What Is Two-Factor Authentication? A 2023 Guide to 2FA
Most online services use 2FA to protect users' online security. But you might be wondering, what is two-factor authentication, and how does it work? Find out the details in this guide.
Two-factor authentication (2FA for short) is now a key feature for most services on the internet. Although the tech is decades old — with implementations in credit cards and identity theft protection software — it’s only been in the last decade that online services, such as the best cloud storage providers, have started using 2FA widely.
It’s easy to see why, too. Two-factor authentication is simple enough for most people to understand, and it offers a massive boost to your online security. In this guide, we’re going to discuss what two-factor authentication is, how it works and why you should use it.
Although two-step verification is an essential part of keeping yourself safe online, it’s only a part. If you want to keep yourself safe on all fronts, make sure to read our guide on the best online backup services and the best encryption software.
Two-factor authentication works by requiring two pieces of information to log in to an online account. In most cases, you’ll need something you know — like your password — and something you own — like your mobile device — to access an online account with 2FA enabled.
No, 2FA isn’t hard to use. With wide adoption of major platforms and authentication apps like Authy and Google Authenticator, using 2FA often adds no more than a few seconds to your standard log in time.
Two-factor authentication is used to add an extra layer of security to your online accounts. Instead of relying on a single secret, like your password, two-factor authentication requires two pieces of secret information, like a password and a single-use code.
What Is Two-Factor Authentication (2FA)?
Two-factor authentication — or two-step verification, as some services refer to it — adds an extra level of security to your online accounts. Whenever you log in to a website, instead of using a single factor like your password, you’ll use two factors, like your password and single-use code sent to your email.
That means as long as you have 2FA enabled on your online account, an attacker won’t be able to access that account, even if they have your password.
For 2FA, the general idea is that you need to authenticate with both something you know and something you own. The thing you know is your password in nearly all cases, while the something you own could be a number of different things. It could be a code sent to your email or phone, or it could be some hardware device, such as the YubiKey.
There’s also multi-factor authentication (MFA), which ties in a number of different elements to give your login attempt an overall risk assessment (something we’ve seen with the best identity theft protection software). This holistic approach uses several factors to determine if a login attempt is legitimate or not.
Two-Factor Authentication vs Multi-Factor Authentication
The main difference between two-factor authentication and multi-factor authentication should be clear. While 2FA uses two factors, MFA uses three or more. Most online services have some form of 2FA, though very few have MFA. It’s more of a business-oriented security measure, offered through single sign-on services like OneLogin.
Outside of the number of authentication steps, the largest difference is the level of security between 2FA and MFA. For 2FA, you may use an authenticator app — we’ll talk more about those soon — or a verification code. MFA, on the other hand, usually involves a holistic approach to authentication.
For example, the authentication mechanism may detect if you’re using one of your trusted devices, or they may require a personal identification number (PIN) in addition to your password. However, the most common additional factor is location-based authentication. Using your IP address and other metadata, the MFA app can determine if you are who you say you are.
How Old Is 2FA?
It isn’t entirely clear how old 2FA is, but digital 2FA dates back to 1986. Then, RSA released a small key fob with a screen, which would show a code to authenticate a login attempt. Although this was commonplace in enterprise and government settings, it wasn’t until 2010 that companies started pushing 2FA for consumers.
Outside of the internet, security measures like requiring a zip code for credit card purchases or a PIN number when using an ATM are, in their own way, forms of two-factor authentication. The authentication method is different, but you’re still using two factors to prove you are who you say you are.
Although it’s unclear when 2FA started, it has only been widely adopted in the last few years. Now, every major social media platform has some form of 2FA, along with online marketplaces like Amazon and eBay. You can also secure accounts without native 2FA using an external app, which we’ll get to shortly.
Why You Need Two-Factor Authentication
The most obvious reason you need two-factor authentication is security. Having your username and password compromised through a data breach, a phishing email or some other attack is becoming increasingly common. Two-factor authentication is simply an extra layer of security that is simple, convenient and offers a massive boon to your online security.
That’s because 2FA distributes risk. Instead of relying on a sole secret, you’re relying on two — or more. The attacker may be able to access the authenticator app on your phone, or they may be able to compromise your password, but the likelihood of doing both is slim.
Although security measures are continually getting stronger, so are the cybercrime methods that hackers use. Criminals often either buy compromised databases on the dark web or use widespread attacks to compromise as many accounts as possible in a single go.
Even if you don’t do anything particularly risky on the internet, that doesn’t necessarily mean you’re safe (but we have a dedicated guide for the best VPN for the dark web in case you decide to).
