated by that device.
While SMS-based OTPs are some of the most user-friendly possession factors, they are also the least secure. Users need an internet or cellular connection to receive these codes, and hackers can steal them through sophisticated phishing or man-in-the-middle attacks. OTPs are also vulnerable to SIM cloning, in which criminals create a functional duplicate of the victim's smartphone's SIM card and use it to intercept their text messages.
Authenticator apps can generate tokens without a network connection. The user pairs the app with their accounts, and the app uses an algorithm to continuously generate time-based one-time passwords (TOTPs). Each TOTP expires in 30-60 seconds, making it difficult to steal. Some authenticator apps use push notifications rather than TOTPs; when a user tries to log into an account, the app sends a push notification to their phone, which they must tap to confirm the attempt is legitimate.
The most common authenticator apps include Google Authenticator, Authy, Microsoft Authenticator, LastPass Authenticator and Duo. While these apps are harder to crack than text messages, they're not foolproof. Hackers can use specialized malware to steal TOTPs directly from authenticators [1] or launch MFA fatigue attacks, in which they flood a device with fraudulent push notifications in the hopes that the victim will accidentally confirm one.
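The flow the article describes (first factor checked, then the second factor requested), the single-use property of OTPs and the time-step design of TOTP can all be seen in one small server-side verifier. The following is an added example, not code from the IBM article or from any of the authenticator apps it names. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly with the standard library, checks a salted password hash first, then accepts a TOTP within one 30-second step of clock skew and refuses to accept a code a second time. The class and function names, the fixed demo salt and the demo users are assumptions; the secret used in the usage lines is the RFC 6238 test-vector key, so the codes can be checked against the RFC's published values.

```python
# Added example (not from the IBM article): a minimal server-side verifier for the
# two-step flow the article describes.  Step one checks the knowledge factor (a
# salted password hash); step two checks a time-based one-time password (TOTP,
# RFC 6238) of the kind authenticator apps generate, accepts one step of clock
# skew, and refuses to accept the same code twice.  Function and class names,
# the salt and the demo users are assumptions.
import hashlib
import hmac
import struct
import time

TIME_STEP = 30        # seconds per TOTP window (authenticator apps typically use 30)
DIGITS = 6            # code length
WINDOW = 1            # accept codes from one step before and after the current one
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, at // step, digits)


class User:
    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = b"constructed-demo-salt"  # use a random per-user salt in real code
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter_used = -1  # highest time-step counter already redeemed


def verify_login(user: User, password: str, code: str, now=None) -> str:
    """Check both factors in order; returns 'ok', 'bad-password', 'bad-code' or 'replayed-code'."""
    now = int(time.time()) if now is None else now
    # First factor: constant-time comparison of the salted password hash.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user.password_hash):
        return "bad-password"
    # Second factor: the possession factor, a TOTP from the paired authenticator app.
    if not (code.isdigit() and len(code) == DIGITS):
        return "bad-code"
    counter = now // TIME_STEP
    for c in range(counter - WINDOW, counter + WINDOW + 1):
        if hmac.compare_digest(hotp(user.totp_secret, c), code):
            if c <= user.last_counter_used:
                return "replayed-code"  # single use: a code is only good once
            user.last_counter_used = c
            return "ok"
    return "bad-code"


if __name__ == "__main__":
    # RFC 6238 test-vector key; the codes below match the RFC's SHA-1 vectors.
    secret = b"12345678901234567890"
    alice = User("alice", "correct horse", secret)
    print(totp(secret, 59))                                   # 287082
    print(verify_login(alice, "correct horse", "287082", 59))  # ok
    print(verify_login(alice, "correct horse", "287082", 59))  # replayed-code
```

Two details matter more than the arithmetic. The replay check (last_counter_used) is what makes the code genuinely "single-use": without it, anyone who captured a TOTP could reuse it for the rest of its window. And the skew window is deliberately narrow, because every extra step accepted widens the interval in which a stolen code still works.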
Hardware tokens are dedicated devices—key fobs, ID cards, dongles—that function as security keys. Some hardware tokens plug into a computer's USB port and transmit authentication information to the login page; others generate verification codes for the user to enter manually when prompted.
While hardware tokens are extremely difficult to hack, they can be stolen—as can users' mobile devices containing software tokens. In fact, lost and stolen devices are a factor in as many as 6 percent of data breaches, according to IBM's Cost of a Data Breach report.
Also called "biometrics," inherent factors are physical characteristics or traits unique to the user, like fingerprints, facial features and retinal patterns. Many smartphones and laptops produced today have built-in face and fingerprint readers, and many apps and websites can use this biometric data as an authentication factor.
While inherent factors are the most difficult to crack, it can be disastrous when they are. In 2019, a biometric database containing 1 million users' fingerprints was breached [2]. Theoretically, hackers could steal these fingerprints or link their own fingerprints to another user's profile in the database.
When biometric data is compromised, it can't be changed quickly or easily, making it hard to stop attacks in progress.
Behavioral factors are digital artifacts that verify a user's identity based on behavior patterns. Examples include a user's typical IP address range, usual location and average typing speed.
Behavioral authentication systems use artificial intelligence to determine a baseline for users' normal patterns and flag anomalous activity like logging in from a new device, phone number or location. Some 2FA systems leverage behavioral factors by allowing users to register trusted devices as authentication factors. While the user may need to supply two factors at first login, use of the trusted device will automatically act as the second factor in the future.
Behavioral factors also play a role in adaptive authentication systems, which change authentication requirements based on risk level. For example, a user may only need a password to log into an app from a trusted device on the company network, but they may need to add a second factor to log in from a new device or an unknown network.
While behavioral factors offer a sophisticated way to authenticate end users, they require significant resources and expertise to deploy. Moreover, if a hacker gains access to a trusted device, they can impersonate the user.
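The adaptive policy described in the last three paragraphs can be expressed as a small risk engine: a per-user baseline (usual networks, usual country, registered trusted devices) is compared with the context of each login, and the result decides whether the password alone is enough or a second factor must be added. The code below is an added example, not the article's or any vendor's implementation. It also covers the caveat about trusted devices by making device trust expire and by stepping up even from a trusted device when another signal (unknown network, new location) is present. All names, the sample CIDR range, the 30-day expiry and the demo baseline are constructed assumptions.

```python
# Added example (not from the IBM article): a small adaptive-authentication
# policy of the kind the article describes.  A per-user baseline holds usual
# networks, the usual country and registered trusted devices; each login is
# scored against it to decide whether a second factor is required.
# All names, CIDR ranges, expiry and demo values are constructed assumptions.
import ipaddress
from dataclasses import dataclass, field

TRUSTED_DEVICE_TTL = 30 * 24 * 3600  # assumed policy: device trust expires after 30 days


@dataclass
class Baseline:
    usual_networks: list            # CIDR strings, e.g. the company network
    usual_country: str
    trusted_devices: dict = field(default_factory=dict)  # device_id -> registered-at (epoch s)


@dataclass
class LoginContext:
    ip: str
    country: str
    device_id: str
    now: int


def risk_signals(baseline: Baseline, ctx: LoginContext) -> list:
    """Return the anomalies observed for this login attempt (empty list = nothing unusual)."""
    signals = []
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(n) for n in baseline.usual_networks):
        signals.append("unknown-network")
    if ctx.country != baseline.usual_country:
        signals.append("new-location")
    registered = baseline.trusted_devices.get(ctx.device_id)
    if registered is None:
        signals.append("new-device")
    elif ctx.now - registered > TRUSTED_DEVICE_TTL:
        signals.append("trust-expired")
    return signals


def required_factors(baseline: Baseline, ctx: LoginContext) -> list:
    """Password only from a trusted device on a usual network; otherwise step up to 2FA."""
    if not risk_signals(baseline, ctx):
        return ["password"]
    return ["password", "second-factor"]


def register_trusted_device(baseline: Baseline, device_id: str, now: int) -> None:
    """Record a device as trusted.  Call this only after a full 2FA login succeeded on it."""
    baseline.trusted_devices[device_id] = now


if __name__ == "__main__":
    # Constructed demo: corporate 10/8 network, user normally in the US.
    base = Baseline(usual_networks=["10.0.0.0/8"], usual_country="US")
    register_trusted_device(base, "laptop-1", now=1_000_000)
    print(required_factors(base, LoginContext("10.1.2.3", "US", "laptop-1", 1_000_100)))
    print(required_factors(base, LoginContext("203.0.113.5", "US", "laptop-1", 1_000_100)))
```

The expiry and the "any signal steps up" rule are the defensive part: a trusted device that is lost or stolen stays useful to whoever holds it only until the trust lapses, and only from the networks and locations the baseline already knows.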
Because knowledge factors are so easy to compromise, many organizations are exploring passwordless authentication systems that only accept possession, inherent and behavioral factors. For example, asking a user for a fingerprint and a physical token would constitute a passwordless 2FA configuration.
While most current 2FA methods use passwords, industry experts anticipate an increasingly passwordless future. Major technology providers like Google, Apple, IBM and Microsoft have begun rolling out passwordless authentication options [3].
According to IBM's Cost of a Data Breach report, phishing and compromised credentials are among the most common cyberattack vectors. Together, they account for 31 percent of data breaches. Both vectors often work by stealing passwords, which hackers can then use to hijack legitimate accounts and devices to wreak havoc.
Hackers typically target passwords because they're pretty easy to crack through brute force or deception. Furthermore, because people reuse passwords, hackers can often use a single stolen password to break into multiple accounts. The consequences of a stolen password can be significant for users and organizations, leading to identity theft, monetary theft, system sabotage and more.
2FA helps thwart unauthorized access by adding an extra layer of security. Even if hackers can steal a password, they still need a second factor to get in. Moreover, these second factors are usually harder to steal than a knowledge factor; hackers would have to falsify biometrics, mimic behaviors or pilfer physical devices.
Organizations can also use two-factor authentication methods to meet compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI-DSS) explicitly requires MFA for systems that handle payment card data [4]. Other regulations like the Sarbanes-Oxley (SOX) Act and the General Data Protection Regulation (GDPR) don't explicitly require 2FA. However, 2FA can help organizations meet the strict security standards these laws set.
In some instances, organizations have been compelled to adopt multi-factor authentication in the wake of data breaches. For example, in 2023, the Federal Trade Commission ordered the online alcohol seller Drizly to implement MFA following a breach that affected 2.5 million customers [5].
[1] Android malware can steal Google Authenticator 2FA codes, ZDNET, 26 February 2020
[2] '1m fingerprint' data leak raises doubts over biometric security, ScienceDirect, September 2019
[3] You no longer need a password to sign in to your Google account, The Verge, 3 May 2023
[4] PCI DSS: v4.0, PCI Security Standards Council, March 2022
[5] In the Matter of Drizly, LLC, Federal Trade Commission, 10 January 2023