What is Two-Factor Authentication?

Data breaches are more common these days and they have an alarming impact on businesses globally—totaling more than $2 trillion in annual damages. As organizations work to secure their digital infrastructure and assets, it’s clear that single-factor authentication (and especially password-based authentication) is far from enough. Passwords are easily compromised, especially due to poor password hygiene, but also because they are rarely changed, re-used across accounts, frequently shared, and often stored in an unsecured location.

Adding a second factor to authenticate users is necessary in just about every enterprise use case today.

Two-factor authentication provides an added layer of protection against many of the most common types of cyber threats, including:

• Stolen passwords: As mentioned above, poor password hygiene makes it easy to steal passwords. 2FA ensures that a stolen password is not all that’s needed to breach an account.
• Brute-force attacks (password hacking): Hackers use increasingly accessible computing power to randomly generate passwords until they “crack” the code. But computing power can’t hack a second factor.
• Phishing: Phishing remains one of the most common — and most effective — means of stealing user credentials. Again, 2FA protects against unauthorized access in the event that a username and password are stolen via a phishing attack.
• Social Engineering: Clever hackers increasingly use social media to launch attacks that trick users into willingly giving up their credentials. But without the second factor, the hacker cannot access the account.

The basic 2FA login workflow is familiar to almost everyone by now. While the specifics differ based on the factors used, the basic process is as follows:

1. Application/website prompts the user to log in.
2. The user provides the first factor. This first factor is almost always something the user “knows,” such as the username/password combo, or a one-time passcode generated by a hardware token or smartphone app.
3. The site/app validates the first factor and then prompts the user to provide the second factor. This second factor is typically something the user “has,” such as a security token, ID card, smartphone app, etc.
4. Once the site/app has validated the second factor, the user is granted access.

Authenticators and authentication tokens encompass four main categories: something you have, something you know, something you are, or where you are.

• Something you have: A physical access card, a smartphone or other device, or a digital certificate
• Something you know: A pin code or password
• Something you are: Biometrics, such as fingerprints or retina scans

The classic username/password combination is technically a rudimentary form of two-factor authentication. But because both the username and password fall into the “something you know” category, this combination is more easily compromised.

Hardware tokens

Hardware tokens are small physical devices users present to gain access to a resource. Hardware tokens can be connected (i.e., USB, smart card, one-time password key fobs) or contactless (i.e., Bluetooth tokens). These tokens are carried with the user. The very first form of modern 2FA, introduced in 1993 by RSA, used a handheld device with a tiny screen that displayed randomly generated numbers that were matched against an algorithm to validate the holder of the device. Hardware tokens also can be lost or stolen.

SMS-based tokens

As cellphones became more common, SMS-based 2FA quickly became popular. The user enters their username and then receives a one-time passcode (OTP) via SMS (text) message. A similar option uses a voice call to a cell phone to provide the OTP. In both cases, the transmission of the OTP is relatively easy to hack, making this a less-than-ideal form of 2FA.

App-based tokens

The advent of smartphones and other smart mobile devices has made app-based 2FA very popular. Users install an app on their device (also can be used on a desktop). When they log in, the app provides a “soft token,” such as an OTP, that is displayed on the device and must be entered on the login screen. Because the soft token is generated by the app on the device, this eliminates the risk of the OTP or soft token being intercepted in transmission.

Push notifications

Perhaps the most seamless and convenient from a user perspective, 2FA via push notification doesn’t ask the user to enter a soft token. Instead, a website or app directly sends a push notification to the user’s mobile device. The notification alerts the user of the authentication attempt and asks the user to approve or deny access with a single click or tap. This method of 2FA is highly secure and extremely convenient, but it depends on internet connectivity.

Passwordless Authenticators

The types of authenticators available have evolved to include passwordless options such as FIDO, biometrics, and PKI-based digital credentials for authentication.

2FA vs. MFA: What's the difference?

Two-factor authentication (2FA) requires users to present two types of authentication, while multi-factor authentication (MFA) requires users to present at least two if not more types of authentication. This means that all 2FA is an MFA, but not all MFA is a 2FA. While multi-factor authentication can require any combination of authenticators and authentication tokens to gain access to a resource, application, or website, 2FA authentication only requires two predefined authenticators to access a resource. Depending on your organization’s needs, 2FA authentication might provide the step-up in security that your organization is searching for while enabling a frictionless experience for end-users.

The various types of factors that can be used to enable two-factor authentication are discussed above. But even within each type of authenticator, there are many different options to choose from — and new technologies coming out constantly. How do you choose which factors to use for your 2FA protocol? Here are a few questions to help you consider the right choice:

• Do you want authentication to be transparent to the user?
• Would you like the user to carry a physical device or authenticate online?
• Do you want the website to authenticate itself to the user as well?
• How sensitive is the information you are protecting and what is the associated risk?
• Is physical access (link) to offices, labs, or other areas part of your user requirement?

Entrust provides the expert guidance to step up your security with high assurance multi-factor authentication. We support the widest range of 2FA security authenticators, allowing you to choose the best option to fit your security needs and use cases. More importantly, Entrust can provide expert, consultative guidance to help you select the right option(s) and simplify your shift to high-assurance, two-factor authentication.

Two-factor authentication is the most ubiquitous form of multi-factor authentication, which makes it a perfect fit for use cases where a variety of people need access to data. For instance, healthcare applications commonly use 2FA because it enables physicians and other clinicians to access sensitive patient data on demand — often from personal devices.

Similarly, 2FA banking and finance applications can help protect account information from phishing and social engineering attacks while enabling mobile banking for consumers.

Industry applications for 2FA:

• Healthcare
• Banking
• Retail
• Higher education
• Social Media
• Government/Federal institutions

What are the threats/risks of two-factor authentication?

There are several approaches that hackers employ in an attempt to thwart MFA and 2FA. They include:

• Social engineering: In a social engineering attack, hackers pose as a legitimate source asking for personally identifiable information.
• Technical attacks: Technical attacks include malware and trojans.
• Physical theft: Physical possession of a smartphone or other mobile device by a bad actor can pose a threat to 2FA.
• Subverting account recovery: Because the password reset process often bypasses 2FA, hackers can sometimes leverage just a username to subvert 2FA.

2FA provides a major step up from single-factor authentication — particularly traditional password-based authentication and all its human-factor flaws. It is secure enough, but multi-factor authentication (MFA) is now considered the de facto solution for authenticating users. Compliance requirements like PCI DSS also have replaced 2FA with MFA and government entities are mandating MFA across federal institutions. With MFA, there is the ability to add more form factors (not passwords) to enhance security. Using biometrics for user authentication in combination with device verification and adding risk-based contextual controls enables evaluation of the user’s and device’s risk posture before granting access. MFA with passwordless options and risk-based adaptive authentication is the way forward for enhanced security.

What are the most common authenticators/authentication tokens?