What is 2FA: two-factor authentication?
Learn how 2FA protects user accounts, defends organizations against cyberattacks, and supports a zero-trust security approach.
Isometric illustration of two-factor authentication process
What is 2FA?

2FA, or two-factor authentication, is an identity verification method that requires a user to provide a second authentication factor in addition to a password or two authentication factors instead of a password in order to access a web site, application or network. For example, when an online banking app requires a customer to enter both a password and a verification code sent to the customer’s mobile phone by SMS text, the app is using 2FA.

Because it takes more work to hack a second authentication factor, and because other types of factors are more difficult to steal or falsify, 2FA improves account security and better protects an organization and its users from unauthorized access.

2FA is the most commonly used type of multi-factor authentication (MFA) – authentication requiring at least one authentication factor in addition to a password, or at least two authentication factors instead of a password.

Types of authentication factors used in 2FA

Two-factor authentication reduces the risk of unauthorized access in two ways. First, it forces hackers to hack two factors instead of just one. Second, at least one of the factors required by 2FA is more difficult to hack than a password.

Ultimately, the strength of any 2FA scheme depends on the types of authentication factors it requires a user to provide.

Knowledge factors: Something the user knows

In the vast majority of 2FA implementations, a knowledge factor serves as the first authentication factor. A knowledge factor is a bit of information that, theoretically, only the user would know. A password is the most common knowledge factor; personal identification numbers (PINs) and answers to security questions are others.

Despite their widespread use, knowledge factors in general — and passwords in particular — are the most vulnerable type of authentication factor. Hackers can obtain passwords and other knowledge factors through phishing attacks, installing keystroke recorders or spyware on users' devices, or staging brute-force attacks — running scripts or bots that generate and test potential passwords until one works.

Other types of knowledge factors don't present much more of a challenge. Answers to some security questions — e.g., “What is your mother's maiden name?” — can be cracked easily through basic research or social engineering attacks, in which hackers trick users into divulging personal information. Other security questions — e.g., “Where did you go on your honeymoon?” — can be relatively easy to guess. Small wonder that compromised credentials were the most commonly exploited initial attack vector in 2021, accounting for 20 percent of all data breaches.

It’s worth noting that the still common practice of requiring a password and a security question — two knowledge factors - is not 2FA; it’s two-step verification. True 2FA requires two different types of authentication factors.

Possession factors: Something the user has

Possession factors are physical objects users carry with them, containing information required to authenticate. There are two types of possession factors: software tokens, and hardware tokens.

Today, most software tokens are one-time passwords (OTPs) — time-expiring 4- to 8-digit passcodes that are sent to a user’s phone via SMS text message (or email, or voice message), or generated by an authenticator app installed on the phone. Authenticator apps can generate tokens without an internet or cellular connection. The user pairs the app with accounts by scanning QR codes displayed by service providers; the app then continuously generates time-based one-time passwords OTPs (TOTPs) or other software tokens for each account, typically every 30-60 seconds. The most commonly used authenticator apps include Google Authenticator, Authy, Microsoft Authenticator, LastPass Authenticator, and Duo, which uses push notifications rather than TOTPs.

Hardware tokens are dedicated devices - fobs, ID cards, dongles — that function as security keys. Some hardware tokens plug into a computer's USB port and transmit authentication information to the login page; others generate security codes for the user to enter manually when prompted.

Possession factors offer several advantages over knowledge factors. To impersonate a user, at the time of log-in a hacker needs to have the physical device in hand or intercept the transmission to the device to acquire the OTP or TOTP before it expires.

But possession factors aren’t uncrackable. Physical tokens and smartphones can be stolen or misplaced. While OTPs and TOTPs are more difficult to steal than traditional passwords, they are still susceptible to sophisticated phishing or man-in-the-middle attacks. And OTPs are vulnerable to SIM cloning - creating a functional duplicate of the victim's smartphone's SIM card.

Inherent factors: Something unique to the user as a person

Inherent factors, also called biometrics, are physical characteristics or traits unique to the user — a fingerprint, a voice, facial features, or iris and retinal patterns. Today mobile devices can be unlocked using fingerprints or facial recognition; some computers can use fingerprints to enter passwords into websites or applications.

Inherent factors are the most difficult factors to crack: They can't be forgotten, lost, or misplaced, and they are extraordinarily difficult to replicate. But that doesn't mean they're foolproof. If inherent factors are stored in a database, they can be stolen. For example, in 2019, a biometric database containing 1 million users' fingerprints was breached. Theoretically, hackers could steal these fingerprints or link their own fingerprints to another user's profile in the database.

