What Is Two-Factor Authentication (2FA)? How Does It Work?

Passwords alone do not offer sufficient security against new types of cyber attacks. Luckily, there are many ways to protect accounts on all sorts of services via secure authentication methods. Generally, the more the number of authentication items a given account requires, the better is the protection against hacking attempts. Regardless of which authentication method is chosen, it all depends on knowledge factors. Knowledge factors are pieces of information that only the owner of the account knows. Another type of factor that can increase account security is the possession factor. The possession factor refers to any information item that the owner of a given account possesses, usually, in physical forms such as a cell phone, smartphone app, authentication app, ID card, security key or security token. This is where the ideas of two-factor authentication (2FA) and/or multi-factor authentication come in.

2FA Definition

What is 2FA?

2FA is a form of multi-factor authentication which is a method to secure online identity and account access. Once enabled on an account, via electronic authentication, the owner of the account must provide two identification items. Without this 2-step verification, the user cannot access any sensitive or personal data nor any resources that require account authentication. Methods such as 2FA offer the opportunity to businesses as well as individuals to safeguard sensitive information across networks. 2FA can also help to enhance the monitoring abilities of a given network. Without any need for physical information items, 2FA is the perfect way to secure accounts against advanced forms of hacking attempts.

Why are Passwords Not Good Enough Anymore?

For companies, passwords are not good enough anymore for the simple reason that a lot of resources need to be spent to remove user accounts and passwords once an employee leaves the company. As a result, companies don’t fully remove privileges offered to former employees. The former employee, thus, has access to information that should be private.

Another reason why passwords are not very secure now is because of mishandling. Once a malicious actor finds a password, unauthorized personnel are free to access the compromised network and/or service indefinitely. Even worse, no one in charge of security may even notice out of the ordinary.

An image featuring strong password being unlocked concept

Perhaps the most concerning reason is that malware has gotten very good at stealing passwords via software-based solutions and physical keyloggers. Organizations as well as individuals, simply can’t afford to rely on passwords anymore.

Writing down passwords on sticky notes amongst a host of other materials (including physical notebooks, the backside of a laptop, and one’s business card) has made stealing passwords even easier.

Passwords are also not secure anymore because traditional techniques to improve password strength are not paying off. Some cybersecurity experts recommend choosing passwords that are complex and long. While this tip works for a lot of users, long and complex passwords are not unhackable. Plus, with difficult problems comes the issue of having to remember the password each time account access is required. And because the rules of making strong passwords are somewhat predictable, hackers are now able to use better machine-generated combinations knowing the science of creating strong passwords.

There are many other reasons why passwords are not good enough anymore. Most of them boil down to the fact that passwords have become easier to steal and harder to protect.

What are the Advantages of 2FA?

The advantages of 2FA are given below:

  • Reduction in costs related to customer support.
  • Increased customer satisfaction.
  • Enhanced productivity on the part of employees with multiple options to secure accounts.
  • Multiple options to choose the second information item from.
  • Marked improvement of account and access security when compared to plain old passwords.
  • Reduction in system breaches.
  • Decrease in the number of unauthorized access incidents.
  • Hardening against some forms of cyberattacks such as phishing.

What are The Disadvantages of 2FA?

  • Increased costs of maintaining a system that can support two-factor authentication.
  • Increased database management costs.
  • Dependency on third-party services that offer 2FA integration for various systems.
  • Increased difficulty in logging in for users.
  • More incidents of blocked accounts because of a lack of access to a second authentication method.
  • Authentication items can also be stolen/misplaced/damaged/made redundant.
  • A false sense of security may alter the behavior of users to be more careless about sharing information.
  • In case hackers are able to reconfigure two-factor authentication, users can get locked out of accounts and services permanently.

How does Two-Factor Authentication Work? What are the Types of 2FA?

Fundamentally, two-factor authentication makes use of two, in most cases unrelated, forms of authentication methods to authorize account access at any given time. The first factor is usually the password. And the second one is variable but usually comes down to a piece of information that the owner of the account personally possesses. Such items include phones and security keys.

