What is two-factor authentication?

Passwords aren't secure; it's time to add multi-factor authentication

With the threat landscape ever-changing, it’s essential to take measures both straightforward and sophisticated to safeguard your organisation. 

Cyber threats are widespread and are only becoming more prevalent for businesses. As many as 16.5 million Brits fell victim to cyber crime over the past year, costing organisations a staggering £1.4 billion. While there are high costs involved in implementing the proper security measures, the costs of doing nothing – through losses and penalties – are many orders of magnitude greater.

One of the simplest, but most effective, steps that businesses and employees can take is implementing two-factor authentication (2FA). Password hygiene is essential to safeguarding your identity and personal data, with password reuse such a huge problem that cyber criminals are often able to reuse stolen credentials across multiple platforms. It’s certainly more convenient to remember one or two passwords, but repeating passwords on bank accounts, email addresses and social media sites, among other platforms, leaves individuals vulnerable to exploitation.  

Implementing 2FA adds an extra barrier of entry, not just for yourself but for any third party attempting to access your account. Security questions that ask for personal details, like the name of your first family pet or your mother's maiden name, may go some way towards shielding user accounts, but the answers are often easy to discover, for instance by rummaging through social media accounts.

Adding the second authentication factor, whether this is by delivering a code by text message or email, or using an authenticator app, adds a far more robust protective layer. While it may seem arduous to jump through this hoop time and time again, the benefits of having these hoops in place are untold.

What is two-factor authentication?

Also known as multi-factor authentication or two-step verification, two-factor authentication is a fairly straightforward process of confirming your identity twice before access is granted to an account or service.

Broadly speaking, authentication falls into three categories: knowledge factors, possession factors and inherent factors. Knowledge normally means something the person has to remember, like a PIN or password, while possession means a secondary device, like a key fob, card reader or smartphone.

Inherent factors, on the other hand, use a person's unique attributes, which are typically biometrics like a fingerprint, iris or retina scanning, or voice recognition. This is less common in general life and business but can be seen in more high-security situations as the second or subsequent level of authentication.

Two-factor authentication uses two of these methods (or more, in the case of multi-factor authentication) to verify the identity of the person attempting to access an account more thoroughly than a single factor can. Knowledge and possession factors are the most commonly used pairing, hence the mantra "something you know and something you have".

How does two-factor authentication work?

Two-factor authentication invariably uses a second device that acts as a buffer between a service and a login attempt. This can be anything from a number-generating key fob to a smartphone, with the idea being that only the owner of the associated device is able to provide the additional information needed to sign in.

Two-factor authentication is an option for a wide range of services today, whether it be Google or Microsoft accounts, accessing your work's network or content management system, or confirming online purchases.

The additional security check normally appears after a user has entered their username and password. A system will first validate that the credentials are correct and, if the account is flagged for two-factor authentication, will then prompt the user to perform an additional action. This is done either through a third-party provider, such as Duo Security, or as part of the service's own checks, as Google does for its accounts.

The action that users need to perform as part of the additional check can vary between services. They may be required to press 'approve' on a push notification sent to their smartphone, read a one-time code from a code generator such as a hardware token or authenticator app, or input a unique PIN sent via text message.

For example, most banks now have dedicated tokens or random number generators as part of their mobile applications, which are required each time a user wants to access their account in full. Online payments firm PayPal now has a security check that sends a text message with a unique code to a user's smartphone whenever a payment is made.

If the additional action is performed correctly, you're then given access to the account. It can be the slowest part of signing into a service; however, it's an effective way of sifting out those trying to brute force their way into an account.
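The login flow described above, as an added example that is not part of the original article: the service checks the password first and, only for accounts flagged for 2FA, demands a one-time code. The code is verified with TOTP (RFC 6238, the algorithm behind most authenticator apps and many number-generating key fobs), built on HOTP (RFC 4226). The user store, the password-hashing parameters, the function names and the `now` parameter are assumptions for the demonstration; the enrolled secret is the RFC test-vector key, so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test-vector key ("12345678901234567890"),
# base32-encoded the way authenticator apps expect it. A real service generates a
# random secret per user at enrolment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second slot."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current slot or one slot either side (clock drift).

    The comparison is constant-time so the check does not leak how many digits matched."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    slot = now // step
    return any(hmac.compare_digest(hotp(secret, slot + drift, digits), candidate)
               for drift in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed KDF parameters for the demo; tune iterations (or use a memory-hard KDF)
    # for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret_b32: Optional[str] = None) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "password_hash": hash_password(password, salt),
        # None means the account is not flagged for two-factor authentication.
        "totp_secret": base64.b32decode(totp_secret_b32) if totp_secret_b32 else None,
    }


# Constructed user store: alice has 2FA enrolled, bob has a password only.
USERS = {
    "alice": make_user("correct horse battery staple", DEMO_SECRET_B32),
    "bob": make_user("hunter2"),
}
_DUMMY_SALT = os.urandom(16)  # used so unknown usernames cost the same time as known ones


def login(username: str, password: str, code: Optional[str], now: Optional[int] = None) -> str:
    """Return 'granted', 'second_factor_required' or 'denied'.

    A wrong password and a wrong code both yield the same 'denied', so the response
    does not tell a caller which factor failed."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)  # keep timing uniform, then refuse
        return "denied"
    # First factor: the password, compared in constant time.
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"]):
        return "denied"
    # Account not flagged for 2FA: the password alone is enough.
    if user["totp_secret"] is None:
        return "granted"
    # Second factor: prompt for the code, then verify it.
    if code is None:
        return "second_factor_required"
    if verify_totp(user["totp_secret"], code, now):
        return "granted"
    return "denied"
```

Because a six-digit code accepted across three time slots leaves roughly one chance in 333,000 per guess, the second-factor step must be rate-limited and lock out after a handful of failures; that throttling, not the code length, is what makes the brute-force sifting described above hold up.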

Is two-factor authentication safe?

Despite the benefits it offers, it's worth noting that multi-factor authentication is not 100% secure.

Authentication via text message is vulnerable to interception and spoofing by hackers, particularly if they can hijack the mobile account associated with a person's phone number.

Various account-recovery processes for lost passwords can be harnessed by hackers to work around two-factor authentication as well.

And sophisticated malware that has infected computers and mobile devices can redirect authentication messages and prompts to a device belonging to a hacker rather than the legitimate account holder, thereby defeating two-factor authentication from inside the login flow itself.

The most secure methods of two-factor authentication use dedicated hardware tokens, which are difficult for hackers to spoof unless they steal one directly from someone. On the flip side, two-factor authentication reliant on SMS is probably best avoided if you are running an enterprise with a treasure trove of data.

While two-factor authentication may not be quite the security silver bullet it was once expected to be, it's still an important area of security and access control to keep in mind when procuring and setting up services for your business or personal life, because the more hurdles you can put in the hacker's way, the less likely they are to target you.
