What is 2FA?
Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens access security. It does this by requiring two distinct authentication factors to verify your identity. These factors can include something you know — like a username and password — plus something you have — like a smartphone app — to approve authentication requests.
2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.
Why is 2FA Important?
Cybersecurity is like a game of whack-a-mole. As soon as you take steps to stop one type of attack, another pops up. Usernames and passwords were once good enough to keep an account secure. But before long, cybercriminals figured out how to get around this. Why would cybercriminals do this? Because there is lots and lots of money to be made by stealing data.
So why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication — if both are delivered over the same channel.
Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information and other data stored in applications.
Once two-factor authentication is integrated with your applications, attackers cannot access your accounts without also possessing the physical device needed to complete the second factor.
What are the types of 2FA?
There are a number of different second factors that can be used to verify a user’s identity. From passcodes to biometrics, the available options address a range of use cases and protection levels.
SMS 2FA
SMS two-factor authentication validates the identity of a user by texting a security code to their mobile device. The user then enters the code into the website or application to which they’re authenticating.
Pros
- Simplicity. SMS 2FA simply sends a confirmation code to a user’s mobile phone. Just enter the code and gain access to your information.
- Speed and access. If suspicious activity occurs, SMS 2FA sends a one-time password (OTP) to a user’s device, so only the user with that device can log in and verify that their account hasn’t been compromised. SMS 2FA is a quick way to validate the identity of a user.
- Ubiquitousness. SMS 2FA is the oldest form of two-factor authentication, so it has become a commonly accepted security protocol.
Cons
- Phone number requirements. SMS 2FA requires that users disclose their phone numbers to a third party (the 2FA provider). This makes some people uncomfortable because it raises concerns around privacy, personal security, and being targeted for advertising.
- Data network requirements. SMS 2FA requires a phone that can receive SMS messages. If a user’s phone is missing or damaged, or if they cannot access their network, they may not be able to receive their security code.
- Costs of sending SMS. You will need an SMS gateway to send SMS messages. Telecommunication companies in Australia still charge for each SMS that is sent, so your costs will add up.
TOTP 2FA
The Time-Based One-Time Password (TOTP) 2FA method generates a key locally on the user’s device. The key is generally delivered as a QR code that the user scans with an authenticator app on their mobile device, which then generates a series of numbers. The user enters those numbers into the website or application to gain access. The passcodes generated by authenticators expire after a certain period of time, and a new one is generated the next time a user logs in to an account. TOTP is part of the Open Authentication (OATH) security architecture.
Pros
- Flexibility. This type of 2FA hinges on a QR code which generates a unique passcode. Once they have this code, a user can use it across multiple devices. By contrast, SMS 2FA is restricted to the device that receives the message. TOTP 2FA is more flexible and gives the user a wider ability to access their information.
- Improved Access. Mobile authenticators are able to remember which accounts a user is trying to access — so the user can access their passcode at any time, even if they are not on a cellular or wifi network.
Cons
- Reliance on devices. TOTP 2FA requires the user to have a device capable of reading the QR code to verify their identity. If the user misplaces their device or the QR code, or if it’s stolen, they will no longer be able to access their information.
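The following is an added example, not code from the original article: a minimal TOTP generator and server-side verifier in Python (RFC 4226 HOTP under RFC 6238 time steps). It shows how the shared secret carried by the QR code produces a code that changes every 30 seconds, and how a verifier tolerates clock drift while refusing a code that has already been used. The step length, digit count and hash are the RFC defaults and are assumptions; the base32 secret used in the comments is the RFC test vector.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed parameters, the RFC 6238 defaults used by most authenticator apps:
# HMAC-SHA1, a 30-second time step and 6-digit codes.
STEP = 30
DIGITS = 6


def secret_from_base32(encoded: str) -> bytes:
    """The QR code an authenticator app scans carries the shared secret in base32."""
    return base64.b32decode(encoded.upper() + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time, so the code changes every STEP seconds."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // STEP)


def seconds_remaining(now: int) -> int:
    """Seconds until the code displayed at `now` expires."""
    return STEP - (now % STEP)


def verify_totp(secret: bytes, submitted: str, now: int, last_counter: int, skew: int = 1):
    """Server-side check. Accepts the code for the current time step or `skew` steps either side
    (tolerating clock drift), but never a step at or before the last accepted one, so a code that
    was captured and replayed after the user already used it is rejected. Returns (accepted, last_counter)."""
    current = now // STEP
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_counter or counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter
```

Store `last_counter` per user alongside the secret; the secret itself must be kept as carefully as a password hash would be, since anyone holding it can generate valid codes.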
Push-Based 2FA
Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security, while improving ease of use for end users. Push-based 2FA confirms a user’s identity with multiple factors of authentication that other methods cannot. Duo Security is the leading provider of push-based 2FA.
Pros
- Phishing security. Other types of two-factor authentication are susceptible to phishing attacks, but push-based 2FA combats that vulnerability by replacing access codes with push notifications. When the user attempts to access their information, a push notification is sent to the user’s phone. The notification includes information about the login attempt, such as location, time, IP address, and more. The user simply confirms that the information is correct and uses their phone to accept the authentication request.
- Ease of use. Once set up, push-based 2FA streamlines the authentication process. If the information sent through the push notification is correct, the user simply accepts the login attempt through their mobile device and is able to access their account.
- Scalable. Push-based 2FA can easily be scaled for organizations needing to secure multiple users. The ease of use allows teams to onboard the software and train teams on how to use it efficiently. Since every access attempt is confirmed with a mobile device, there are no SMS codes to enter or QR codes to save.
Cons
- Reliance on data access. Push-based 2FA sends its notifications through data networks like cellular or wifi networks. The user must have data access on their mobile device to use the 2FA functionality.
- Reliance on user knowledge. Push-based 2FA fights phishing by allowing the user to validate the location and other details associated with the login attempt. Security breaches may occur in cases when the user doesn’t pay attention to or correctly read information like the IP address and login location.
WebAuthn
Created by the FIDO (Fast IDentity Online) Alliance and W3C, the Web Authentication API is a specification that enables strong, public key cryptography registration and authentication. WebAuthn (Web Authentication API) allows third parties like Duo to tap into built-in capabilities on laptops, smartphones, and browsers, letting users authenticate quickly and with the tools they already have at their fingertips.
Pros
- Convenience. All you need is a supported web browser, operating system and authentication method — such as a biometric indicator, a security key (such as a YubiKey), or a system-local PIN — for phishproof access.
- More secure. WebAuthn is one of the more secure 2FA methods available today. It allows web applications to trust a strong biometric authentication as a credential that is specific only to that service — which means no more shared passwords. We now have a secure means to generate, store and utilize a credential whose attributes are unknown to the user and thus can’t be stolen and exploited.
Cons
- Complex account recovery. In the modern workplace, work doesn’t stop when a security issue arises. Perhaps an employee loses their phone, or someone reports an unauthorized access attempt. Security measures help control these threats, but employees are expected to be back up and running and working as normal shortly after the incident. Many 2FA solutions make this relatively easy — a systems administrator can help with account recovery. A WebAuthn credential, however, is strongly tied to a specific individual device, making account restoration more difficult. For that reason, it’s still recommended that users have another out-of-band form of authentication to fall back on, should they lose access to their WebAuthn authenticator.
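Added example, not code from the original article or from any WebAuthn library: the relying-party checks that make a WebAuthn credential "specific only to that service", written in plain Python. The browser records the origin in clientDataJSON and the authenticator binds the assertion to a hash of the RP ID, so an assertion produced on a look-alike site fails these checks before any signature is examined. The RP ID, origin and challenge values are constructed for the example; signature verification with the stored public key is the final step of the real procedure and is not shown.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party (RP) configuration, constructed for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it; the origin field is filled in by the browser, not the page."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Constructed 37-byte authenticatorData: SHA-256(rpId) || flags || 4-byte signature counter.
    Flags 0x05 = user present (UP) and user verified (UV)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def binding_failures(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> list:
    """RP-side checks from the WebAuthn assertion procedure that run before signature verification.
    Returns the names of the checks that failed; an empty list means the assertion is bound to this
    RP and to this login attempt. Verifying the signature over authenticatorData || SHA-256(clientDataJSON)
    with the credential's stored public key comes after these checks and is not implemented here."""
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        failed.append("challenge")   # stale or reused challenge: a replayed assertion
    if client.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")      # a look-alike site carries a different origin, however convincing its page
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")    # the credential was scoped to a different RP ID
    if not authenticator_data[32] & 0x01:
        failed.append("user-presence")
    return failed
```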