This is important:

The combination of a security question and a password is generally not considered a two-factor authentication setup. That’s because knowing the password can more or less assist in guessing the security question. In the case of two-factor authentication, the two pieces of information required are totally different and unrelated.

Knowledge Factor

Knowledge factors form the most commonly used authentication credentials. The term encompasses all information items that are usually hidden. Knowledge factors require the user to demonstrate awareness of the said hidden information. Such factors can include anything the owner of an account knows. Examples include passwords, PINS, and security questions (the street you grew up on, mother’s maiden name etc.).

Possession Factor

The Possession factor refers to a piece of information that the owner of an account or service has possession of. Mostly possession factors come in the form of physical objects or software-based tokens. Examples include OTPs, security keys and SMS codes.

Inherence Factor

Inherence factors are authentication information items that are totally unique to the owner of the account. Since inherence factors are unique, they represent the strongest authentication factors currently available. Examples include biometric information such as Iris scans, fingerprints, and facial recognition.

Location Factor

Location factors refer to the location from where a particular authentication attempt takes place. Restricting authentication to a few devices in one or two locations increases security. If an account has been registered in one country but the login attempt is made from another country, then the 2FA will step in and block account access. Location factors are mostly dependent on the IP address of the user.

What Are The Most Common 2FA Methods?

The most common 2-factor authentication methods include SMS-based codes, TOTP authenticator apps, notification push-based codes, physical security key-based authentication, and backup codes.

SMS Text-Message and Voice-based 2FA

The most popular way to implement 2FA is to receive a text message once a password has been provided for account access. During the registration process, a phone number is asked for. The function of the phone number is to act as the 2FA in the future. Depending on the service, the SMS code may be sent via text or automated voice call.

An image featuring multi factor authentication concept

Although there are other types of two-factor authentication used by organizations and individuals, the text-message-based one is the most common. Essentially, users input a password to a given account which generates a prompt to input another code sent via SMS to the user’s registered mobile device. The code is for one-time use only.

Software Tokens for 2-Factor Authentication

Software tokens are produced via an authenticator application (also known as 2FA apps). The user has to install an app on a mobile device or desktop computer. Once the user inputs a password, the account requires a one-time password generated via the authenticator app for complete access. Similar to text codes, the function of the software token is to act as an additional piece of credential not based on any network connection.


When an account is configured for OTP as the second authentication method, providing the password further requires a one-time password. The OTP is generated randomly with the help of an app. And the account’s owner has to copy/paste/type the OTP via a smartphone app. Sometimes the term OTP is also written as a software token.

Hardware Tokens for 2FA

As the term suggests, hardware tokens for 2FA make use of a physical authenticator device. The device comes in the form of a U2F security key. An example would be the user offering a password to access an account and then inserting the special USB key into the computer to complete the login attempt. Functionally, hardware tokens provide a convenient online and the most secure 2FA credential.

FIDO Universal Factor or U2F is the third most common type of 2FA. This authentication method makes use of NFC or special USB devices that act as security keys. The physical security keys take advantage of public key cryptography techniques to enhance account security. Users first have to buy a U2F security key that supports the FIDO authentication standard and then pairs the key with the account that needs more protection. The security key would then generate a public/private pair of keys. The service protected by 2FA will receive the public key while the user will have to provide the private key in the form of a physical key plugged into a new computer during a login attempt.

Push Notification for 2FA

Popular services like Google and Apple show users a prompt when a login attempt is made. There is no requirement for a software one-time token. An example would be the user logging into a service and then confirming the login attempt on a registered device. The function of push notification is to alert the user of a login attempt while relaying location information. The user may approve or deny the attempt.

Other Forms of Two-Factor Authentication

Some services apply two-factor authentication by requiring the user to input a code sent to a registered email address once the password is provided. The most popular example of this system is Steam. The function of the email address is to receive the OTP code and keep the code in an easily accessible place.

An image featuring a laptop that requires a security key and a mobile phone which has it representing two factor authentication concept

Recovery code is another form of two-factor authentication. This method usually comes into play when the user loses access to another two-factor authentication method. An example would be if the user has forgotten a password to an account and does not have internet access on another device for an OTP code. The main function of the recovery codes is to provide the user with an offline (and backup) method to authenticate account access.

