What is Two Factor Authentication (2FA)?

Two-factor authentication (2FA) enhances account security by using two methods of authentication to verify a user’s identity. 2FA is commonly used to provide a second layer of security in addition to traditional passwords. Some 2FA systems do away with passwords altogether.

Two-factor authentication can sometimes be inconvenient for users, but it is widely recognized as an important security measure that can prevent credential theft and fraud.

In this article:

Why is 2FA Important?
2FA vs. MFA
What Are Authentication Factors?
How Does 2FA Work?
Common Types and Examples of Two-Factor Authentication
2FA: Benefits and Challenges
Best Practices for Implementing and Managing Two-Factor Authentication

Why is 2FA Important?

Two-factor authentication means an application or service double-checks that a request is actually coming from a user, by verifying their login using two different methods.

2FA immediately eliminates the risk associated with password compromise. Even if a password is hacked, guessed, or phished, this is not sufficient to gain unauthorized access. Compromising a password alone is useless to an attacker.

In addition, 2FA creates an environment where users are more aware of secure access concerns. When a 2FA notification reaches the user, the user must say if they initiated the session, or if someone else is trying to access their account. This underscores the importance of security in all transactions. Other cybersecurity technologies are reactive and do not engage end users as collaborators, but 2FA has the potential to create a partnership between users and administrators.

2FA vs. MFA

Two-factor authentication (2FA) involves two steps to identify a user. 2FA also prevents identity theft by using time-sensitive, one-time passwords.

Multi-Factor Authentication (MFA) involves two or more steps or processes to identify a user.

Companies with strict security requirements, such as healthcare facilities, government agencies, and financial services, often choose multi-factor authentication over two-factor authentication. In general, the more authentication methods are used, the more secure user access will be.

Related content: Read our guide to multi-factor authentication

What Are Authentication Factors?

There are several methods to authenticate a person—these are known as authentication factors. Two-factor authentication can use any of the following:

Knowledge factors such as passwords, security questions, or personal identification numbers (PIN)
Possession factors such as physical security tokens, access control apps on a user’s smartphone or mobile device, or a government-issued ID card.
Time factors restricting access to specific times of the day, week, month, or year.
Location factors restricting access to specific devices and/or tracking the geographic location of an authentication attempt. This could be done via IP address, Global Positioning System (GPS) data, or via location features in web browsers or mobile devices.
Biometric factors such as fingerprints verified by a fingerprint reader, a user’s face processed by a face recognition algorithm, or the user’s voice or speech patterns.

How Does 2FA Work?

Two-factor authentication combines two different authentication factors. The first element is usually the password (a knowledge factor). The second element is typically something the user owns (a possession factor) or something the user is (an inherence factor).

In many two-factor authentication (2FA) systems, the first authentication step requires the user to present a knowledge element such as a password, and in a second step, present an ownership or inheritance factor. For example, a possession factor could be a mobile device that sends a push notification, while an inherence factor could be a face recognition system.

Common Types and Examples of Two-Factor Authentication

Here are the most commonly used 2FA mechanisms:

Hardware Tokens for Two-Factor Authentication

A hardware token is a small keyfob-like device that produces a new numeric code every 30-seconds. Once a user attempts to access an account, the system requires them to enter the code displayed on the device’s screen into the website or application.

Some hardware token types can automatically transfer the 2FA code when plugged into a computer’s USB port. Banks commonly use these hardware tokens to help their customers securely log into their online and mobile banking accounts.

SMS Text-Message

SMS-based 2FA is a mechanism that interacts directly with the user’s phone. Once the user enters their username and password into the site, the mechanism sends them a unique one-time passcode (OTP) through a text message. Next, the system requires the user to enter the OTP into the application or website before gaining access.

Software Tokens for 2FA

Software tokens are a highly popular form of 2FA that leverages a software-generated, time-based one-time passcode commonly known as TOTP or soft token. This mechanism requires the user to download and install a free 2FA app on a desktop or smartphone. They can use the app with any website that supports this authentication form.

