Two-Factor Authentication is a buzzword we’ve been hearing more and more over the past several years. At this point, most people reading this article have probably used two-factor authentication, whether they realize it or not. Still, even if you have heard the term, you might not know exactly what it means.
What defines two-factor authentication? What’s the difference between two-factor authentication and multi-factor authentication? What even is an authentication factor? Why can’t we just use passwords? Read on if you’d like to learn more about how two-factor authentication works, and why so many companies are opting to use it to improve security.
What Defines Two-Factor Authentication?
Two-Factor Authentication (TFA, also written 2FA) is when a user verifies their identity by using two distinct “Authentication Factors.” That, of course, raises the question: what is an authentication factor?
The most familiar authentication factor we use online is a password. We prove our identity by providing a piece of information (the password) that no one else should know. Because a password is something an individual knows, it’s called a “knowledge factor.” Something the individual has is a “possession factor,” and something the individual is (a physical trait) is a “biometric” or “inherence” factor. Those three are the classic factor types; location and time are usually treated as contextual signals layered on top of them rather than as factors in their own right. Examples of each:
Knowledge Factors:
- Passwords
- PINs
- Challenge responses (e.g., “what’s your mother’s maiden name?”). These are the weakest knowledge factors, because the answers are often discoverable or guessable by someone who is not the account owner.
Possession Factors:
- A keycard you swipe for access
- A phone on which you receive access codes (codes delivered over SMS are weaker than codes generated on the device by an authenticator app, or a hardware security key, because a phone number can be hijacked)
Location Factors:
- Website only accessible from certain restricted locations or networks
- Credit card freezing if suddenly used outside of the country
Time Factors:
- One-time code that must be used within a short window of time (the code itself proves possession of the device that generated it; the expiry window is the time-based part)
Biometric Factors:
- Iris scan
- Voice verification
- Facial scan
Two-Factor Authentication (TFA) is when a verification process requires exactly two authentication factors, and each factor is a different “type” of factor. For example, a TFA process might require a password (a knowledge factor) and a facial scan (a biometric factor). That process requires two factors (a password and a facial scan), and those factors are two different types (a knowledge factor and a biometric factor, respectively).
Having the two factors be from different types is key. If we had a process that required a facial scan (a biometric factor) and an iris scan (another biometric factor), the process would not be TFA because both factors are biometric factors. The same goes for a password plus a security question: both are knowledge factors, and an attacker who tricks the user into typing one into a fake login page will usually get the other at the same time, so the second factor adds very little.
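To make the knowledge-plus-possession pairing concrete, here is an added example (not code from the original article) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app produces. The password side uses salted PBKDF2; the code side implements the HOTP/TOTP algorithms from RFC 4226 and RFC 6238 directly with the standard library, including the short acceptance window from the “Time Factors” list above. The user record, secret, password and clock value are constructed for the demo; the function and field names are illustrative and not any product’s API.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the original article. A two-factor login that
# checks a knowledge factor (password) AND a possession factor (a time-based
# one-time code derived from a secret shared with the user's authenticator
# app, per RFC 4226 / RFC 6238). All names and data are illustrative.


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores only the salt and hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks the offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step plus `skew` steps either side, so a
    code is valid for a short window (about 90 s here) and then expires."""
    current = unix_time // step
    ok = False
    for counter in range(current - skew, current + skew + 1):
        # No early return: every candidate is checked so timing does not
        # reveal which step (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, counter), code)
    return ok


def two_factor_login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; either one failing rejects the login."""
    knowledge_ok = verify_password(password, user["salt"], user["pw_hash"])
    possession_ok = verify_totp(user["totp_secret"], code, unix_time)
    return knowledge_ok and possession_ok


def enroll(password: str, totp_secret: bytes) -> dict:
    """Constructed user record. In production the TOTP secret would come from
    os.urandom(20) and be shown to the user once (e.g. as a QR code)."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret}


def demo() -> dict:
    # Fixed secret and clock so the outcomes are deterministic (constructed data).
    user = enroll("correct horse battery staple", b"12345678901234567890")
    now = 1_700_000_000
    good_code = totp(user["totp_secret"], now)
    return {
        "both_factors": two_factor_login(user, "correct horse battery staple", good_code, now),
        "password_only": two_factor_login(user, "correct horse battery staple", "000000", now),
        "code_only": two_factor_login(user, "hunter2", good_code, now),
        "expired_code": two_factor_login(user, "correct horse battery staple", good_code, now + 120),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>14}: {'accepted' if accepted else 'rejected'}")
```

Only the `both_factors` case is accepted: a stolen password without the device, or a code without the password, is rejected, and a correct code replayed two minutes later is rejected because it falls outside the skew window. The `hotp` and `totp` functions reproduce the published test vectors (secret `12345678901234567890`: HOTP counter 0 is `755224`, eight-digit TOTP at T=59 is `94287082`), which is the quickest way to confirm a one-time-code implementation before trusting it.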
Single-Factor vs. Two-Factor vs. Multi-Factor Authentication
Single-factor authentication is a verification process that uses only one authentication factor of any type. An example of single-factor authentication would be using a facial scan to unlock an iPhone. Single-factor authentication is the simplest and lowest cost to set up, but it is also the least secure: whoever defeats that one factor is in.
Two-factor authentication, as already discussed, uses exactly two factors, where each factor is a different type. An example of two-factor authentication would be entering a PIN (knowledge factor) and inserting or swiping a physical debit card (possession factor) to authorize a purchase. Two-factor authentication requires a more involved setup, and can be more difficult to use, but provides a substantial increase in security.
Multi-factor authentication is a lot like two-factor authentication: it uses at least two factors from at least two different types of authentication factor, but it can use more as well. So, two-factor authentication is the simplest version of multi-factor authentication. A multi-factor setup might require you to enter a passcode (knowledge factor), do a facial scan (biometric factor), and swipe a keycard (possession factor). Multi-factor authentication that uses three or more factors may be ideal for protecting highly sensitive data, but in most cases the added protection will be overshadowed by the added inconvenience for the user.
Why use Two-Factor Authentication?
Sometimes TFA can feel annoying. You’re just trying to log on to a website, but now you have to check your phone and enter a security code. While this is an inconvenience, the purpose is to prevent a much bigger inconvenience: getting hacked.
There are two primary advantages to TFA. The first is that TFA makes it far more difficult for cybercriminals to access sensitive data. A password alone can be guessed, leaked in a breach or phished, and a password-only account falls to any of those; with TFA the attacker also needs the second factor, which typically means getting hold of the user’s phone or security key. (One-time codes that the user types into a web page can still be phished in real time by a fake site that relays them, which is why hardware security keys that are bound to the genuine site are considered the strongest second factor.) Those few seconds it takes to enter the security code could prevent major damage and loss of data. More subtly, the second advantage is that TFA allows websites to be more confident that they are showing the right information to the right person.
Why is a password not good enough?
Passwords are good when the stakes are low, but in most cases just won’t cut it. People choose passwords that are easy to guess, reuse the same password across many sites, write them down and keep them in their desk, or leave them behind on old hard drives. Services, for their part, get breached, and a password leaked from one site is then tried against every other site the victim uses. And a password is easy to phish: a convincing fake login page captures it the moment the user types it in. Ultimately, a secret that only has to be typed once to be stolen is a weak thing to rest an account on by itself.
That said, passwords still have their place. They are the most common and most familiar security factor used online, which makes them easy to implement. Passwords are also a low-cost solution. So, if the information is not too sensitive, the audience is not tech-savvy, and the solution needs to be implemented quickly at a low cost—a simple, single-factor authentication using a password might be the way to go.