Why is Two-Factor Authentication Important?

Two-factor authentication is important to double-check any login request and make sure that only authorized individuals are able to access sensitive information. Confirming a successful login attempt by providing a separate unrelated credential makes authentication processes more secure. With more and more sensitive tasks being completed online, 2-factor authentication plays the essential role of enhancing cybersecurity and neutralizing common risks inherent in password-based authentication.

What Threats Does 2FA Address?

Among the many types of threats 2FA addresses, the most prominent ones include brute-force password-based attacks, social engineering attempts, and all forms of phishing attacks. Any situation where stolen credentials can be used to cause harm can benefit from proper 2-factor authentication implementation. With 2-factor authentication, the problem of users picking weak passwords for account authentication is partially solved.

Stolen Passwords

Under normal circumstances, a malicious actor stealing a target individual’s password to an account essentially comprises all sensitive information accessible via the account. But with proper two-factor authentication implemented, even if the hacker provides the correct password, the account will require the second authentication credential. That second information item is only available, most commonly, via the user’s mobile device or registered email address. The function of two-factor authentication here is to act as a barrier between a stolen password and account access.

Phishing Attempts

Phishing attempts involve hackers going through an elaborate cyberattack campaign in order to trick employees of a company (though individuals are vulnerable as well) to share confidential information and assets. With 2-factor authentication, employees can secure email addresses, personal and business. In such a scenario, even if the employee is tricked into giving up credentials, the 2 factor authentication will stop any access to sensitive material. The to-be compromised account will require a code only available at the phone number of the employee. Without the code, no access to sensitive information will be possible.

An image featuring phishing concept

Social Engineering

Social engineering involves hackers exploiting security vulnerabilities and loopholes present in most digital platforms. The digital platforms in question usually belong to big organizations and financial institutions. Once compromised, hackers can extract sensitive data and use the information to launch further malicious hacking campaigns.

Companies, individuals, and critical institutions can protect against social engineering by enabling two-factor authentication. 2 FA protects against data breaches and eliminates common frauds by requiring an additional authentication item such as one-time code. With 2FA businesses have a better chance of detecting fraudulent activities and taking action before assets are damaged and/or stolen.

Brute-Force Attacks

Brute-force attacks use computing resources and traditional hacking techniques to guess login information via a trial and based method. If services and accounts are not protected via 2FA brute force attacks can find encryption keys as well as hidden information on web pages. An example would be hackers trying out all combinations of passwords for a target account. Given enough time and resources, the password can be guessed.

With correct 2-factor authentication implementation, if even hackers guess the right password, the administrator can require an additional piece of information for account access. With help from other techniques such as intrusion detection systems specifically made for brute force attacks, 2 FA can put a stop to brute force attacks. If only an additional login attempt with a pre-selected second-factor grants access to the account, the correct password isn’t of much help. Examples of 2FA in this case include biometric Iris or fingerprint scan and USB security key.

Key Logging

Keyloggers are devices that can monitor, record, and share user activities (such as the keys being pressed in a given session) while remaining in stealth mode. Hackers routinely use software and hardware-based keyloggers to track the keys pressed. After capturing the data, hackers can steal financial and other sensitive information.

An image featuring a person that has his finger on his keyboard with red mark representing keylogger spyware concept
An example of keylogging is when the user clicks on a malicious link, downloads a malware-infected file, and unknowingly installs a keylogger on the given device. That’s the entry point for hackers to start recording keystrokes.

2-factor authentication can help against keyloggers by adding an extra layer of security. Only after clearing the additional hurdle will the device grant access to critical functions. For example, if the owner of the device or an account has enabled 2FA via a tablet or smartphone, then the hacker will not only need the information gleaned via the keylogger but also access to the smartphone. Keyloggers do not work well with one-time passwords that are generated by authenticator apps or SMS-based authentication.

Damien Mather Damien is a cybersecurity professional and online privacy advocate with a bachelor of Computer Science. He has been in the industry for 20+ years and has seen the space evolve far bigger than he ever thought. When he is not buried in his research or going through code, he is probably out Surfing or Camping and enjoying the great outdoors.