What is Two-Factor Authentication?
Two-factor authentication adds an extra layer of security, helping protect users and private information.
By Brian Segal
In the modern age of cybersecurity, strong passwords are vital. But good passwords aren’t always enough: even a great password can be exposed in a data breach at a service you don’t control. Two-factor authentication (2FA) helps protect you from exactly those things that are beyond your control.
But what is two-factor authentication, and how can it protect you from a leaked password? Here’s how it works, and why that claim holds up.
What is Two-Factor Authentication?
Two-factor authentication is an authentication method that requires a user to present two different kinds of evidence, called factors, to access a device, account, or system. Most two-factor authentication systems use a password plus a single-use code to grant users access to 2FA protected resources.
Two-factor authentication is also sometimes called “double authentication” or “dual authentication.” And not all 2FA systems use a password and a single-use code. Some pair a password with a hardware token or a physical security key.
But the method is the same: the user must present two independent pieces of evidence, from two different categories, to prove they are authorized to access the resource. A password plus a second password is not two-factor; a password plus something an attacker would also have to steal is. This significantly enhances the security of password-protected systems.
Are Passwords Still Safe?
Using 2FA raises the question, “are passwords safe?” Yes, strong passwords are still a powerful security measure. However, passwords can be leaked or stolen. Implementing two-factor authentication helps keep your assets protected even if a bad actor gets hold of your password.
To be fair to passwords, 2FA isn’t perfectly bulletproof either. An attacker who already has the password still has to defeat the second factor, and how hard that is depends on which factor you use. A code sent by SMS can be redirected by taking over the phone number (a SIM swap), and any code the user types can be captured by a phishing page that relays it to the real site while it is still valid. A security key that signs a challenge tied to the real site’s address resists both.
Even so, the criminal has to get the password, work out which second factor protects that account, and then defeat that factor, all before the attempt is noticed. That’s a much harder heist than reusing a leaked password.
In short, password security measures work if you create strong passwords. Supporting your passwords with two-factor authentication means a stolen password alone is no longer enough to get in.
Real World Examples of 2FA
Email accounts are among the most critical assets to protect. If your email account is compromised, cybercriminals can use it to take over other accounts by requesting password resets and following the reset links that land in your inbox.
That’s why Google offers two-factor authentication. If you assign a text-capable phone number to your Google account, Google will text a single-use code to that number whenever you enter your password to log in. Google also offers an authenticator app and sign-in prompts on your phone, both of which are more secure than SMS.
Your Amazon account houses a lot of personal information—billing and shipping addresses, credit card numbers, phone numbers, and even information about your personal preferences that can be used in social engineering scams.
To guard all this information, Amazon offers 2FA for your Amazon account. Like Google, Amazon sends a text message with a code whenever you enter your Amazon password.
Amazon considers two-factor authentication to be so important that they also offer alternative authentication methods for users who can’t receive texts, to ensure that everyone can use it.
Wealthfront is a financial institution that manages checking, savings, and investment accounts. Given the sensitivity of the information it handles, Wealthfront pairs its two-factor authentication with a tight expiry.
Wealthfront time-limits its 2FA codes. If you haven’t entered your 2FA code and logged in within five minutes, the code expires and you’ll have to enter your password again to get a new one.
The time limit narrows the window in which an intercepted code is useful. If a bad actor has gained access to the second device, or to the messages sent to it, they may not see the code immediately, and once it has expired it is worthless. Expiry is a safeguard every 2FA deployment should have, not just a financial one: it limits the damage from a stale code, though it won’t stop a code that is relayed within the window.
Why Two-Factor Authentication is Better
The obvious reason two-factor authentication is better is that it’s more secure. A lock that requires two different keys is harder to open than a lock that requires one. Using two-factor authentication is like requiring two keys, of two different kinds, for each lock in your cybersecurity system.
However, there’s another benefit to 2FA: it’s convenient. One of the biggest challenges in security is creating powerful security systems that people will actually use. The more secure a system gets, the more inconvenient it gets for people who need to access that system.
If your security method is too complex, legitimate users will try to find ways to bypass it. They’ll write down their passwords or stash keys in places that are easier to access. It’s not that they don’t care about security. It’s just that they want to get to the things they need as quickly and easily as possible.
Two-factor authentication is far more secure than just a password. At the same time, it’s convenient enough that legitimate users don’t bother trying to get around it, and that is what makes it effective in practice.
Two-Factor vs Passwords
Password protection is a legitimate security method. A good password is a remarkably strong key. The problem is that passwords can be stolen or leaked, and they are more easily compromised than physical keys: the internet lets people anywhere in the world attempt to steal them.
If a resource is protected with just a password, simply getting a hold of the password gives a criminal access to that resource until the password is changed. And cybercriminals often change passwords once they’ve breached a system to make it more difficult for you to recover access to that system.
Two-factor authentication prevents an account from being breached when only the password is compromised. The second factor stops anyone who obtained the password illicitly from getting in.
Additionally, a login where the password is accepted but the second factor fails, times out, or is never completed is a strong signal that the password is in someone else’s hands. If you log and alert on those events, your 2FA system doubles as an early warning that a password has been compromised. 2FA is simply more secure because it supports your passwords with an additional layer of security and gives you more visibility into who is trying to access your accounts and systems.
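The check described above, as an added example in Go that is not part of the original article: it runs over a few constructed log lines and flags every (user, IP) pair where the password was accepted but no second-factor attempt within the window succeeded. The event format and field names are assumptions made for this example; map your own log’s names onto them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of an authentication log (newline-delimited JSON).
// The field names are an assumption for this example.
type Event struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	IP     string    `json:"ip"`
	Action string    `json:"action"` // password_ok, password_fail, mfa_ok, mfa_fail, mfa_timeout
}

// Alert: a password was accepted from this IP but the second factor never was.
type Alert struct {
	User, IP string
	Failures int
}

// SampleLog is constructed for this example. alice logs in normally from her
// usual address, then someone holding her password tries from a new one and
// cannot get past the second factor; bob mistypes his password once but
// completes 2FA.
const SampleLog = `
{"time":"2024-05-01T09:00:00Z","user":"alice","ip":"203.0.113.7","action":"password_ok"}
{"time":"2024-05-01T09:00:02Z","user":"alice","ip":"203.0.113.7","action":"mfa_ok"}
{"time":"2024-05-01T11:15:00Z","user":"alice","ip":"198.51.100.23","action":"password_ok"}
{"time":"2024-05-01T11:15:30Z","user":"alice","ip":"198.51.100.23","action":"mfa_fail"}
{"time":"2024-05-01T11:16:10Z","user":"alice","ip":"198.51.100.23","action":"mfa_fail"}
{"time":"2024-05-01T11:20:00Z","user":"alice","ip":"198.51.100.23","action":"mfa_timeout"}
{"time":"2024-05-01T12:00:00Z","user":"bob","ip":"192.0.2.5","action":"password_fail"}
{"time":"2024-05-01T12:00:20Z","user":"bob","ip":"192.0.2.5","action":"password_ok"}
{"time":"2024-05-01T12:01:00Z","user":"bob","ip":"192.0.2.5","action":"mfa_ok"}
`

// ParseLog decodes the log, skipping blank lines.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// FindStolenPasswordSignals returns one alert per (user, IP) where the
// password was accepted and every second-factor attempt within `window`
// failed or timed out. A later mfa_ok from the same (user, IP) clears the
// signal: a user who fat-fingers one code and then succeeds is not an
// incident. Events must be in time order.
func FindStolenPasswordSignals(events []Event, window time.Duration) []Alert {
	type key struct{ user, ip string }
	type state struct {
		passwordAt time.Time
		failures   int
		completed  bool
	}
	open := map[key]*state{}
	for _, e := range events {
		k := key{e.User, e.IP}
		switch e.Action {
		case "password_ok":
			open[k] = &state{passwordAt: e.Time}
		case "mfa_fail", "mfa_timeout":
			if st, ok := open[k]; ok && e.Time.Sub(st.passwordAt) <= window {
				st.failures++
			}
		case "mfa_ok":
			if st, ok := open[k]; ok {
				st.completed = true
			}
		}
	}
	var alerts []Alert
	for k, st := range open {
		if !st.completed && st.failures > 0 {
			alerts = append(alerts, Alert{User: k.user, IP: k.ip, Failures: st.failures})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		return alerts[i].User+alerts[i].IP < alerts[j].User+alerts[j].IP
	})
	return alerts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range FindStolenPasswordSignals(events, 10*time.Minute) {
		fmt.Printf("ALERT: password for %s accepted from %s but 2FA failed %d time(s); treat the password as compromised\n",
			a.User, a.IP, a.Failures)
	}
}
```

Wire the alert to a forced password reset for the user and a block on the source address. Failed second-factor attempts that are followed by success from the same address are ordinary mistyping and produce no alert.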
Here’s How 2FA Works
2FA works by requiring users to present a username and password and then a second, different kind of proof before they’re allowed to log in.
The three types of authentication factor are:
- Something you know - a password or a PIN
- Something you have - something in your possession, like a phone, a hardware token, or a security key
- Something you are - a biometric, like a fingerprint
Most 2FA systems use an automated process that sends the second factor through a secondary channel like SMS or email, confirming something you have: the phone or inbox the code was delivered to. A code emailed to an inbox that is open on the same laptop the login comes from is a weaker proof of possession than a code sent to a separate phone.
Most commonly, when a user enters their username and password, the 2FA system uses the contact information on the user’s account to send the second piece of evidence the user needs to finish logging in. It’s very common to send a six-digit code that can be used to log in only once and that expires after a few minutes.
Usually, the code is texted or emailed, but 2FA systems can also deliver it by automated phone call. Authenticator apps, physical security keys, and fingerprint scanners can also be used alongside passwords in systems that require higher levels of security.
Requiring users to answer a security question or enter a PIN after their password is often described as two-factor authentication, but strictly it isn’t: a security question or PIN is another something you know, the same category as the password, so it is two-step rather than two-factor. It is also a weak second step, because the answers can often be scraped from social media profiles and other places on the internet.
No matter what you use as the second form of authentication, the concept of two-factor authentication is that your security system asks for the user's identity in the form of a username and password. If the username and password are correct, the system then prompts the user for a second piece of information that proves their identity and that they have permission to access the resource.
If both pieces of evidence are valid, the user is granted access to that resource. It’s a very secure method that’s easy to implement and streamline, so everyone is better protected.
Types of Two-Factor Authentication
As we mentioned in the last section, there are several types of two-factor authentication. These are the most common types of two-factor authentication, which work in almost every use case.
SMS Based 2FA
SMS based 2FA is by far the most common type of two-factor authentication. Most people can receive text messages, and text based 2FA is simple and affordable.
You don’t even need a standard phone number to send the codes. A short code works, and since users never reply to a 2FA text, it doesn’t need to receive messages.
All you need is a system that detects a login attempt, looks up the phone number associated with the account, generates a random single-use code and records it with an expiry, and an automated SMS service that sends the code to that number. On the way back, the server checks the submitted code against what it recorded, counts wrong guesses, and discards the code once it has been used.
With a quality SMS two-factor authentication provider that offers good APIs and support, you can be up and running with text based 2FA in a matter of hours. Keep in mind that SMS is the weakest of the options below: the code can be phished in real time, and the phone number itself can be stolen by SIM swap. It is still far better than a password alone.
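The server-side half of that flow, as an added Go example that is not part of the article and makes no call to Telnyx or any other SMS provider: the `send` hook is a hypothetical placeholder where a real provider call would go. It generates the code from crypto/rand, stores only a hash of it with a five-minute expiry (the limit the article quotes for Wealthfront), caps wrong guesses, compares in constant time, and deletes the code once it has been used.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy constants chosen for this example: a code lives five minutes and five
// wrong guesses retire it, which keeps a six-digit code from being
// brute-forced through the login API.
const (
	codeTTL     = 5 * time.Minute
	maxAttempts = 5
)

var (
	ErrNoChallenge = errors.New("no pending code for user")
	ErrExpired     = errors.New("code expired; request a new one")
	ErrLocked      = errors.New("too many wrong codes; request a new one")
	ErrMismatch    = errors.New("wrong code")
)

type challenge struct {
	hash     [32]byte // only a hash is stored, so the table never holds live codes
	expires  time.Time
	attempts int
}

// OTPStore is the server-side state for SMS 2FA: one pending code per user.
// send is a hypothetical hook for whatever SMS API you use; this example
// never talks to a real provider.
type OTPStore struct {
	pending map[string]*challenge
	send    func(phone, text string) error
	now     func() time.Time
}

func NewOTPStore(send func(phone, text string) error) *OTPStore {
	return &OTPStore{pending: map[string]*challenge{}, send: send, now: time.Now}
}

// newCode draws a uniformly random six-digit code from crypto/rand.
func newCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// Issue runs after the password check passes. It replaces any earlier code
// for the user, so requesting a new code invalidates the old one.
func (s *OTPStore) Issue(user, phone string) error {
	code, err := newCode()
	if err != nil {
		return err
	}
	s.pending[user] = &challenge{hash: sha256.Sum256([]byte(code)), expires: s.now().Add(codeTTL)}
	return s.send(phone, "Your verification code is "+code)
}

// Verify checks a submitted code: it must exist, be unexpired, be within the
// attempt budget, and match in constant time. A correct code is deleted so it
// cannot be used twice.
func (s *OTPStore) Verify(user, code string) error {
	c, ok := s.pending[user]
	if !ok {
		return ErrNoChallenge
	}
	if s.now().After(c.expires) {
		delete(s.pending, user)
		return ErrExpired
	}
	c.attempts++
	if c.attempts > maxAttempts {
		delete(s.pending, user)
		return ErrLocked
	}
	sub := sha256.Sum256([]byte(code))
	if subtle.ConstantTimeCompare(sub[:], c.hash[:]) != 1 {
		return ErrMismatch
	}
	delete(s.pending, user)
	return nil
}

func main() {
	var text string
	store := NewOTPStore(func(phone, t string) error { text = t; return nil })
	if err := store.Issue("alice", "+15550100"); err != nil {
		panic(err)
	}
	code := text[len(text)-6:]
	fmt.Println("would send:", text)
	fmt.Println("wrong code:", store.Verify("alice", "nope00"))
	fmt.Println("right code:", store.Verify("alice", code))
	fmt.Println("same code again:", store.Verify("alice", code))
}
```

Two details matter more than they look. Storing only a hash means a read of the database (a backup, an injection, an over-privileged report) does not hand out live codes, and the attempt cap plus expiry together bound an online guesser to a handful of tries against a million possibilities.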
Application Based 2FA
Application based 2FA is more secure than SMS based 2FA, and from the user’s point of view it feels much the same: a six-digit code that changes.
With application based 2FA, users install an authenticator app on their device (Google’s, a third party’s, or a provider’s own). At enrollment, the server and the app share a secret, usually by scanning a QR code. From then on the app computes a fresh code from that secret and the current time, typically every 30 seconds. Nothing is sent to the phone at login; the user simply types the current code to finish logging in.
What makes this more secure than text based 2FA is that the code never travels over the phone network. It is derived from a secret that only the app and the server hold, so there is nothing to intercept in transit, and compromising it requires access to the user’s device (or to the server’s copy of the secret).
SMS messages, on the other hand, can be intercepted or redirected (for example by a SIM swap) without ever touching the user’s device. So application based 2FA adds real protection without inconveniencing users much. It is still a typed code, though, so a phishing site that relays the code to the real login while it is valid can defeat it.
Push Based 2FA
Push based 2FA is often used as part of a passwordless two-factor authentication system or as one step in multi-factor authentication. However, it also works in conjunction with passwords.
Push based 2FA sends a push notification to a secondary device (usually a smartphone or tablet) when the user enters their username and password. The push notification requires the user to take some action to complete the two-factor authentication process.
Often the action is as simple as tapping Approve or moving a slider. Because approving takes one tap, an attacker who has the password can spam prompts hoping the user gives in; push based 2FA can therefore be configured to require a PIN or, better, to have the user type a number shown on the login screen (number matching), so a prompt cannot be approved blindly.
The key with push based 2FA is that it works best with two devices. If the push notification is sent to the same device that the user is attempting to login from, it compromises the two-factor authentication system, because push based 2FA relies on device possession to achieve proper two-factor authentication.
Security Key Based 2FA
Security key based 2FA tends to be reserved for systems that require the highest levels of security, because it is the most expensive to roll out: every user needs a key. Despite the name, the key is not a USB drive holding a file. It is a small device (USB, NFC, or Bluetooth) that holds a private key generated on the device itself and performs a challenge-response signature when the user plugs it in or taps it during login.
Security key based 2FA is the most secure form of 2FA because it requires a physical device, the private key never leaves that device, and the signature is bound to the site the browser is actually talking to, so a lookalike phishing page receives a signature it cannot use.
One of the challenges with using smartphones as authentication keys is that smartphones are used for a lot of other things. The other apps and functions of the phone can be used to compromise the authenticator secret stored on the phone.
A security key does only this one job, so it is very difficult to compromise without physically obtaining it. Security keys are more expensive than most other 2FA methods, and a lost key means the user needs a fallback such as a spare key or recovery codes. What a thief cannot do with a modern FIDO key is clone it: the private key is not readable off the device, so a stolen key is revoked on its own without affecting any other key.
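A simplified model of the challenge-response behind security-key login, added here as an example; it is not the article’s code and not the WebAuthn wire format (the real protocol signs over structured authenticator data and a client-data hash, which the hypothetical `digest` helper stands in for). It shows the two properties that matter: nothing exports the private key from the key object, and the signature is bound to the origin the browser reports, so a signature made for a phishing site’s origin is useless at the real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityKey models the authenticator. The private key is generated inside
// it and nothing here exports it: the only operation is Sign.
type SecurityKey struct{ priv *ecdsa.PrivateKey }

func NewSecurityKey() (*SecurityKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{priv: priv}, nil
}

// Public is what the server records at registration.
func (k *SecurityKey) Public() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Sign signs the server's challenge together with the origin the browser
// reports. The browser fills in the origin; the user never types it, so a
// lookalike site cannot claim the real site's name.
func (k *SecurityKey) Sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, digest(challenge, origin))
}

// digest binds challenge and origin into one hash. This is a hypothetical
// simplification of WebAuthn's authenticatorData || clientDataHash input.
func digest(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

var ErrBadAssertion = errors.New("assertion rejected")

// Server is the relying party: it knows its own origin, the public key each
// user registered, and the single-use challenge it last issued per user.
type Server struct {
	Origin string
	keys   map[string]*ecdsa.PublicKey
	issued map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, keys: map[string]*ecdsa.PublicKey{}, issued: map[string][]byte{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Challenge issues 32 fresh random bytes. An old signature cannot satisfy a
// new challenge, which is the replay protection.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[user] = c
	return c, nil
}

// Assert verifies a login. The signature must cover the challenge this server
// issued and this server's own origin; a signature produced for any other
// origin fails, which is what makes the key phishing-resistant.
func (s *Server) Assert(user string, sig []byte) error {
	pub, ok := s.keys[user]
	c, issued := s.issued[user]
	if !ok || !issued {
		return ErrBadAssertion
	}
	delete(s.issued, user) // single use, whether or not verification succeeds
	if !ecdsa.VerifyASN1(pub, digest(c, s.Origin), sig) {
		return ErrBadAssertion
	}
	return nil
}

func main() {
	key, _ := NewSecurityKey()
	srv := NewServer("https://accounts.example.com")
	srv.Register("alice", key.Public())

	c, _ := srv.Challenge("alice")
	sig, _ := key.Sign(c, srv.Origin)
	fmt.Println("genuine login:", srv.Assert("alice", sig))

	// Phishing relay: the attacker's page forwards the real challenge, but the
	// browser reports the attacker's origin to the key.
	c, _ = srv.Challenge("alice")
	sig, _ = key.Sign(c, "https://accounts-example.com")
	fmt.Println("relayed through phishing site:", srv.Assert("alice", sig))
}
```

Compare this with the typed-code methods above: an OTP is the same six digits whoever asks for it, so a relay works; here the thing the user presents is a signature over the asking site’s identity, so the relay produces a signature for the wrong site.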
Two-Factor Authentication with Telnyx
The bottom line is that two-factor authentication is a huge security upgrade over using just passwords. And implementing two-factor authentication is simple and affordable.
Security breaches happen every day. Adding 2FA will help protect you from the next cybersecurity disaster.
Sign up for a free Telnyx Mission Control Portal account to start using 2FA and stop worrying about lost, leaked, or stolen passwords.