Two-factor authentication can be very convenient, too, especially with an authenticator app. Instead of using an SMS authentication code every time you want to log in, you can simply approve a push notification with an authenticator app on your phone. It’s a simple step that, in most cases, adds no more than a few seconds to your login time. Those few seconds could save your account if your password is compromised.
The Dangers of Passwords
You should be using a password manager. Although we recommend 1Password most — read our 1Password review to learn why — there are plenty of free password managers available, such as LastPass (read our LastPass review). There are a few reasons why you should use one, but the biggest is that they let you set long, random passwords.
Passwords that you can remember are inherently weak. By using brute force methods — such as a dictionary attack — hackers can guess your password simply by running a program. That means any identifiable words, acronyms or number combinations are a bad sign.
The classic “password123” example shows that in action. It includes a full word — one available in the dictionary — and a short, identifiable string of numbers.
You want long, random passwords, fit with special characters and no recognizable pattern (we even have a generator that creates these passwords). However, that doesn’t fully protect you. Data breaches still happen, and as the 2012 Dropbox breach shows, they can still expose passwords, no matter how strong they are.
That’s where 2FA, or preferably MFA, comes into play. By using two or more factors, you’re spreading the risk between multiple points. An attacker may have access to your password, but as long as you have 2FA enabled, they won’t be able to use that password without having access to your second factor.
Is 2FA Vulnerable to Hackers?
The short answer is yes, 2FA is vulnerable to hackers. However, that’s assuming all forms of two-factor authentication are equal. There are more secure forms of 2FA that aren’t vulnerable to hackers or, at the very least, offer enough of a time deterrent to make it impractical for a hacker to actually take advantage of a vulnerability.
Let’s start with vulnerable routes. A good example of antiquated 2FA is email authentication. Although 2FA codes sent to your email are decreasing rapidly, they’re still present. The process works like this: you attempt to sign in to your account, and the website that holds that account sends you a verification email so you can confirm your identity.
Recent 2FA Studies & Statistics
A recent study from Google and Harris Poll found that 65 percent of participants reuse the same password on all or a significant portion of their accounts. If you reuse your password across accounts, then there isn’t much of a reason to use email 2FA at all. The attacker already has the key to all of your accounts, 2FA be damned.
It’s not just weak online security practices that puts 2FA at risk, though. In 2011, RSA was the victim of a large-scale attack against its SecureID tokens, marketed specifically as a secure form of 2FA. Account recovery features can also pose an issue, with some websites bypassing 2FA entirely when the attacker utilizes the account recovery feature.
These tactics are, thankfully, becoming less effective. As we’ll get to in the next section, authenticator apps take the risk out of using two online — and therefore, vulnerable — accounts to authenticate, and many services have started including account recovery tokens, which you need to bypass 2FA.
There are still risks for high-value targets, where hackers can launch an attack to intercept authentication tokens. However, tactics like this only work when they’re targeted, so you probably won’t run into them. Large-scale breaches like what RSA experienced and weak online security practices are the key problems 2FA faces.
How Does 2FA Work?
Two-factor authentication is simple in most cases. Many major websites — including all major social media platforms, Amazon, PayPal and more — have two-step verification built in. For example, Dropbox has text-based 2FA in your account settings, under the “security” tab.
For this type of authentication, the process is simple. When you attempt to log in to your account, that will trigger the 2FA mechanism, which will send you some sort of code (usually to your email or mobile phone). It could be time-based, meaning it’s only valid for a few minutes, but in most cases, you simply need to enter that code to unlock your account.
Two-factor authentication apps make the process even easier (read our best 2FA apps guide for more on that). Google Authenticator, Authy and LastPass Authenticator are all free apps that exclusively handle two-factor authentication. Even better, these apps are time-based, and you don’t need an account to use them.
As we discussed, email 2FA, in particular, is problematic. If you’re using the same password across multiple accounts and having verification codes sent to your email, then there’s really no point in having 2FA enabled at all. If the attacker has access to one account and you’re using the same password, they have access to them all.
That’s what makes authentication apps so helpful. The app is tied to your device, meaning the attacker doesn’t only need your password, but also physical access to whatever device you have the authenticator app on.
What Are Authentication Factors?
There are three main ways 2FA security systems authenticate you: by using something you know, something you own and/or something you are. These are authentication factors. Although everything boils down to one of the three, there are some differences within each factor.
Knowledge Authentication Factors
Your first factor is almost always something you know. Usually, it’s a password. Knowledge factors tend to be the strongest simply because they aren’t recorded anywhere. In the case of a strong password, the only place you might store them is in a password manager. As long as you’re using one of the best password managers, you don’t need to worry there.
