What is Two Factor Authentication

Passwords have long been used to secure online accounts. But have you ever wondered how long a hacker can crack your password?

Depending on the length and mix of numbers, upper case letters, lower case letters, and symbols that make up your password, a good hacker can get through your account instantly. With a complete mix of at least 10 characters, it may take years for your password to be broken.

Cybercrooks are getting better at their trade. They are always hungry for passwords. Passwords alone can no longer be a guarantee for online security. Many global companies, big and small, have been victims of cybercrimes that have cost them millions of dollars and loss of trust by their customers.

Take the case of some of the biggest data breaches in history. 

The Yahoo hack compromised three billion user accounts in two separate attacks in 2013 and 2014. MySpace, the once powerhouse social media site, experienced a leakage that resulted in the sale of 360 million of its user accounts on the dark web. 

Identity Protection - McAfee Total Protection

Buy Now

We earn a commission if you make a purchase, at no additional cost to you.

Add to that the 147.9 million victims of the Equifax breach in 2017.The eBay attack in 2014 is another disaster that exposed 145 million customer accounts.  

Even giants with sophisticated security systems are not invincible. What can small businesses and individual online accounts with just passwords to protect them do? 

An extra level of security is a clear and first option. This is the function of two-factor authentication, also known as 2FA.

So what exactly is two-factor authentication?

Two-factor authentication is a security mechanism in which individuals provide two authentication factors to log on to their account. Using a username and a password to log in to an account is in itself a 2FA. So is withdrawing cash from an ATM using your ATM card and a PIN. 

For more protection, you can add another level of security using a combination of your password and a one-time code or password (OTC/OTP) sent to your mobile phone or email. You can also opt to answer security questions or use biometrics, such as a fingerprint, voice print, fingerprint or retinal scan.

Businesses with highly critical applications and services may go further in their authentication processes by using a multi-factor system (MFA). This system involves not only two but three or more security layers to detect suspicious user behavior and prevent unauthorized access.

Types of authentication factors

Authentication factors are the ways by which you can validate your online account to be able to access it. When you log in to your account, you normally enter your username and password. Today, as hackers keep pace with advancing technology, passwords, even strong ones, are becoming more and more vulnerable to hacking.

Thanks to 2FA, you can better protect your account with any of the following authentication factors:

Possession factor

You can use something you own, such as a smartphone or laptop, to receive a one-time authentication code via SMS code or email. You can also use a bank/credit card to withdraw money from your bank account.

Other gadgets that can fulfill the function of 2FA are smartcards and physical security keys that you can connect to your computer, such as a USB or Bluetooth. But providing specialized security devices for your computers is cumbersome. That’s why the most practical gadget you can use for 2FA is the one that you carry around all the time — your smartphone.

Inherence factor

This involves something inherent or unique in your physical self. It may be your fingerprint, voice or retina.

The downside of this factor is that fingerprint readers and facial recognition software may not always work on all phones. Only high-end phones, such as smartphones, that have biometric scanner capabilities may benefit from this type of factor.

Time factor

This is a time-based authenticator that controls user logins based on time. It permits access within a specific time window and restricts it outside that window.

Location factor

Companies that need to protect sensitive data may use an authentication factor denoted by the location from which the authentication initiative is being made. It works by limiting authentication efforts to specific devices in specific locations. This may include the Internet Protocol (IP) address or geo-location of the devices. A good example of a geolocation authenticator is the Global Positioning System (GPS).

Knowledge factor

The knowledge factor or something you know is the most common authentication method. It may be a password, personal identification number (PIN) or answers to certain secret questions. You usually use a password when you want to access your online accounts or a PIN when you want to withdraw cash using your ATM card. 

Some expert opinions argue that two knowledge-based authentication factors don’t represent true 2FA because you’re just supporting something you know with another thing you also know. For example, using a password with an answer to a secret question is still considered a single-factor authentication (SFA) because they belong to the same category — knowledge.        

Real 2FA involves two or more types of authentication factors. Your first authentication factor is usually your password, which is a knowledge factor. To achieve 2FA, you need to pair your password with a non-knowledge-based factor, such as something you have, something you are or somewhere you are. To illustrate:

• 2FA = Password + Device + OTP
• 2FA = Password + Device + Biometrics
• 2FA = Password + Device + IP Address or geolocation
• 2FA = Password + USB or Bluetooth

How does 2FA work?

Here are the basic steps when logging in to your account or site in a 2FA environment:

1. You’re asked to enter your username and password or use biometrics, such as your fingerprint, voiceprint, or iris scan.
2. Once the site’s server finds your identity, the second step usually involves the use of something you have, such as a mobile phone, USB, or computer to view your OTP.
3. You’ll then key in the OTP sent via your mobile phone or email, or
4. In push-based authentication, you’ll get a prompt from your mobile device to confirm if you’re logging in to your account, or
5. Use your security key, such as a USB, NFC ( near-field communication device), or Bluetooth.
6. You’re now ready to access your account or the site.

Why is two-factor authentication so important?

Two-factor authentication is all about online security.