As with other 2FA forms, the user must first enter their username and password. When prompted, the user needs to enter the code displayed on the 2FA app. Like hardware tokens, a TOTP is usually valid for less than a minute. Since the code is generated and displayed on the same device, TOTPs eliminate the chance of threat actor interception.

Push Notification for 2FA

Applications and websites can send push notifications to users when detecting an authentication attempt. If the user is the one attempting to log into the system, they can approve access using the notification and access their account. Otherwise, they can deny access using a single touch and notify the service provider that someone else has attempted to log into their account.

The push notification method does not require entering passwords, code, or other interactions. Push notifications establish a direct and secure connection between a service provider, a 2FA service, and a device, helping prevent Man-in-the-Middle (MitM) attacks, phishing, and unauthorized access.

2FA: Benefits and Challenges

Benefits of 2FA

The direct benefit of 2FA is reducing fraud and identity theft.
Adding a layer of security increases customer trust in your organization’s security measures and gives them peace of mind about the safety of their personal data.
2FA helps an organization comply with industry standards, many of which have specific requirements for access control.
An investment in 2FA can reduce costs. Without 2FA, there is a need to assist users with password resets, notify customers in case of unusual access attempts, and investigate security incidents.

Challenges of 2FA

Many users report that the two-factor authentication is inconvenient. This can make it more difficult for an organization to recruit new users, or lead to dissatisfaction of existing users.
2FA doesn’t provide complete authentication on its own. Instead, it authenticates the device on the assumption that the owner of a particular device is the only person using the device, which may not be correct in practice.
Attackers have many ways to steal or compromise a user’s device, and can then impersonate the user and subvert some 2FA methods.
Hackers can break into a two-factor authentication system without physically obtaining a device, via SIM cloning. This technique re-routes authenticated SMS messages from the target phone to the hacker’s device. The use of a Time-Based One-Time Password (TOTP) algorithm can prevent these scenarios.
Social engineering attacks might be effective against 2FA. Criminals can pretend to be a bank or a trusted agent, contacting a user and asking them to verify the password they received, or using a phishing attack to trick a user into visiting a malicious website and submitting their details there. Attackers can also impersonate a user and contact a mobile carrier to conduct another form of SIM cloning attacks.
Hackers do not require much skill or effort to perform a 2FA attack.

Best Practices for Implementing and Managing Two-Factor Authentication

Create a Comprehensive List of Access Points

The first step in building a two-factor authentication system is to inspect all assets, applications, and services used on your organization’s network. This can be time consuming, and you may need to consider everyday apps like email and internal communication tools like Slack.

Once you’ve listed everything from emails to database access, identify systems that have access control that is insufficient for their security requirements. You should only enable 2FA on access points that require this level of security.

Choose Authentication Factors Based on Organizational Requirements

Not all access points require the same authentication policy. Instead of choosing an off-the-shelf solution and adding it on top of your infrastructure, identify what hardware and software you currently use, and how it can be leveraged to create the best 2FA implementation process.

For example, if all employees have company-owned smartphones, a smartphone app could be one of the authentication factors implemented.

Create the Optimal Trade-off Between Usability and Security

Too many authentication steps can create a negative experience for users and lead to churn, or hurt productivity for applications used by employees. Two-factor authentication should only be implemented at critical points. If desired, 2FA can be combined with other methods such as SSO to improve security while making the authentication process more seamless.

Regularly Evaluate and Update the Authentication Plan

Organizations are dynamic, and constantly adding new technology, including new types of devices, cloud systems, and Internet of Things (IoT) devices. With new access points added every day, and constantly changing user roles are also constantly changing, there is a need to continuously re-evaluate access control. You should periodically reevaluate a two-factor authentication strategy to ensure it matches your current technical setup and the devices and workflows currently in place.

Authentication for SaaS with Frontegg

Frontegg’s two-factor authentication solution provides a flexible authentication as a service for all use-cases. Starting from a powerful use based authentication, including powerful authentication protocols such as OAuth, Open ID connect, SAML and WebAuthN all the way to granular security policies such as MFA, User lockouts, Device verification and much more.

Signup for free

The Complete Guide to SaaS Multi-Tenant Architecture

Read the guide

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.