Date: 2017-12-01

It's nearly impossible to truly secure an online or mobile account with just a password. Data breaches, malware, device theft, and myriad other methods can be used to compromise digital passwords, no matter how secure they are.

Anyone with sensitive information protected by a password needs to have a second method of securing their account, hence two-factor authentication. There are various ways to protect accounts via two-factor authentication: biometrics, one-time passwords, verification codes, and other methods all add another layer of security.

Regardless of the method, one thing is for sure: Two-factor authentication is necessary no matter how inconvenient users think it is.

TechRepublic's two-factor authentication resource guide is an introduction to this essential element of cybersecurity. This guide will be updated periodically when there is new information to share about two-factor authentication.

Executive summary

What is two-factor authentication?

Two-factor authentication is a supplement to a digital password that, when used properly, makes it harder for a cybercriminal to access a compromised account. Two-factor authentication is also referred to as 2FA, two-step verification, and two-step authentication.

Two-factor authentication is not to be confused with multi-factor authentication (MFA), of which 2FA is a subset. MFA refers to any kind of system that relies on more than one method of identification to verify you're the appropriate person to be using the account. If, for example, you use a password, a one-time code, and then a fingerprint to log into a system, you're using MFA but not 2FA because you're using three distinct items.

How does two-factor authentication work?

Two-factor authentication requires, along with a password, a second form of identity verification. After successfully logging in to an account with a password, the user is prompted to either confirm their identity using a one-button push with a verification app or input a random security code from a text, email, or physical key.

The second factor is, ideally, harder to spoof than a password; it requires something the legitimate user has physical access to, like a smartphone or a security key, which leaves a hacker stuck even if they have the correct password to the account. Two-factor authentication is available for Apple ID, Google, Facebook, and Twitter accounts, bank websites, and other services—it's often as simple as enabling the option.

If your business is looking for a two-factor authentication provider, there are a lot of options. Once you select a 2FA provider, users can expect to use biometrics (like Touch ID and Face ID), authenticator apps, SMS authentication, email authentication, or a physical security key to authenticate an account.

Each method has its pros and cons, and two-factor authentication shouldn't be relied on to be the end-all, be-all of account security. Each of those methods can be cracked by someone with enough knowledge or drive.

SMS and email authentication, easily the most ubiquitous, are also the most easily cracked. Text messages aren't secure and can be intercepted, and email accounts can be hacked. Biometrics can be fooled, and the methods of authenticating them can be hacked as well. Apps can be a problem when migrating to a new mobile device, and physical security keys can be lost.

Regardless, two-factor authentication is very low effort for a lot of added security. Sure, it isn't 100% foolproof, but nothing is.

Also, it can be annoying to have to wait for Google, or any other service provider, to send you a verification code by text message or QR code, but it's essential to protecting your account. That code is an example of two-factor authentication in action: Your password is the first factor, and the code sent to your phone is the second. Now, if your Gmail password is stolen and a hacker tries to log into your account, two-factor authentication would block that person because the code is sent right to your device, which also notifies you that someone who has your password just tried to log in.

Why does two-factor authentication matter?

Two-factor authentication matters to everyone—in particular, security professionals and anyone who uses digital passwords.

If it's in an account on the internet, it's safe to assume that it's fair game for hackers to try gaining access to it. A password is usually only a stumbling block to getting ahold of your business or personal information.

It seems like we've hardly gone a week without news of a massive data breach affecting millions of people. The information that's stolen, in many cases, includes usernames and passwords that could allow cybercriminals access to accounts. If those users have two-factor authentication active on their accounts, they won't need to worry nearly as much.

To the individual user, two-factor authentication matters because it protects personal information like email, financial records, social media, and other sensitive information. Businesses need two-factor authentication to protect company secrets from being spilled out into the ether too, and they should be sure users, both internal and external, are using it.

How secure is two-factor authentication?

Anyone who has spent time online knows it's a bad idea to put all their security eggs in a single basket, and two-factor authentication is no exception.

As CNET reported several years ago, RSA's physical security tokens were hacked, so even systems you think are secure (like random number generators) can be exploited.

The biggest security hole in two-factor authentication, and the one most often exploited, is social engineering. An enterprising hacker doesn't need to try to crack two-factor authentication security when they can simply call a support line, pose as you, and get your password reset.

Software developer Grant Blakeman had that exact thing happen to him in 2014. An attacker who wanted access to his Instagram account managed to get his cell phone provider to forward his number to a different number. From there the attacker received a Google account two-factor authentication code, "which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account."

Blakeman had done everything right: He used a password manager to generate long, unique passwords for each account, used two-factor authentication on Google, and was generally fastidious in his online hygiene. But that didn't matter when a smart enough attacker wanted access.

So is two-factor authentication safe? In and of itself, yes. It's rare that two-factor authentication methods are cracked. The most exploitable weakness, yet again, is humans.

How do I start using two-factor authentication?

Using two-factor authentication on consumer services like Apple ID, Google, Facebook, Twitter, bank websites, and others is often as simple as turning the service on.

There are far too many sites using two-factor authentication to list them all here, so if you want to find out whether a particular one uses it, head over to Turn It On: The Ultimate Guide to Two-Factor Authentication (2FA). The free service, provided by TeleSign, contains a searchable list of sites that use two-factor authentication and instructions for how to activate it.

Businesses can choose from a variety of two-factor authentication providers, including OneLogin, Yubico, or Okta, which offer 2FA as a service that can be plugged into existing computer systems. There are a lot of providers to choose from, and finding the right one for your business will likely take some research.

The bottom line in two-factor authentication is that it's essential. Yes, the right combination of technical know-how and confidence scamming can crack even the most secure systems, but for the average user in the average situation, two-factor authentication can make all the difference.