When biometric data is compromised, it can't be changed quickly or easily, making it difficult for victims to stop attacks in progress.

Behavioral factors: Something the user does

Behavioral factors are digital artifacts that verify a user's identity based on behavior patterns. Examples include an IP address range or the location data indicating the area from which a user typically logs into an application.

Behavioral authentication solutions use artificial intelligence to determine a baseline for users' normal behavioral patterns and then flag anomalous activity, such as logging in from a new device, phone number, web browser, or location. Some 2FA implementations leverage behavioral factors by allowing users to register trusted devices as authentication factors. While the user may need to manually supply two factors at first login, use of the trusted device will automatically act as the second factor in the future.

Behavioral factors are commonly used in adaptive authentication, also called “risk-based authentication.” In this system, authentication requirements change when risk changes — such as when a user attempts to log in from an untrusted device, attempts to access an application for the first time, or attempts to access particularly sensitive data. Adaptive authentication schemes typically permit system admins to set separate authentication policies for each type of user or role. Low-risk users may only need two factors to log in, whereas high-risk users — or highly sensitive apps — may require three or more factors.

While behavioral factors offer a sophisticated way to authenticate users, they require significant resources and expertise to deploy. Moreover, if a hacker gains access to a trusted device, they can use it as behavioral authentication factor.

Passwordless 2FA

Because compromised knowledge factors are the most common initial vector in cybersecurity breaches, many organizations are exploring passwordless  authentication — authentication that relies on possession, inherent, and behavioral factors to verify identities. Passwordless authentication reduces vulnerability to attacks that target passwords, such as phishing attacks and credential stuffing, in which hackers use credentials stolen from one system to gain access to another.

While most current 2FA methods use passwords, industry experts anticipate an increasingly passwordless future as more organizations move away from what is widely considered the weakest link in the identity verification chain. This is likely to drive the adoption of passwordless 2FA systems, in which users must provide two different types of non-knowledge factor authentication credentials. For example, asking a user for a fingerprint and a physical token would constitute a passwordless 2FA configuration.

2FA and regulatory compliance

In response to the rising tide of cyberattacks, many government and industry regulations now require MFA for systems that handle sensitive data. For example:

  • The Internal Revenue Service (IRS) mandated MFA for providers of online tax preparation systems in 2020. 
  • President Biden's 2021 Executive Order on Improving the Nation's Cybersecurity made MFA a requirement for all federal agencies. A follow-up memorandum requires all national security, Department of Defense, and intelligence community systems to implement MFA by August 18, 2022. 
  • The Payment Card Industry Data Security Standard (PCI-DSS) explicitly requires MFA for systems that handle credit card and payment card data.

Two-factor authentication methods meet the minimum level of compliance with these and other regulations. Many other regulations, including the Sarbanes-Oxley Act (SOX) and HIPAA, strongly recommend using at least 2FA as a means of achieving compliance.

2FA, single sign-on and zero trust

Single sign-on (SSO) is an authentication method allowing users to access multiple related applications and services through one set of login credentials. The user logs in once, and an SSO solution authenticates their identity and generates a session authentication token. This token acts as the user's security key for various interconnected applications and databases.

To alleviate the risk of relying on a single set of credentials for multiple applications, organizations often enable 2FA for SSO logins. This provides an extra layer of security by requiring two different authentication factors before a user can access the SSO session.

Organizations may implement adaptive authentication for SSO, combining 2FA for the initial log-in and access to less-sensitive applications and content, and requiring additional authentication factors when the user attempts to access more sensitive data or demonstrates abnormal behavior (such as attempting to connect through an unrecognized VPN). This is particularly common in zero trust cybersecurity architectures, where a user’s identity is never trusted and always verified as the user moves about the network.

Related Solutions Identity and access management (IAM)

Connect every user to the right level of access with IBM Security® Verify IAM solution.

Cloud IAM solutions

Infuse cloud IAM with deep context for risk-based authentication to enable frictionless, secure access for your consumers and workforce.

Identity governance and administration (IGA)

Enable a risk-aware, extensible IAM governance across on-premises and hybrid cloud environments.

Single sign-on (SSO) authentication

Centralize access control for cloud and on-prem applications.

Adaptive access

Protect users and assets proactively with AI-assisted, risk-based authentication with IBM Security Verify.

Zero trust solutions

Discover security solutions wrapped around every user, every device and every connection.

Resources IAM (Identity and Access Management) Zero trust Mobile security Security controls Cloud security Insider threats