Two-factor authentication (2FA), also called multiple-factor or multiple-step verification, is an authentication mechanism to double-check that your identity is legitimate.
When you want to sign into your account, you are prompted to authenticate with a username and a password – that’s the first verification layer. Two-factor authentication works as an extra step in the process, a second security layer, that will reconfirm your identity.
Its purpose is to make attackers’ lives harder and reduce fraud risks. If you already follow basic password security measures, two-factor authentication will make it more difficult for cybercriminals to breach your account. However, you shouldn’t expect it to work like a magic wand that will miraculously bulletproof your accounts. It can’t keep the bad guys away forever, but it does reduce their chance to succeed.

What are the Authentication Factors?
There are three main categories of authentication factors:
- Something that you know: This could be a password, a PIN code or answer to a secret question.
- Something that you have: This is always related to a physical device, such as a token, a mobile phone, a SIM, a USB stick, a key fob, an ID card.
- Something that you are: This is a biometric factor, such as face or voice recognition, a fingerprint, DNA, handwriting or a retina scan. However, some of these are quite expensive, so, unless you work in a top secret / Mission Impossible kind of facility, you probably don’t have this kind of authentication method implemented.
Time and location factors can also be used. For example, if you log into your account and someone tries to log in from a different country 10 minutes later, the system could automatically block them.
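As an added example (not code from the article), here is how a service could implement the time-and-location check just described in Python: each login is recorded with a timestamp and coordinates, the great-circle distance between a user’s consecutive logins is divided by the time between them, and any implied speed above a plausible maximum is flagged for a block or a step-up challenge. The sample events, the 1000 km/h threshold and the `LoginEvent` structure are assumptions made for the illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: anything faster than an airliner is treated as impossible.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class LoginEvent:
    user: str
    unix_time: int   # seconds since the epoch
    lat: float       # degrees, from the source IP's geolocation
    lon: float       # degrees


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: LoginEvent, curr: LoginEvent) -> float:
    """Speed the user would have needed to get from the previous login
    location to the current one in the time elapsed."""
    hours = (curr.unix_time - prev.unix_time) / 3600.0
    distance = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    if hours <= 0:
        # Simultaneous logins from two different places are impossible too.
        return math.inf if distance > 0 else 0.0
    return distance / hours


def is_impossible_travel(prev: LoginEvent, curr: LoginEvent,
                         max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> bool:
    if prev.user != curr.user:
        raise ValueError("compare logins of the same user only")
    return implied_speed_kmh(prev, curr) > max_speed_kmh


def flag_sessions(events: List[LoginEvent]) -> List[LoginEvent]:
    """Group logins by user, walk them in time order and return the logins
    that should be challenged or blocked."""
    by_user: Dict[str, List[LoginEvent]] = {}
    for e in sorted(events, key=lambda e: e.unix_time):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for logins in by_user.values():
        for prev, curr in zip(logins, logins[1:]):
            if is_impossible_travel(prev, curr):
                flagged.append(curr)
    return flagged


if __name__ == "__main__":
    # Constructed sample: New York, then London ten minutes later.
    T0 = 1_700_000_000
    nyc = LoginEvent("alice", T0, 40.7128, -74.0060)
    london = LoginEvent("alice", T0 + 600, 51.5074, -0.1278)
    boston = LoginEvent("bob", T0 + 4 * 3600, 42.3601, -71.0589)
    bob_nyc = LoginEvent("bob", T0, 40.7128, -74.0060)
    for e in flag_sessions([nyc, london, bob_nyc, boston]):
        print(f"challenge {e.user}: implied speed too high at {e.unix_time}")
```

In a real deployment the coordinates come from IP geolocation, which is coarse and sometimes wrong (VPNs, mobile carriers), so the flagged login is better treated as a trigger for a second factor than as an automatic ban.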
Why Should I Activate Two-Factor Authentication?
Passwords on their own aren’t as infallible as we need them to be. Cyber attackers have the power to test billions of password combinations in a second.
What’s even worse, 65% of people use the same password everywhere. That’s much like having only one key for your house and your car.
Answers to security questions are also easy to find out, especially now that we willingly share all the details of our lives on social networks and blogs. Anyone who interacts with us on a daily basis can find out the answers to common security questions, such as your graduation year, the city you grew up in or your first pet’s name.
Even if you don’t give these out in your Facebook profile, some can be found through public records, available for anyone who cares to look. Others can be cracked simply by entering common names.
This is where two-factor authentication comes in handy. It offers you an extra layer of protection besides passwords. It’s hard for cyber criminals to get hold of the second authentication factor; they would have to be much closer to you. This drastically reduces their chances of success.
Two-Factor Authentication is a Must-Have for:
- Online banking
- Online shopping (Amazon, PayPal – though it’s only available for a few countries)
- Email (Gmail, Yahoo, Outlook)
- Cloud storage accounts (Dropbox, Box, Sync)
- Accounts on social networks (Facebook, Twitter, Linkedin, Tumblr)
- Productivity apps (Evernote, Trello)
- Password managers (LastPass)
- Communication apps (Slack, Skype, MailChimp)
How to Get it Working
Because nowadays almost everybody has a mobile phone and carries it around everywhere they go, it has become one of the most popular methods for two-factor authentication.
In order to verify your identity, you can use a one-time code that you receive on your mobile device through SMS, or you can generate it with a dedicated mobile app.
SMS delivery has some big advantages, as well as disadvantages. On the one hand, it’s easy to configure and you don’t need a smartphone to receive the codes via SMS. However, if you travel a lot, the delivery of the text message may be delayed. It won’t work at all if you are out of the network’s range.
This solution also depends on your phone’s security. An attacker may be able to clone the SIM card or redirect the traffic to a new number.
If you have multiple accounts where you activated two-factor authentication, you can skip receiving codes via SMS and instead use a mobile app to generate two-factor authentication codes.
Examples of 2FA Mobile Apps:
- Google Authenticator
- Authy
- Microsoft Authenticator
These apps use the Time-Based One-Time Password (TOTP) algorithm. They generate a unique, time-sensitive six-digit code that you can use to sign in to your account. A code will typically work only for 30 seconds – after that, the app generates a new one.
After the initial set up, you can use the app without a network connection.
Accounts we Strongly Recommend 2FA For:
- Google/Gmail
- Facebook/LinkedIn/Instagram
- Dropbox
Like all other security measures, multiple-factor verification methods are also vulnerable to attacks.
Their efficacy depends on many things, such as the chosen authentication method and the security of the channel used to deliver or submit the second authentication factor.
Scenarios Where an Attacker Could Bypass 2FA:
- They could gain access to the second factor itself. They could steal your phone, your card or your token. Text messages sent to your mobile phone can be intercepted.
- Through a Man-in-the-Middle attack. They could use a Trojan horse to manipulate the communication between you and your web browser and launch the attack against the 2FA.
- With real-time phishing. The attacker will ask for the one-time password and use it immediately.
Basic Password Security
Remember that two-factor authentication isn’t worth the extra effort unless you use it alongside strong passwords.
- Use Strong Passwords: They should be at least 12 characters long and contain upper- and lower-case letters, numbers and symbols.
- Use Unique Passwords: They should be different for every account of yours. Never recycle them.
- Change Your Passwords Regularly: And never write them down – not in a document that you saved in Cloud or on your Desktop, not in a mail draft, not on a handwritten note that you keep on the desk.
You can use a Password Manager – a service that encrypts all your saved passwords. This way, you’ll only have to remember one password, the one for your password manager account.
If you follow these steps, together with some basic computer security, you can drastically reduce the chances of an attack.
Other Challenges
Although it first appeared 28 years ago, two-factor authentication started to be implemented only recently and it’s not universally available (yet).
One of its main challenges is that it’s still quite expensive for companies to implement it. They have to cover all the possible scenarios – different devices, different usage habits, from different locations. It’s hard to estimate a transaction volume and the expenses for sending passwords through text messages depend on the locations.
Companies also use the excuse that users consider multiple-factor authentication to be an inconvenience.
Except for those who are security savvy or have experienced an unpleasant episode related to their cyber security, people aren’t eager to jump on the two-factor authentication bandwagon. They don’t understand its importance and consider that performing the additional steps to turn on two-factor authentication is not an easy thing to do.
As data breach cases become increasingly common, it will also be critical for companies to implement extra security layers, and for users to start embracing them. Even more, two-factor authentication should be mandatory and activated by default, right from the moment when a user wants to register.
Conclusion
Having a password and an extra authentication factor does not make your account 100% secure. It’s not a magic wand that will make your account unhackable. No, it only makes it more difficult to breach.
Hopefully, an attacker will move on to another target, one that is less protected, rather than spend a lot of time and energy trying to breach your second authentication factor.
But, as two-factor authentication methods become more popular, new ways for attackers to crack them will also pop up. It’s just how the security game is played.