However, not all knowledge factors are built equally. Security questions are a good example of a bad knowledge factor because, in a lot of cases, an attacker can figure out a security question either by guessing or digging around online.
A good knowledge factor is something you — and only you — know, such as a long, random password. It’s important to remember that attackers can perform a brute force attack, so you want to make sure your knowledge factor is completely unique. For example, a particular date is bad.
The most common additional factor you’ll encounter is a one-time password (OTP). That’s mainly because a lot of websites have OTP systems already in place. In addition to your regular password, you’ll need a single-use password that’s generated on the fly and sent to you. That could be through a push notification on your mobile device or an app, such as Google Authenticator.
As for time-based OTPs, or TOTPs, they only work for a set amount of time. For example, Steam Authenticator constantly generates a new six digit code for your Steam account every 30 seconds. This is by far the most common form of 2FA, but it’s not without faults. Man in the middle attacks can expose OTPs, though with time-restricted codes, that’s harder to do.
HOTP stands for HMAC-based one-time password. Instead of being time-based, these OTPs are event-based. Whenever you request an OTP, it’s generated using hash-based authentication codes (HMAC). The OTP stays active after you request it until you request another one.
In a digital setting, TOTP works better, and has become the standard for most authenticator apps. However, you may still find HOTP in hardware authentication devices.
U2F — now FIDO2 — was the easiest and most secure second factor for years (though biometrics are quickly replacing hardware tokens). U2F stands for Universal Second Factor, and as the name implies, it works with just about everything. You’ll see U2F in the form of a YubiKey, which is a small, USB drive-like device that stores a hardware token.
That hardware token is your universal second factor. The advantage in security is clear. By using a hardware token, you don’t run the risk of a time-restricted code being compromised by a man in the middle attack.
Additionally, devices like the YubiKey are origin binding, meaning they only work with the destination site. Even if you, say, fall victim to a phishing email, the device won’t let you complete login.
More services are starting to support hardware-based authentication, too. The list currently includes ProtonMail, Namecheap, Twitter, Reddit, YouTube, Squarespace, Keeper, Facebook, Dropbox, RSA SecurID and even macOS. Not every site supports U2F, but Yubico covers most of the bases, including support for password managers like Dashlane and Bitwarden (read our Dashlane review and Bitwarden review).
The problem with hardware authentication is price and convenience. Most dongles run around $30-$50, and they require you have the device on you at all times. Thankfully, software measures are getting closer, especially on mobile devices.
Biometric authentication was the stuff of science fiction a couple of decades back, but now, you’re likely unlocking your phone each day with some form of it. All things being equal, biometrics are the most secure way to authenticate since the factor is unique to you and only you. Plus, it’s convenient, with nearly all major smartphones including face and fingerprint identification.
However, recent white-hat efforts have shown that hackers can fake a fingerprint, and that they can do it in around 20 minutes. Worse, you can’t reset your fingerprint or face. If an attacker compromises one, you have to use something else entirely.
Then there’s the privacy concern, with big tech gathering hundreds — and eventually thousands — of fingerprint and face scans from every user. Even with those concerns, biometrics remain the most interesting authentication measure for the future.
Location, Behavior and More
Although you won’t see it with most consumer-facing 2FA apps, enterprise MFA often considers a number of authentication factors. That includes your location, usual device behavior, IP address, device ID, application version and more. Using all of this data, services like OneLogin can create a risk score and assess your login attempt based on that score.
Outside of the digital world, these factors mirror what most credit card companies do to assess fraud. Identity theft protection tools, such as Identity Guard, use similar measures to detect changes in your credit, accounts and more.
What’s Next for 2FA?
Two-factor authentication is already a staple feature with basically any online service. However, not all authentication systems are built equally. Man in the middle attacks can compromise OTPs received via text message or email, and hardware measures like the YubiKey are expensive and inconvenient.
Consistency is probably next on the docket, as websites move away from time-based codes toward other methods, such as using a push notification on your phone or authenticating with biometrics. These factors not only enhance the user experience, they also bypass some of the problems with OTPs.
Along with that, though, we expect to see more holistic consideration whenever websites approve a login. For example, social media platforms already scrap tons of information from your browser and store it (read our best VPN guide if you want to get around that). Might as well put that data to good use.
Overall, though, we’ll likely see wider adoption of U2F, as well as strides from mobile manufacturers to implement 2FA through the biometric measures most mobile devices already have. What do you think, though? Are you using 2FA? Let us know in the comments below and, as always, thanks for reading.