Two-factor authentication (2FA) is an identity verification methodology requiring a user to provide two distinct forms of authentication, such as a password and a one-time code.
2FA aims to introduce an additional layer of security to protect against unauthorized access in the case of a password breach. It is widely used to secure online accounts and apps, including cryptocurrency exchanges, wallets, and other Web3 dapps and services.
Most users will be familiar with the steps to pass a 2FA check. The types of information required for these steps are carefully chosen to minimize the chances of an attacker gaining access to both at the same time.
How 2FA works
2FA is one type of multi-factor authentication, which means any security system where more than one authentication factor is required. Authentication factors are categorized into different types. To qualify as a 2FA system, the identification steps should use two different types of authentication factors.
Knowledge factors
The first stage of a 2FA login usually requires a knowledge factor – something that the user knows. This could be a password or a PIN code.
Security questions, such as a mother’s maiden name or the name of a high school, also count as knowledge factors. Therefore, requiring a security question answer as well as a password does not count as a true 2FA system.
Possession factors
A possession factor is often used as the second stage of a 2FA login. This relies on the user having something in their possession – most typically the means to receive or generate a one-time password (OTP) – that they can use to prove their identity.
OTPs may be provided in various ways, such as by SMS or email or as backup codes to print out and keep safe. Another method that has become more widely used is authenticator apps installed on the phone, such as Google Authenticator, Microsoft Authenticator, or Authy, which generate OTPs automatically.
Some apps now also use push notifications to confirm logins. For instance, when a user tries to access a particular online account, the relevant app will generate a push notification to confirm that access should be allowed.
Finally, hardware tokens can also act as a possession factor. These are often used in a corporate setting and may take the form of a USB dongle that either plugs into the user’s laptop or generates OTPs.
Inherent factors
Biometric data, which is inherently unique to each individual, is also commonly used as a factor in 2FA systems on devices such as phones and laptops. The user is required to scan their fingerprint, face, or retina to verify their identity.
Benefits of 2FA
The main benefit of 2FA is security. If a password becomes compromised, it doesn’t enable access to the account by itself. Furthermore, 2FA makes it more difficult for hackers since they need access to both forms of authentication to breach an account.
2FA is so widely accepted as a security standard that it has become a regulatory requirement for payment services firms in certain jurisdictions.
For example, the EU’s Payment Services Directive 2 instructs payment service providers to enable “strong customer authentication” comprising multi-factor authentication on user accounts when they are carrying out particular activities.
Limitations and drawbacks of 2FA
Despite substantial security benefits, 2FA systems are not foolproof and may still be breached by more sophisticated cyberattacks.
Knowledge factors can be susceptible to cyberattacks using a variety of methods. Hackers install malware that can intercept passwords or launch social engineering attacks such as phishing to extract information from users.
Possession factors also have some vulnerabilities depending on the method used. SIM-swapping attacks involve a hacker collecting enough information about a user (via phishing or other means) to convince a mobile carrier that the victim’s phone has been stolen and have the number ported to a new SIM. In this way, they can intercept OTPs sent by SMS. Phones and hardware tokens can also be stolen.
Biometric data is typically seen as very secure since it’s unique to the user. However, biometric data must be stored with the highest security since the risks of it being stolen and replicated are far bigger than for data that can be quickly changed, such as a password.
Staying safe online with 2FA
Despite some limitations, it’s advisable to use 2FA to secure online accounts wherever it’s available, particularly for apps and services like cryptocurrency wallets and exchanges involving financial transactions.
Furthermore, always make sure you take security precautions to keep your funds and data safe online. Along with enabling 2FA, practices such as regularly changing passwords, using a password manager, and only using reputable providers and services can help keep your accounts secure against attackers.
It’s also worth taking some time to understand the types of schemes and tactics that online attackers and scammers use to steal funds and data, so you know what to look out for and avoid.
2FA essentials
- Two-factor authentication (2FA) means you must provide two separate forms of authentication to access an account or service.
- For security reasons, the two factors must be of different types, such as a password (knowledge factor) and a one-time password (possession factor).
- Despite offering significant security benefits, 2FA is not infallible, and users should take precautions to avoid attacks such as phishing.