Term: Two-factor authentication


Two-factor authentication is a mechanism for verifying identity that requires two pieces of evidence drawn from two different categories (factors), both of which must be correct before access is granted.

Traditionally, authentication has taken the form of something you know: a password, perhaps with the answers to a set of security questions. Because this rests purely on knowledge (if you know the password, you must be authorized to use this account), it is easily transferred from one person to another, intentionally or otherwise: written down, guessed, phished, or leaked in a data breach.

The most common form of two-factor authentication adds something you have to the requirements. You must prove that you are in possession of a specific physical object, typically a device holding a secret that only it and the authenticating service know.

A popular implementation is the key-chain fob or smartphone application such as Google Authenticator that displays a six-digit number changing every 30 seconds. The number is produced by a cryptographic algorithm (the time-based one-time password, TOTP, standardised in RFC 6238): the device computes an HMAC over the current 30-second time step using a secret key that was shared with the service when the account was enrolled, and truncates the result to six digits. The service holds the same secret and performs the same computation, so it can check the number you enter. Anyone without the secret cannot predict the next code, and a code observed once is useless a minute later.

You then prove you have your phone or key-chain fob by entering the number displayed on it when requested. Two caveats apply: because the secret is shared, a breach of the service's user database exposes every enrolled seed, and because the code is simply typed in, a phishing page can relay it to the real site within its 30-second validity. Authenticators based on public-key challenge-response (FIDO2/WebAuthn) avoid both weaknesses.

Another factor that can be used is something you are, which typically boils down to facial recognition, fingerprint scanning, or other biometric measurement.

Any one of these (something you know, something you have, or something you are) can be used on its own as the very common single-factor authentication, but requiring factors from more than one category increases security dramatically, because an attacker must defeat two independent mechanisms. Two items from the same category, such as a password plus security-question answers, are still a single factor. Two-factor authentication naturally requires two; it is a subset of multi-factor authentication, which can require two or more.

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data, which may include personal identification or financial assets, from being accessed by an unauthorised third party that may have discovered, for example, a single password.

A third-party authenticator (TPA) app enables two-factor authentication by displaying a frequently changing one-time code for the user to enter during login. The code is not random: it is derived from a secret shared with the service and the current time, which is what lets the service verify it.
