Two-Factor or Multi-Factor Authentication


What is 2FA?

Two-factor authentication (2FA) is a form of multi-factor authentication (MFA): before access is granted, the user must present two independent proofs of identity, so that a single stolen credential is not enough. MFA is the general term for requiring two or more such proofs.

Authentication factors fall into three independent categories:

  • What the user knows (password, PIN, or pattern)
  • What the user has (security token, card, or phone)
  • What the user is (biometric like fingerprint or voice print)

Some systems also evaluate contextual signals such as location, time of day, and device information, often described as risk-based or adaptive authentication.

Combining two or more independent factors gives a layered defense. If a user's password is compromised, the second factor still stands between the attacker and the account, which makes unauthorized access far harder. Accounts that typically warrant 2FA include bank and financial accounts, email accounts (which can be used to reset passwords on other services), social media accounts, and any other target prized by attackers.

Why is 2FA needed?

Traditional single-factor authentication relies on a password alone, and passwords are not infallible. According to a 2015 Entrepreneur article titled "Password Statistics: The Bad, the Worse and the Ugly":

  • 90% of employee passwords are cracked in 6 hours.
  • 65% use the same password everywhere, like using one key for the car, the bike, and the house.
  • 47% maintain a password spreadsheet.
  • 27% keep passwords on paper.
  • 38% of knowledge workers share access to web apps & services.
  • 18% of employees share their passwords with others.

It is also extremely difficult for users to maintain:

  • Unique passwords for a multitude of accounts.
  • Long and complex passwords for each account.

Users also often tick the "Keep me logged in" option on web sites, which stores a long-lived session cookie on the local computer. An attacker who harvests that cookie (for example with malware on the machine) can impersonate the valid user on that site without knowing the password and, because the session was already authenticated, without being challenged for a second factor. 2FA protects the login; it does not protect a session that has already been established.

How does 2FA work?

2FA is not new. It began in the 1980s with hardware tokens, and in 2011 Google offered 2FA to its online users through an SMS code. More technological improvements are still coming. You might recognize some of these 2FA scenarios:

  • Swiping a bank card and entering a PIN (something you have plus something you know).
  • Logging into a web site with a password, then being required to enter a one-time code that the site sends to your phone or email address (SMS- or email-delivered codes), or that an authenticator app on your phone generates.
  • Using a VPN client that holds a valid digital certificate (something you have) and then logging in with a password (something you know) before being granted access.
  • Swiping a card, scanning a fingerprint and answering a security question (all three factor types).
  • Plugging a USB hardware token into a computer to generate a one-time passcode, then entering that passcode together with a password to log into a VPN client.
  • Using biometrics such as a fingerprint or retinal scan. A biometric on its own is a single factor; it only counts as 2FA when paired with a factor of a different type.

Technology to the rescue! 

2FA and MFA solutions augment human efforts in the fight against cybercrime. In the future, expect 2FA to become true MFA: something you know (password, PIN, or pattern), something you have (security card, token, or phone), and something you are (voice or fingerprint).

For additional information on two-factor or multi-factor authentication, see the following articles:

WeLiveSecurity (ESET). No more pointless password requirements. Peter Stancik. 3 May 2017.

TechTarget. Multifactor Authentication (MFA). Margaret Rouse. March 2015.

CNET. Two-factor authentication: What you need to know (FAQ). Seth Rosenblatt and Jason Cipriani. 15 June 2015.

Business 2 Community. Multi-Factor Authentication Terms and Factor Types – MFA 101, Part 1. Samuel Carter. 25 May 2017.

Heimdal Security. Why You Should Start Using Two-Factor Authentication Now. Cristina Chipurici. 20 January 2016.

Entrepreneur. Password Statistics: The Bad, the Worse and the Ugly (infographic). Carly Okyle. 3 June 2015.