Usernames and passwords remain the most common forms of account authentication. While passwords provide some level of protection, they’re not foolproof. Hackers tend to revolve around weak passwords to gain access to online accounts. 

In December 2017, researchers from 4iQ discovered a massive breach involving more than 1.4 billion clear text credentials that were circulating on the dark web. Weak passwords and password reuse across people’s email, social media, work, banking, and e-commerce accounts were the main culprits of the breach.  

NordPass password manager | Zero password stress. Forever. | NordPass

Buy Now

We earn a commission if you make a purchase, at no additional cost to you.

People that get more comfortable doing almost everything online are likely to open more and more accounts. Many of them tend to have lousy memories so they use the same password in all their accounts. The common passwords used were:

You can see a pattern that any amateur hacker can easily crack. However, if additional authentication factors are put in place, the attacker would face one more obstacle. It’s important to make sure that the factors are independent from one another so that the compromise of one does not lead to the compromise of the others. That is, use something you have, something you know, something you are, or somewhere you are.

Being secure is daunting. But the bad guys are waiting for you to get lax in protecting yourself online. While it may take a little longer to log onto a new device with a 2FA system, it’s worth it to prevent theft of your private data, identity, and money.

Best authenticator apps

Authenticator apps provide better security than SMS codes because hackers can intercept the codes from your phone. Following are common apps that cover the major services most people use.

Google 2-Step Verification

This Google authenticator app allows you to set up a 2FA by using the inherent Android features in your phone rather than the authentication app. It’s more convenient since all you have to do is tap on your phone instead of entering a six-digit code. 

You can enter a password to access your account for almost any service. The app offers multiple options to enter the second step. If 2-Step Verification is on, Google Prompt will instruct you to tap on your phone to acknowledge you’re the one signing in.

You may also opt to receive a verification code sent to your phone via SMS, voice call, or by using the Google Authentication app, or any authenticator app. 

As an added feature, you can visit your Google account security settings where you can select the phone numbers that can receive codes. While there, you can also switch to another authentication app or access 10 codes that you can use if your phone dies or if you can’t get through the authentication.

Microsoft Authenticator app

The app is available for iOS and Android on a mobile phone or tablet. You can sign in to your account by using your username and password. After you sign in, you can choose the second factor you want to use, which may be a phone call, an authentication app or text.

If you choose the authentication app, you have two options. You may sign in with a notification from the Microsoft Authentication app or a verification code from the same app.

You can also use alternative methods to sign in including any of the following:

• Use verification from my mobile app
• Notify me on my mobile device
• Text me at (your mobile number)
• Call me at (your mobile number)
• Sign in and sign out with another account
• More information

LastPass Authenticator

LastPass Authenticator features one-tap push notifications that allow you to sign in to select sites with a click instead of a code. This function also works with other third-party sites including Amazon, Dropbox, Facebook, Google, and Evernote. 

The app can integrate with other sites that include LogMeIn Pro/Central, LogMeIn Rescue, GotoAssist, and Zively.

When a user logs in to a third-party site, the LastPass browser extension transmits a push notification to the user’s phone. This notification informs the user that a login is being requested. After the user taps Allow, the extension returns a confirmation message together with the 2FA code. The user enters the code to the login page and the user is logged in. 

Yahoo Account Key or 2-Step Verification

Look for the link to sign in on the upper-right hand corner of any Yahoo page. Go to Manage Accounts > Account Info and click on Account Security. The Two-Step Verification toggle will appear and immediately send your phone number and five-digit verification code.

If there’s a Yahoo app on your phone, the Yahoo Account Key will send a notification to it directly. You then push the confirmation button to log in without the use of codes or passwords. If you don’t have a Yahoo app on your mobile, Yahoo will send an eight-digit code via text or email.

After you’ve set up either the 2-Step Verification or Yahoo Account Key, you can generate a new unique password to access other Yahoo services with no direct support. 

WhatsApp Two-Step Verification

Setting up the verification app starts by going to Settings > Account > Two-Step Verification. Tap Enable to create a six-digit PIN to enable you to register your phone number and email. If you’ll later log out or sign in with a different device, WhatsApp will send a code via text and re-enter your PIN.

Instagram Two-Factor Authentication

Facebook owns Instagram. To set up the authentication app, go to your profile and click on the Hamburger menu on the top right. Go to Settings > Security and tap Two-Factor Authentication where you’re given two choices to get your authentication code:

1. Via Text Message – Open Text Message and register your phone number, including the country code. You’ll receive a confirmation code via SMS text message.
2. Authentication App – Since you can’t scan a QR (Quick Response) code with your mobile phone when you’re using it to access the app, the app will teach you the process to set it up.

The app also provides five recovery codes to get access to other devices or to turn off 2FA. You can take a screenshot of the codes or access them directly from the app.

Twitter Two-Factor Authentication

To activate the Twitter authentication app, click the More Menu on the left hand portion of your desktop screen. Select Settings & Privacy > Account > Security > Two Factor Authentication. You then choose to receive codes from your phone, authentication app or a physical security key.

