Two-factor authentication (2FA) explained: How it works and how to enable it (2024)

Two-factor authentication (2FA) goes beyond passwords to add a second layer of security to the authentication process. Organizations and users alike can better secure their data by making the shift to 2FA.

Credit: DCDP / KrulUA / Getty Images

What is 2FA?

Two-factor authentication (2FA) is a securityaccess method that requires users to provide two forms of identification (aka factors), typically a password in conjunction with a second factor such as a physical token, code generated by an app on the user’s phone, or a fingerprint.

2FA’s primary objective is to provide a second layer for protecting access to systems and accounts by making it more challenging to bypass security controls. By moving beyond the password, 2FA requires users to prove their identity some other way to gain access, typically supplementing something they know (e.g., a password) with something they have (e.g., a security token) or something they are (e.g., biometrics).

As passwords have become increasingly less secure, whether through data breaches or poor user practices, more and more individuals, organizations, and service providers are moving to 2FA to better secure their data and systems.

Why use two-factor authentication?

Widespread data breaches have resulted in more than 20 billion email address/password pairs available through cybercriminal markets, including thedark web, making passwords less secure as a means of authentication than ever. Moreover, most people reuse passwords across multiple accounts, enabling hackers to plug in known email address/password pairs into dozens of sites to see which might provide access. Google’s 2023 Threat Horizons Report found that 86% of breaches involved stolen credentials, and Verizon’s2024 Data Breach Investigations Report attributed more than two-thirds of breaches (68%) to “the human element,” including weak passwords and poor end-user education around accessing accounts.

Many sites use so-called“security questions”or“knowledge-based authentication”— “What’s your mother’s maiden name?” or “What city were you born in?” — as a backup to passwords. Such questions are often posed over and above a password if a user is logging into a site from a new computer or new network connection, for instance. Still, there are weaknesses here: For instance, with so much personal information publicly available for those who know where to look, a determined hacker could probablyfigure out the answers to these questions for a compromised accounts, orbypass them via social engineering attacks. More importantly, they don’t represent a true second security factor, and therefore can’t provide the layered security of two-factor authentication.

Benefits of 2FA

As an access method, two-factor authentication provides a range of benefits, including:

• Improved security: 2FA significantly reduces the risk of unauthorized access by including a second factor for identification beyond just a password. This added layer provides added security in the event that a password gets into the wrong hands.
• Compliance: Due to widespread breaches, some industries, such as defense, law enforcement, and government, have instituted regulations requiring access controls beyond passwords, including 2FA, to access specific systems or entities. Other industries, such as finance and healthcare, have regulations around data security and privacy that require addressing password security practices.
• Extra protection versus phishing: According to CISA, more than 90% of cyberattacks begin with phishing. Two-factor authentication provides another layer of defense, should an employee fall prey to a phishing attempt, compromising their password credentials.
• Customer ease-of-mind: While 2FA does require an extra hoop for customers to jump through to access their accounts, having 2FA in place for your organization’s services may help ease customer’s concerns about the safety of their data or transactions.

How does two-factor authentication work?

To understand what 2FA entails, you first need to know what a“factor”is in security access terminology. A factor is a piece of information required for authenticating an identity. Broadly speaking, factors can be broken down into six categories:

• Knowledge: This type of factor involves something the user knows, such as a password or answer to a security question.
• Possession: To validate a user’s identity, a security system can make use of something the user is expected to possess, such as a specific phone number or security token.
• Inherence: Biometrics, such as a fingerprint or facial recognition, can be used to authenticate a user based on something inherent to their identity.
• Behavior: This type of factor makes use of identifying features in behaviors specific to a user, such as voice recognition.
• Location: Geographic locations can also be used to authenticate a user, for example, through GPS or IP geolocation.
• Time: Time can also be involved as a factor, most often in conjunction with one of the above. For example, a one-time passcode (OTP) sent via text message to a device (possession) that has an authentication window of 5 minutes.

True 2FA pairs your first authentication factor — typically a password (i.e., knowledge) — with a second factor of an entirely different kind, such as:

• Something youhave (possession)
• Something youare (inherence)
• Something you do (behavior)
• Somewhereyou are (location)

Users will need to supply both factors to get access to their accounts.

On the back end, organizations deploying 2FA need to provide users with the requisite interfaces for providing both factors of identification, which can include integrating with SMS systems for sending OTPs to smartphones, making use of hardware biometic APIs on a laptop or handheld device, or development an app for smartphone platforms for second factor authentication, for example.

Organizations will also require an authentication server capable of verifying both factors employed. This server will also need to be integrated with the application or service that 2FA is meant to protect for allowing access.

