What Is Two-Factor Authentication (2FA), How Does It Work, And Is It Secure?
Two-factor authentication is one of the best ways we can secure digital accounts. But what is it, how does it work, and is it secure?
By Joel Witts, updated Nov 01, 2022
What Is Two-Factor Authentication (2FA)?
Two-factor authentication provides an extra layer of security to stop cybercriminals from gaining access to accounts—even if they have managed to hack the username and password through a phishing scam.
Traditionally, accounts require just one “factor” of verification: a password. But with 2FA, accounts require an additional method to prove the user genuinely is who they say they are.
A good way of thinking about 2FA is the ATM analogy. When you use an ATM, you have a physical card, and you have a PIN. Without both of these factors, you can’t get access to your bank account. 2FA works much the same way: you need two authentication factors to gain access to digital accounts, making them much more secure.
There are three typical factors 2FA can use:
Something you know: Generally the least secure factor, “something you know” can include a “secret answer” or a PIN that you have previously chosen.
Something you have: A much stronger factor of authentication is “something you have”, which can include a registered device that is sent an SMS code, an authentication code from a dedicated application, or a physical key.
Something you are: Arguably the strongest factor of authentication, “something you are” can include biometrics, like a fingerprint scan, iris scan, or voice recognition technology.
If an attacker can get hold of a leaked password or stolen credentials, 2FA can block them from gaining access to a corporate account. It’s relatively easy for a cybercriminal to crack a password or leverage a database of already compromised passwords; it’s much harder for them to access a code on a locked device, and incredibly difficult for them to fake a fingerprint.
This means that 2FA can vastly improve account security and, in many cases, it’s very easy to implement, for both end users on personal accounts and for IT admins looking to deploy 2FA across an organization.
How Does 2FA Work and Is It Secure?
When 2FA is turned on, a second step is added to the authentication process, preventing accounts from being accessed with just a password. For the end user, this means they must verify their identity with a second form of authentication.
There are many ways that 2FA can work. Let’s take a look at some of the most common methods, and how secure they are:
SMS-based authentication: The most commonly used method of 2FA, this involves a text message or notification being sent to a device to confirm the login is genuine. The text message often includes a one-time code for the user to enter to authenticate their identity. This method is not the most secure form of 2FA, as SIM cards can be cloned, but it is very easy for the end user.
Authentication apps: An increasingly popular method of 2FA, these are dedicated apps that, once downloaded to smartphones and tablets, provide randomly generated codes that enable access to connected applications. This is more secure than SMS-based authentication, as these codes can only be used on dedicated devices. However, they can still be breached if devices are hacked or remotely controlled.
Hardware tokens: A common method of 2FA in the enterprise, dedicated keycards or tokens can be used to authenticate user access on local devices. This method is highly secure, as it is unlikely that cybercriminals will be able to access hardware devices.
Biometrics: Arguably the most secure factor of authentication, many new laptops, tablets and smartphones have fingerprint or facial recognition software that means you can authenticate access with just a glance or a tap. But while biometrics are very secure, access can sometimes be overridden with the device passcode, which is often very easy for cybercriminals to guess if they can gain access to the device itself.
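The codes an authentication app shows are normally time-based one-time passwords (TOTP, RFC 6238, built on HOTP from RFC 4226): the app and the server share a secret, and the code is a short hash of that secret and the current 30-second time step, which is why the code is only valid briefly and only on the enrolled device. This is an added example, not code from the article; it uses the RFC test secret and adds a server-side check that tolerates one step of clock drift and rejects a code that has already been used.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`.
    This is what the authenticator app computes and displays."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server-side check. Accepts +/- `skew` time steps for clock drift and
    returns the accepted counter so the caller can persist it; any counter
    <= last_counter is rejected so a captured code cannot be replayed inside
    its validity window. Comparison is constant-time."""
    base = at // step
    for counter in range(base - skew, base + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test vector: at t=59 the 8-digit code is 94287082, 6-digit 287082.
    print("code at t=59:", totp(SECRET, 59))
    print("accepted counter:", verify_totp(SECRET, "287082", 59))
    print("replay attempt:", verify_totp(SECRET, "287082", 59, last_counter=1))
```

The server must store `last_counter` per user and treat time and secret as sensitive: the same secret on a second phone produces the same codes, which is why losing control of the enrolled device matters.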
Overall, 2FA is much more secure than just the use of a password, but the level of security it offers does depend on the method of authentication you use. Some analysts argue that hardware keys are the most secure method, while others believe that biometric controls—when properly implemented—are most effective.
SMS codes are the most commonly used method of 2FA and, while mobile devices can be breached, it is still better to have an extra method of authentication in place, even if it is not the most secure one, than none at all.
Why Is 2FA Important—And Should Your Business Implement It?
You’ve probably heard a lot about 2FA recently, as companies are pushing two-factor authentication heavily for end users. This is because 2FA can greatly improve account security and stop some of the huge increases we’ve seen in account compromise.
This isn’t just true for consumer accounts, but for corporate accounts, too. Microsoft has recently been encouraging users to implement 2FA, as they released stats in 2020 which showed that 99.9% of Microsoft accounts that were breached by cybercriminals did not have any kind of two-step verification in place.
However, there are some indications that 2FA is not being as widely adopted as security professionals would like. Recent statistics released by Twitter showed that only 2.3% of their users had implemented 2FA for account access, a staggeringly low percentage.
And corporate accounts fare little better. Despite the clear benefits of 2FA, there has only been an 11% adoption rate of multi-factor authentication (MFA, the general form of 2FA that supports two or more authentication factors) among enterprise accounts.
Expert Insights highly recommends that all users implement 2FA on their accounts, and that all admins enforce 2FA on their corporate accounts where they can do so. As we’ve seen, MFA can prevent 99.9% of account-based attacks, as well as enable organizations to demonstrate compliance and mitigate the risks associated with home working. You can read our full article covering why businesses should implement MFA here.
How Can You Implement 2FA?
There are a number of ways you can implement 2FA.
Most enterprise and consumer applications allow users to turn on 2FA manually, often in the settings menu. This allows users to choose their preferred method of authentication and is a quick and easy way to improve account security.
Many enterprise applications allow admins to turn on 2FA for all users from the admin dashboard. Office 365, for example, allows admins to set “Security Defaults”, which require users to authenticate with a second factor, such as Microsoft’s “Authenticator” app, which enables easy access to Office 365 applications.
In O365, admins can also set “Conditional Access” policies, which govern when users should be prompted to give a second factor of authentication. These access policies can be found in the Azure Active Directory (Azure AD) in the Azure portal. Microsoft has a full guide to implementing 2FA here.
There are also a number of dedicated multi-factor authentication providers that allow admins to enforce multi-factor or two-factor authentication across all connected corporate applications. This has a number of security benefits: it enables admins to ensure all users are using 2FA, gives them more control over account security, and means they can track who has access to which accounts.
When used alongside a business password management solution, which gives admins and users the ability to easily store, secure and use much stronger passwords, 2FA can greatly improve the security of accounts, and vastly reduce the risk of account compromise.
Two-factor authentication is one of the most effective ways to increase the security of digital accounts, without requiring any complex deployments or costly security services. There are a number of reasons that implementing MFA is important for businesses. But the bottom line is that it can help to stop your accounts from being compromised—which can have devastating consequences, as we have recently seen with Colonial Pipeline.
Expert Insights highly recommends that organizations implement 2FA, and one of the best ways that this can be achieved is through the use of a dedicated multi-factor authentication solution. These services provide easy user authentication with centralized policy controls and reporting, which can vastly improve organization-wide security against account compromise and data breaches.
Joel Witts is the Content Director at Expert Insights, meaning he oversees articles published and topics covered. He is an experienced journalist and writer, specialising in identity and access management, Zero Trust, cloud business technologies, and cybersecurity. Joel has conducted interviews with hundreds of industry experts, including directors at Microsoft and Google. Joel holds a First Class Honours degree in Journalism from Cardiff University.