In the authentication app, Twitter will generate backup codes that you can use when you lose a device. It also provides one-time temporary passwords at devices or services where you can’t get 2FA codes.

You can likewise use the Twitter app as your authentication app. Click the Login code generator to get a six-digit code that updates every 30 seconds.

LinkedIn Two-Step Verification

It’s relatively easy to activate or deactivate the LinkedIn Verification app. You can use SMS text or an authentication app. Start by going to Me Menu > Settings & Privacy > Account > Two- Step Verification.

The app will immediately provide you a six-digit code. You’re allowed to register only one phone number but you can go back here to get recovery codes to access the account without using your phone.

Twilio Authy

To set up the app, you’ll need to provide your phone number. Not many users are comfortable with this requirement. Some also fear that this arrangement may open up their phone credentials to Sim card swap fraud.

Authy’s redeeming feature is its encrypted cloud backup. But it may be risky to add the account to a new phone even with a PIN code sent via SMS or call. Users can choose a password or passphrase which the app uses to store info in the cloud. The password is known to only you. If you forget it, Authy won’t be able to recover the account.

Two-Factor authentication best practices

Strong passwords and PINs. Secure verification codes and devices. Multiple authentication factors. When combined with security, usability, and excellent user experience, these ingredients make up a solid two-factor authentication strategy.        

We’ve put together a list of common two-factor authentication best practices. Read on to find out what works best for you.

Craft the right mix of authentication factors

Our world is plagued by cyber threats and the attacks are becoming more intense and more frequent. Strong passwords alone can no longer guarantee full security for your personal information.

Security scientists have come up with additional layers of protection. SMS texting through mobile devices is the most familiar method people use after entering their password. Robocall is another option for busier people.

Your phone itself is an added security layer. That’s why it needs to be protected with a very strong password to repel attacks such as phishing. Once it’s compromised, the whole 2FA system is compromised.

The push notification technique is quicker and easier to use. It’s less vulnerable to phishing because it doesn’t need a passcode. Also, if the approximated location comes from an unusual area, your phone may alert you to take action.

Not all users are aware of a physical security key. It may be a USB or Bluetooth-connected key      you can insert to your computer instead of entering a code. This is a basic tool for people who work at cybersecurity companies and big social media companies, such as Google, Facebook and Twitter. 

These keys are relatively inexpensive and easy to install. Security experts recommend buying keys that are compliant with the FIDO2 (Fast Identity Online) standard, which mandates a higher level of authentication. You also need to make sure the key is compatible with your device.

Can two-factor authentication be hacked? It’s possible, but if you use the right combination of factors and devices and add extra layers, the odds are low.

Secure your devices, gadgets, and tools

The widely used way of accessing services is through digital devices. The Internet of Things makes possible the interconnectivity of all things, such as:

• Smartphones 
• Laptops 
• Personal digital assistants (PDAs) 
• Tablets 
• Wearables
• Smart home appliances
• Medical equipment
• Business, banking, and financial systems

While these devices need to be intelligent, adaptive, and responsive, they should be fully secured. The healthcare sector, for example, is a critical area where security and privacy are crucial requirements in the delivery of services. Due to the increasing escalation of cybercrimes and threats, experts have proposed three-factor or even multi-factor authentication schemes for healthcare systems.

Other groups that can be impacted by unsecured devices are banking and financial institutions, online shopping and e-commerce businesses, government entities, and social media companies.

Always offer two-factor authentication option

A dependable two-factor authentication system starts with no less than two options. Don’t be complacent with employees and customers because any compromised device or malware from any of them could infect your whole network.

Some argue that it may be overkill to offer 2FA if they don’t have highly sensitive information. But all personal information is considered sensitive information. Make the 2FA method part of company policy and get everybody on board.

Watch out for trends

Trends give us an idea of the general direction the market is taking during a specified period of time. While trends indicate what people like, you must be able to tell real trends from hype or fad.

As two-factor authentication becomes more popular, it’s likely that cybercrooks are likewise keeping pace. Cyber threats are increasing. Phishing and hacking are commonplace. But all these activities could create opportunities to refine your security technology.

What’s next after two-factor authentication?

It started with the good old usernames and passwords. Then came the passcodes, passphrases, TOTPs, OTPs, push notifications, security keys, and biometrics to build the two-factor authentication system.

Today, security experts are considering bringing biometrics to the next level. They call it behavioral biometrics. We already use biometrics to unlock our devices. Fingerprints, voiceprints, retinal scans, and facial recognition have all been around for some time. 

However, we’ve found out they’re not all foolproof. In some instances, it’s possible to deceive fingerprint sensors and facial recognition systems. Behavioral biometrics aims to further tighten security by observing how users perform and deliver authentication processes.  

For example, you may have an inherent pattern in typing your password. If a bad guy learns your password but enters it differently, they may have a hard time accessing your account. Behavioral biometrics may also analyze the way you walk, the way you hold and touch your device, or the way you move the mouse.

We’re hoping specialized sensors, radars and locators may be able to do the analysis for us.