What Is 2-Factor Authentication?
Before we can answer this question, we need to talk about single-factor authentication. Single-factor authentication has been the standard for most websites for the last decade or two. It’s the classic username plus password scenario. Users create a username and select a password when creating an account, and then they provide those credentials each time they visit the site.
Single-factor authentication has plenty of problems, which we’ll get to in a later section. Because of these problems, many businesses have added another layer of security, or authentication, to their accounts. This second layer is what’s called 2-factor authentication.
While there are many methods for implementing 2-factor authentication, all will require some second layer of identity establishment after the username and password screen. Often this takes the form of a one-time numeric code texted to the user’s phone, but there are plenty of other methods as well. All types should use two different categories of information, including something you know (your credentials) and either something you are (your fingerprint or retina scan) or something you have (a unique code you’ve been given).
So, to sum up, when a site or company is using 2-factor authentication, users are required to provide two forms of authentication. They must produce both the correct username and password (the first factor) and some other proof of legitimate account ownership (the second factor) before they can gain access to their account.
Types of 2-Factor Authentication
There are many ways to implement 2-factor authentication (2FA for short). The most common on consumer accounts (like Gmail) is the method mentioned above. With Gmail’s 2FA enabled, users first log in via email address and password. Next, Google sends a one-time numeric code via text message to the cellphone listed in the account. The user must have physical access to that phone to see the code, which the user then types into the Gmail prompt.
Some consumer websites provide the option to bypass the second layer of authentication on trusted devices, like your home computer. While the convenience is nice, we don’t recommend doing this as it circumvents the whole point of using 2FA.
In the early days of 2FA, large corporations would issue authenticator keyfobs to employees. These would generate a random code every minute or so, and employees could not access critical systems without the rotating codes. This method is rarely seen today for one obvious reason: lose a keyfob, and the system is more or less compromised because the old fobs couldn’t be deactivated from a distance.
The other major forms of modern 2FA are based on this concept, though. Authenticator apps use a time-based one-time password, with the shared secret enrolled by scanning a QR code, all built into a dedicated app on your smartphone. This system works even when your phone has no service, but the authentication is generally tied to one app on your phone. New-school security keys are another descendant of those rotating keyfobs. Today’s security keys keep the physical in-person security aspect but ditch the rotating passcodes in favor of a newer technology called Universal Second Factor, or U2F. This new technology interacts with a site behind the scenes, establishing your identity without needing to worry about passcodes yourself.
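To make the authenticator-app mechanism above concrete, here is an added example (not code from the original post or from any vendor) of the time-based one-time password scheme those apps implement, together with the server-side check a site would run. It uses the published RFC 4226/6238 test secret rather than a real credential, and the drift window and replay guard are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Published RFC 4226/6238 test-vector secret (base32 of ASCII "12345678901234567890"),
# not a real credential. A real authenticator receives its secret once via the
# enrolment QR code (an otpauth:// URI) and keeps it on the phone.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps elapsed."""
    return hotp(secret_b32, unix_time // step)

def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_step: Optional[int] = None,
                window: int = 1) -> Tuple[bool, Optional[int]]:
    """Server-side check. Accepts the current step and +/- `window` steps to
    tolerate clock drift, but refuses any step at or before the last step
    already consumed, so a code cannot be replayed within its lifetime.
    Returns (accepted, step_to_record_on_success)."""
    current_step = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        step = current_step + delta
        if last_used_step is not None and step <= last_used_step:
            continue
        # Constant-time comparison so timing cannot leak how many digits matched.
        if hmac.compare_digest(hotp(secret_b32, step), submitted):
            return True, step
    return False, None

if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET_B32, now)  # what the app on the phone would display
    print("code:", code, "verify:", verify_totp(TEST_SECRET_B32, code, now))
```

The server must persist the returned step per user; without that, a code captured by phishing stays valid for the rest of its 30-second window.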
Apple devices and accounts (among others) use a push-based 2FA system that notifies users that someone (hopefully you) is trying to log in somewhere else. You’ll often see these prompts on your MacBook when updating iOS or iPadOS, for example. If it’s you, you can click “allow.” If it’s not you, you can click “deny” and lock out the would-be attacker.
The various methods of 2-factor authentication all have strengths and weaknesses. But the most important takeaway is that your business needs to implement 2FA in one form or another. It’s one of the most manageable steps you can take to improve security.
What Does 2-Factor Authentication Protect Against?
Now, it’s bad if any employee’s credentials are compromised in any of the ways above (or more creative ways we didn’t mention). But if you’re using single-factor authentication, it’s more than just bad. When an attack comes, it could be anything from a major hassle to an existential threat.
So, to sum up, 2FA can help protect against unauthorized access to accounts and systems throughout your organization. It’s not a bulletproof system, but it makes it much, much harder for people to penetrate your systems.
Why Is 2-Factor Authentication More Secure Than Single-Factor Authentication?
2-factor authentication doesn’t resolve the problems of single-factor authentication. Instead, it adds another layer of challenge or difficulty. The barrier to entry is much, much higher. To gain access to an account secured with 2FA, a bad actor must first steal a valid username and password combination. That’s the easy part. Next, they’d need to either physically steal the person’s phone or somehow manage to clone it or intercept the code sent to it.
(Network TV makes “cloning a phone” look like child’s play, but reality is far more complicated.) If the account is secured with an Authenticator app or modern security key, the bad actor would need access to those elements instead.
For the bad guys, it all comes down to risk and ease of access. If an account is easy to infiltrate and the risks of getting caught are low, bad actors are going to act. But imagine how much more risk is involved in convincing someone to physically hand over their cell phone or security key. For starters, doing that requires showing up in person, which is far riskier than sending out phishing emails from a distance.
You want to make it as risky and as dangerous as possible for would-be attackers to gain access to your systems. Will enabling 2FA stop every instance of targeted corporate espionage? No. But doing so will protect you from most crimes of opportunity, and those are far more likely than targeted attacks.
How Much More Secure Is 2-Factor Authentication?
While it’s impossible to put this in concrete terms like a percentage, 2-factor authentication is far more secure than single-factor authentication. It’s much more challenging to break into an account in this way because it usually requires physically stealing a smartphone (and maybe its passcode) or a USB security key.
Needing this kind of personal access virtually eliminates crimes of opportunity, and it makes targeted action more difficult by several orders of magnitude.