The number of factors required for each authentication method is reflected in its name: single-factor authentication (SFA) uses one factor, two-factor authentication (2FA) uses two, and multi-factor authentication (MFA) uses two or more.
If one factor is compromised, the others are unlikely to be compromised as well, so requiring users to authenticate with additional factors gives greater security. The goal is to balance the security needed to protect online resources against the user experience, and to make the overall authentication process as painless as possible. Verifiable information falls into three categories: something the user knows (such as a password or PIN), something the user has (such as a smartphone or hardware fob), and something the user is (such as a fingerprint or retina scan).
To learn more about the most common types of verifiable information used and the pros and cons of each, see Authentication.
Single-factor authentication (SFA)
SFA requires users to provide one piece of verifiable information, typically a username and password, to authenticate. Note that a username and password together still count as a single factor, because both are something the user knows.
Two-factor authentication (2FA)
The two pieces of verifiable information requested must come from different categories; a password plus a second password, or a password plus a security question, is still one factor. For example, sign-on processes might require that users provide their usernames and passwords (something they know) and a fingerprint (something they are) to access their systems and applications. Or sign-on processes might require that users provide their usernames and passwords (something they know) and proof that their smartphone is in their possession (something they have).
Multi-factor authentication (MFA)
As with 2FA, the pieces of verifiable information requested must come from different categories. Sign-on processes might require that users provide their usernames and passwords (something they know) and also either something they have, such as a fob or smartphone, or something they are, such as a fingerprint or retina scan.
Two-factor authentication (2FA) is a security system in which a user trying to access a system or application must prove their identity in two distinct ways instead of with just a password. This article explains two-factor authentication in detail and lists its benefits, process, and best practices in 2021.

Today, a typical enterprise runs on many assets: software-as-a-service (SaaS) solutions and third-party applications, covering everything from services as mundane as email to operations as sensitive as accessing customer data. For each of these, employees are granted credentials, and to keep those credentials from becoming a security hole, employees need to practice good password hygiene. Good password hygiene means choosing long passwords that are hard to guess (a mix of letters, numbers, and symbols, or a long passphrase), never reusing a password across applications, and rotating a password when a compromise is suspected; the older advice to change passwords at fixed intervals is no longer recommended by NIST SP 800-63B, because it pushes users toward predictable variations. Even so, all of this leaves a lot of room for human error. Misplaced passwords and trivially guessable ones (e.g., 12345) are the weakest links in enterprise security, and attackers are well aware of this: if brute force does not work, they turn to phishing and other social engineering attacks to obtain user credentials. According to Verizon's 2020 Data Breach Investigations Report, over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. An organization's security posture clearly hinges on how well-guarded its resources, applications, and services are. Despite multiple layers of infrastructure security, the effective level of security often boils down to how strong the passwords actually are. All of this points to the fact that an organization cannot rely on traditional passwords alone. This is where two-factor authentication comes into the picture.
Simply put, 2FA requires two steps to authenticate. The first step is usually a traditional password (something the user knows), while the second step draws on a different category: something the user has, such as a one-time password (OTP) from an app or text message, a key fob that generates codes, or a push notification approved on a registered mobile device; or something the user is, such as a fingerprint. This extra step ensures that even if attackers obtain the password, they still need something the user personally possesses in order to get in.

Two-factor authentication is a subset of multi-factor authentication (MFA). MFA means two or more factors; 2FA is the case of exactly two, while some MFA deployments require three. Deployments with more than two factors are usually found at entry points to mission-critical resources. For example, a banking app may require users to enter a password as a first step, a time-bound one-time password as a second step, and a fingerprint scan as a third for extra security. 2FA is, however, the most common form of MFA, especially for customer-facing services.

Types of 2FA implementation

1. Employee-facing 2FA
This is 2FA at an internal, corporate level, typically applied to email, VPN, remote access, and third-party services such as file-sharing apps and cloud repositories. Companies must ensure that the implementation is uniform throughout all levels of the organization, since attackers look for the one account or service that was left without it.

2. Customer-facing 2FA
This is a layered authentication process that consumers of an organization's products, applications, or services go through for extra security. We most often encounter customer-facing 2FA with banking services, where it is implemented to honor SLAs and maintain regulatory compliance. Two-factor authentication isn't just a matter of security: depending on the industry the organization operates in, it may be a regulatory mandate as well.
Some industries that commonly employ 2FA are healthcare (subject to stringent HIPAA regulations), ecommerce, social media, and education (the COVID-19 pandemic having pushed most education online across the world).

2FA example
An example of two-factor authentication in social media is Instagram, which by default asks for just a password to sign in but lets users add a second step using a security code delivered by text message or generated by an authenticator app. This is a wise option to enable, especially for influencers whose brand depends on their Instagram feed; of the two, the authenticator app is the stronger choice, since text messages can be redirected by SIM-swap fraud.

Key Benefits of Two-Factor Authentication
The key benefits of a two-factor authentication system include:

1. Shrinks the attack surface by reducing human error
A business is only as strong as its weakest password, and maintaining dozens of passwords with proper hygiene is difficult. It is no surprise that cyberattacks predominantly target access points that require just a password. 2FA is a big step toward increasing security: a stolen or guessed password alone is no longer enough. Note, though, that factors are not all equal. A code delivered by SMS or generated by an app can still be relayed by a real-time phishing site within its validity window, whereas origin-bound factors such as WebAuthn cannot be phished this way.

2. First step toward a zero-trust security model
A zero-trust security model assumes that every device, application, user, and network, whether internal or external, is untrusted until verified and needs extra security measures in place. This is hardly surprising, considering that cybercrime is predicted to cost the world $10.5 trillion annually by 2025. The first step toward a perimeter-less security strategy is to guard all access points with strong authentication.

3. Allows enterprises to embrace BYOD policies
The COVID-19 pandemic has led to an unexpected uptick in the number of remote users.
Companies that weren't even considering BYOD policies in the past have been forced to deal with external networks and devices accessing their systems. A two-factor authentication system forces companies to enumerate their BYOD scenarios and deploy appropriate authentication measures for each.

4. Helps comply with industry regulations
Guidance such as the Federal Financial Institutions Examination Council (FFIEC) authentication guidance calls for multi-factor authentication for higher-risk internet banking transactions. When such mandates regulate the industry, the most direct way to comply is to implement a two-factor authentication process.

5. Leverages hardware advancements in everyday life
Computing has advanced in leaps and bounds over the years. The general public now carries powerful hardware in their pockets, much of it with fingerprint or face sensors and secure elements that can hold cryptographic keys, and new capabilities reach users every few months. It only makes sense to leverage this hardware for authentication and so secure personal data.

There is no doubt that two-factor authentication benefits businesses of all sizes. The next section covers what the 2FA process entails and what it takes for businesses to implement it successfully.

Two-Factor Authentication Process Explained
Two-factor authentication, like all multi-factor authentication processes, runs on the principle of 'factors'. When we say that the user goes through two steps of authentication, we mean that two factors are verified for that user. The most effective 2FA implementations combine factors from different categories.
Which factors each organization uses depends on several things:
- Is the deployment customer-facing or employee-facing?
- What devices and applications are available to the users trying to gain access?
- At which points in the application or system is two-factor authentication enforced?

Levels of 2FA
Components of 2FA
Let's understand the seven components of 2FA in detail.

1. Tokens
Tokens are the secrets or one-time values a user presents for authentication. There are different types. Hard tokens are generated by dedicated hardware such as USB devices and key fobs; soft tokens are generated by software on a device the user already owns, most commonly a mobile phone. The most basic 2FA capability supported by applications and services is a one-time code delivered to the user by text message or voice call. It is also the weakest form: SMS can be intercepted or redirected through SIM-swap fraud and weaknesses in carrier signalling, which is why NIST SP 800-63B classes out-of-band codes over the phone network as a restricted authenticator.

2. Push notifications
The service pushes a notification to the user's registered device describing the access request, with details such as the location, the originating device, and the IP address. No code is typed; the user approves the request in an authenticator app. Because nothing travels over SMS or voice, this removes the interception risk of text and voice codes. It does not, however, stop an attacker who already holds the password from sending prompt after prompt until a tired user taps approve (MFA fatigue, or prompt bombing); number matching, where the user must type a number shown on the login screen into the app, closes that gap.

3. Biometrics
These are not codes but fingerprints, facial maps, and retina patterns. Biometrics are an inherence factor and require the appropriate sensor hardware. In practice they usually unlock a key held on the device (as with a phone's fingerprint reader) rather than being transmitted to the server.

4. Time-based one-time password (TOTP)
A TOTP authenticator (RFC 6238) is enrolled by sharing a secret key between the service and the user's authenticator app, usually by scanning a QR code that encodes the secret. From then on the app derives a short code (typically six digits) from the secret and the current time, valid for one time step (usually 30 seconds), and the server performs the same computation and compares. No network connection is needed at login, but a TOTP code can still be phished and relayed within its validity window.

5. U2F tokens
Universal 2nd Factor (U2F) tokens are hardware authenticators, typically plugged in over USB or tapped via NFC. Rather than displaying a code, the token holds a private key and signs a challenge from the service when the user touches its button; the touch proves user presence. Because the signature is bound to the site's origin, a look-alike phishing site cannot obtain a valid response.

6. WebAuthn
The Web Authentication API (WebAuthn), a W3C standard and part of FIDO2, lets websites and applications use the built-in authenticators of laptops, phones, and browsers (platform authenticators) as well as roaming hardware keys. It uses public-key cryptography: a key pair is created per site at registration, the private key never leaves the authenticator, and each login signs a server challenge bound to the origin. This is one of the most secure, phishing-resistant forms of authentication, though credentials are tied to the device or authenticator on which they were created, so users should enroll more than one authenticator.

7. Authenticator
In this article the authenticator is the server-side hardware or software that verifies the tokens presented and accepts or denies the access request (in FIDO terminology this component is the relying party, and 'authenticator' refers to the user's device). Within an organization this is a uniform system that creates user sessions and usually works in sync with other systems such as identity and access management (IAM) solutions. It is deployed as software, hardware, or a combination of both, and organizations can also opt for a third-party service. A key piece of this process is how the authenticator is linked to the organization's authentication data: stored password hashes (never reversible encryption, so that a database leak does not expose passwords), TOTP seeds, registered public keys, biometric templates, and so on. Whether an internal system or a third-party solution, this communication must be done with security and compliance in mind.

Setting up two-factor authentication
When designing an authentication process, organizations need to identify all access points across the system. Once these points are identified, stakeholders must decide which of them require 2FA for increased security. A centralized management console (usually part of the IAM) is used to configure the factors required at each of these points, tied to access policies. Adaptive authentication, or context-based authentication, uses conditional policies to grant access; the policies are triggered by how, when, and from where the login request arrives. Within the same system, application A may be configured to use a traditional password and a text-based OTP, while a more critical application B may add adaptive time- and location-based checks and require a stronger second factor. New forms of tokens and authenticators are constantly coming up.
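As an added example (not the article's own code, nor from any product it mentions), here is a stand-alone Python implementation of component 4 above, a TOTP second factor as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP), together with the single-use backup codes that the recovery best practice later in this article calls for. The step size, digit count, skew window, the SecondFactor class, and its method names are this example's own choices; the secret is the RFC 6238 test-vector key so that the codes it produces can be checked against the RFC's table.

```python
# Added example, not code from the article: a minimal TOTP second factor
# (RFC 4226 HOTP / RFC 6238 TOTP) plus single-use, hashed backup codes for
# recovery.  Standard library only.  Secrets and timestamps below are
# constructed for the demonstration; the RFC 6238 test-vector secret is used
# so the output can be checked against the RFC.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most authenticator apps
SKEW_STEPS = 1      # also accept the previous and next step (clock drift)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrollment QR code encodes.  The QR code carries the
    shared *secret*; the authenticator app derives codes from it afterwards."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


class SecondFactor:
    """Server-side state for one user's second factor (example design)."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.secret = secret or secrets.token_bytes(20)   # 160-bit TOTP seed
        self.last_counter = -1                            # highest step already accepted
        self.backup_hashes: Set[str] = set()

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        """Accept a code for the current step +/- SKEW_STEPS, each step at most once,
        so a phished or shoulder-surfed code cannot be replayed inside its window."""
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if now is None else now
        counter = now // STEP_SECONDS
        for c in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

    def issue_backup_codes(self, count: int = 8) -> List[str]:
        """Recovery codes shown to the user once; only their hashes are stored."""
        codes = [secrets.token_hex(5) for _ in range(count)]   # 40-bit, 10 hex chars
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify_backup_code(self, code: str) -> bool:
        """Each backup code works exactly once and is discarded on use."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)
            return True
        return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"            # RFC 6238 Appendix B test secret
    print(provisioning_uri(rfc_secret, "alice@example.com", "ExampleCorp"))
    print("TOTP at T=59:", totp(rfc_secret, 59))    # RFC vector 94287082, last 6 digits
    user = SecondFactor(rfc_secret)
    code = totp(rfc_secret, 59)
    print("first use:", user.verify_totp(code, now=59))
    print("replay:   ", user.verify_totp(code, now=59))
    codes = user.issue_backup_codes()
    print("backup code once:", user.verify_backup_code(codes[0]))
    print("backup code again:", user.verify_backup_code(codes[0]))
```

Two checks are worth noting. The replay guard refuses a code for a time step that has already been accepted, even inside the skew window, which is what stops a relayed code from being used twice. The backup codes are stored only as hashes, so a leaked table of them cannot be used to log in; the TOTP seed, by contrast, must be available to the server in the clear to compute codes, so it needs encryption at rest and is the more sensitive record.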
A good 2FA setup requires a fine balance between security, usability, and scalability.

Top 10 Best Practices for Implementing and Managing Two-Factor Authentication in 2021
Keeping in mind the nuances involved in implementing and managing two-factor authentication, here are the best practices organizations should follow for the best results.

1. Create a comprehensive list of access points
The first step toward building a two-factor authentication system is to go through every asset, application, and service used across the organization's networks. This may prove more difficult than it sounds, since everyday apps such as email and in-house communicators like Slack also need to be considered. Once everything from email to database access has been listed, rank the entries by what an attacker could do with the access: entry points that reach sensitive data, administrative consoles, and anything exposed to the internet come first. Enabling 2FA for every access point at once may prove to be overkill, but anything reachable from outside the network with a password alone should not stay on the list for long.

2. Choose authentication factors based on organizational requirements
Not all access points require the same authentication strategy. Two-factor authentication solutions are rarely one-size-fits-all, so picking off-the-rack solutions and stacking them onto the infrastructure is not a good idea. Organizations must consider what hardware and software they already use and how to leverage it for an optimal 2FA implementation. For example, if all employees have devices with fingerprint scanners, that can be one of the factors implemented.

3. Consider industry mandates
Industries such as healthcare are subject to stringent mandates such as HIPAA, which even dictate how data must be stored for privacy purposes. In such cases the right tokens must be chosen. WebAuthn/FIDO2 authenticators are the most secure factors available today because they are phishing-resistant; push notifications with number matching and device biometrics that unlock a device-bound key come next, while SMS and voice codes are the weakest. To avoid the hefty fines that follow a data breach, investing in the stronger factors makes sense.

4. Factor in implementation, management, and scaling costs
As with any security-related activity, costs must be estimated before implementation. OTP-based tokens are the least expensive to implement, but will the system scale with the company's vision for further innovation? This question must be answered, with provisions to add extra authentication factors as and when required.

5. Create the optimal trade-off between usability and security
While it is tempting to add 2FA checkpoints at every possible access point, that makes for poor planning. When it is customer-facing, too many authentication steps cause users to drop off from the application. When it is employee-facing, constant re-authentication hurts productivity. Two-factor authentication should be enforced at the crucial points, and combining it with single sign-on (SSO) lets users authenticate strongly once and reuse that session across applications.

6. Have account recovery options in place
Most authentication factors are fleeting in nature: they are time- or context-based. Users misplace hardware tokens; phones break or get lost. If a user can no longer reach an authentication channel, there must be a way for them to log in anyway. This does not mean falling back to the password alone, which would silently turn 2FA back into single-factor authentication. Admins must be able to change the authentication channel on request after verifying the user's identity, or the system must provide something akin to 'forgot password' for the second factor: typically a set of single-use backup codes issued at enrollment, stored hashed like passwords, and invalidated as each one is used.

7. Ensure compatibility when it comes to third-party solutions
Third-party solutions may boast the latest in two-factor authentication, biometrics and the works. But will they be compatible with the organization's existing infrastructure? Will the solution grow with the organization, or at the very least work alongside other security solutions? Stakeholders need to look into their existing IAM and PAM solutions before making a decision.

8. Provide multiple authentication options for users
It is best to assume that the same set of tokens will not be available to the user at every point in time. For example, when verifying a new YouTube account during creation, the user is given three options: a one-time code sent to the email address, an SMS to the mobile number, or a phone call to the mobile number. The user can select whichever is accessible at that moment. Offer more than one strong option as well (for example, a hardware key plus an authenticator app), so that the fallback is not always the weakest channel.

9. Regularly evaluate and update the authentication plan
Enterprises change every day. Most infrastructure is no longer on-premises; dynamic cloud-based solutions and services make the infrastructure a living, growing thing. New access points are added, user roles change, and new hardware capabilities reach everyday users. With all this in mind, it is best to re-evaluate the two-factor authentication strategy at scheduled intervals.

10. Consider scalability and availability for voice- and text-based tokens
When using voice- and text-based tokens, businesses need to support multiple carriers to ensure high availability. Dynamic routing ensures that all token requests are handled immediately and accurately, and the system must scale to large volumes of requests. Users expect an immediate response to token requests, failing which users and employees will find themselves locked out of the system. Bear in mind that the phone network is also the least trustworthy channel: SIM-swap fraud and carrier-level interception mean SMS and voice should be the fallback rather than the primary factor wherever a stronger option can be deployed.

Takeaway
According to the World Economic Forum (2020), four out of five data breaches are caused by weak or stolen passwords. With COVID-19 thrusting more organizational operations online, attack surfaces have increased in parallel. Because of this, Forrester reports that 76% of enterprise decision-makers want to move to a zero-trust security framework. The two-factor authentication model is a no-brainer in this climate.