Examples of authentication methods for 2FA

Given the myriad factors that can be used for 2FA, the range of possibilities for two-factor authentication is broad. Common methods include supplementing a password with one of the following:

• One-time password (OTP): With this method, single-instance codes generated at random are sent to a user — for example, via SMS or email — for single use to authenticate their identity through a possession factor.
• Biometrics: Fingerprint scanning is an example of using biometrics for authentication. Facial recognition via smartphone is becoming increasingly common practice for 2FA.
• Authentication apps: Use of applications that generate time- or event-based OTPs that users must enter during log-in are another common factor used for 2FA.
• Physical tokens: Hardware or physical tokens that generate one-time codes are another common factor. Such tokens are often USB-based or display-based. RSA SecurID is an example of this. Hardware-based 2FA is considered more secure than software-based versions, given the need for physical possessions of the token.
• Push notification: Some 2FA setups include a step whereby users are sent push notifications to a registered device from which they must approved or deny a login attempt.
• Location-based authentication: Checking whether a user is attempting access from a known location is another way to conduct 2FA. If the user is logging in from an unknown location, additional verification can be undertaken, such as a push notification or OTP.

Multi-factor authentication

Two-factor authentication is just a subset of the larger concept ofmulti-factor authentication (MFA),since in theory you could aggregate any number of required factors for authenticating users before giving granting them access to secured data.

How secure is 2FA really?

While 2FA provides an extra layer of security, it is no panacea. If ahacker breaks any link in the 2FA chain, your system can be compromised. And while 2FA can reduce the likelihood of phishing and social engineering attacks succeeding, phishing and social engineering remain hackers preferred methods for breaking 2FA.

Moreover, not all authentication methods are equally secure. For example, SMS-based two-factor authentication, among the most popular in use today, is still considered risky, according to the National Institute of Standards and Technology (NIST), as wireless carriers can be a weak link in the chain. SIM swapping, for example, is one method hackers use to intercept 2FA texts.

The assurance level of various factors commonly used for 2FA are as follows:

• Low-assurance factors: passwords; hardware OTP; SMS, voice, email OTPs
• Medium-assurance factors: physical token OTPs; push authenticators
• High-assurance factors: platform-based authenticators; biometrics

For more on these security issues and others, see “The trouble with 2FA.”

How do hackers typically attack 2FA?

Among the most popular and effective ways that hackers break 2FA are:

• SMS-based man-in-the-middle attacks
• Supply chain attacks
• Compromised MFA authentication workflow bypass
• Pass-the-cookie attacks
• Server-side forgeries

For more on these attacks and advice on how to get 2FA right, see “How to hack 2FA: 5 attack methods explained.”

Two-factor and multi-factor authentication vendors

If you’re looking to roll out 2FA or multi-factor authentication for your own corporate users, a number of vendors will be happy to help you. Among the most feature-rich and popular are:

• Cisco Secure Access by Duo
• IBM Security Verify
• LastPass MFA
• Microsoft Azure AD MFA
• Okta Adaptive MFA
• PingOne MFA
• RSA SecurID
• Yubico Yubikey

For a deeper look at these products, and advice on how to choose, see “8 top multi-factor authentication products and how to choose an MFA solution.”

How to enable 2FA as a user

As a consumer, enabling two-factor authentication for all your accounts can be a daunting process. The Verge has put together adetailed and frequently updated list of major service providers, including Apple and all the major social media sites, along with instructions on how to enable 2FA for your accounts there. We’re going to provide more specific resources for two major sites so you can get a sense of some of the issues involved with the process.

2FA for Google

Google refers to its two-factor authentication as “Two-Step Verification,” and walking through the steps on Google’slanding page for the servicewill get you started. Once you’ve set things up, Two-Step Verification will secure your Google account and all the services tied to it; when you log into your Google account, you’ll receive a code via text that you’ll need to enter as well, or you can order aTitan Security Keyif you prefer a physical security token. You can choose to disable 2FA for certain trusted computers, if you prefer; this will mean you don’t have to constantly deal with multiple security factors when you’re at home, for instance, but anyone logging in remotely will have to put in the extra work to prove they’re you.

2FA for Epic Games and Fortnite

Epic Games, creator of the wildly popular Fortnite game, also allows you to set up your account with two-factor authentication.Windows Central breaks down thereasons why this is one account in particular you’ll want to double-protect: a lot of scammers target the game’s younger players with tempting links that offer free Vbucks, Fortnite’s in-game currency. These are in factphishingscams that aim to harvest your login credentials and get access to your account (and whatever payment information you’ve saved to actually buy Vbucks). If you’re a parent of Fortnite-loving kids, you should probably add 2FA to your Epic Games account.