What Is Two-Factor Authentication (2FA)?
Hardly a day goes by without a high-profile data breach hitting the headlines. In fact, there were an eye-watering 5,250 confirmed data breaches in 2021 and hundreds of millions of individual victims[1]. And for the targets of these cyberattacks, the impact is far greater than a temporary panic. When cybercriminals compromise consumer accounts, they can go on unauthorised spending sprees or commit online identity fraud. And for companies, data breaches can cause irreparable harm in the form of severe financial and reputational losses.
Most of these breaches are caused by stolen or weak credentials (username and password combinations)[2]. Luckily, there is a simple solution to this problem. Companies can strengthen their online account security by adding an extra layer of protection called two-factor authentication. But what exactly is 2FA, and how does it work? Let's get into it.
What Exactly Is Two-Factor Authentication (2FA)?
Two-factor authentication is a type of multi-factor authentication (MFA) that requires two authentication methods to verify a user. With cybercrime on the rise, experts quickly realised that the single-factor authentication (SFA) that we've been using for decades simply wasn't enough. SFA is typically a password - a string of letters and numbers only you know.
However, while still very popular, passwords come with several significant security flaws. For example, a study by Google found that 65% of people reuse passwords across multiple sites. Whatsmore, another survey found that a whopping 91% of respondents said they understand the risk of reusing passwords, yet nearly 60% do it anyway[3]. Password reuse is great for cybercriminals because it means they can potentially access all of your accounts, not just the one they originally hacked.
And this is where 2FA comes in. With an extra layer of security, cybercriminals find themselves locked out of your accounts even if they have the correct username and password combination.
How 2FA Works
2FA uses a combination of the following:
- Something you know (Knowledge): This is the most commonly used form of authentication and includes passwords, PINs, or security questions. By itself, knowledge isn't always enough to secure an account. We've already touched on password reuse, but other risks exist too. For example, keylogging malware can eavesdrop on you as you type your password. Additionally, the answer to a security question like "where were you born?" might be known to many people.
- Something you have (Possession): This method relies on verifying your identity with something you possess, like a phone, smart card, USB token, or RF ID badge. A typical example is receiving an SMS on your phone with a unique temporary code. Another example is hardware and software tokens that produce time-based, one-time passcodes.
- Something you are (Inherent): This is something integral to your identity and unique to you, like your fingerprint, facial features, voice pattern, iris patterns, and other forms of biometrics.
These are the most common authentication methods, but a fourth and fifth factor is increasingly coming into play in the security landscape - location and behaviour. Location authentication uses geolocation security checks to verify you're somewhere you're supposed to be. So, for example, an access request coming from an IP across the world would fail this check. Behaviour-based authentication can vary widely in complexity but typically involves analysing how a user interacts with a device, such as how you move your mouse across the screen, how fast you type, etc.
2FA Is the Way Forward
With cybercrime rising year on year, online account security has never been more critical. But unfortunately, far too many companies are still relying solely on passwords to protect their sensitive data. This has to change - now is the time to implement two-factor authentication.
[1] https://www.varonis.com/blog/data-breach-statistics
[2] https://www.kaspersky.com/resource-center/definitions/data-breach