Two-Factor Authentication: The Basics
There’s no getting around it: the password as we know it is dead. The information we keep online is too important to only safeguard with a single string of characters. Our security methods must evolve.
We’ve seen that evolution begin over the last decade or so. Users and system administrators have gradually moved beyond passwords to implement complex, dynamic approaches to security like zero-trust architectures. In the past, one only needed a password to gain access. Now, administrators and users can use a combination of tools and policies that allow seamless authentication while still safeguarding against the most common types of attacks.
Essentially, web security has moved from the Captain America approach — using one shield for self-defense: a password — to the Batman approach, where a utility belt of tools contains options for a variety of situations.
One of the most important resources in that utility belt is two-factor authentication (2FA). It’s a cost-effective measure that protects against key threat vectors (and it’s fairly simple to roll out). Let’s dig in to 2FA: why it’s important, how it works, and how you can get started.
Why 2FA is an Essential Part of Web Security
Two-factor authentication means that whatever application or service you’re logging in to is double-checking that the request is really coming from you by confirming the login with you through a separate venue.
You’ve probably used 2FA before, even if you weren’t aware of it. If a website has ever sent a numeric code to your phone for you to enter to gain access, for instance, you’ve completed a multi-factor transaction.
2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that’s no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.
2FA also does something that’s key to maintaining a strong security posture: it actively involves users in the process of remaining secure, and creates an environment where users are knowledgeable participants in their own digital safety. When a 2FA notification comes to a user, they have to answer the question, “Did I initiate that, or is someone attempting to access my account?” This underlines the importance of security with each transaction. While most other web security methods are passive, and don’t involve end users as collaborators, 2FA creates a partnership between users and administrators.
How Does 2FA Work?
Different 2FA methods use varying processes, but they all rely on the same underlying workflow.
Typically, a 2FA transaction happens like this:
1. The user logs in to the website or service with their username and password.
2. The password is validated by an authentication server, and if correct, the user becomes eligible for the second factor.
3. The authentication server sends a unique code to the user’s second-factor device.
4. The user confirms their identity by approving the additional authentication from their second-factor device.
While the basic processes behind multi-factor authentication are generally the same across providers, there are many different ways to implement it, and not all methods are created equal. Let’s dive into the various types of 2FA.
Types of 2FA
Generally, multi-factor authentication systems rely on at least one of the following approaches.
Authenticator Apps. Authenticator apps are exactly what they sound like: smartphone apps that handle the second-factor approval process as standard notifications. Authenticator apps such as Duo Mobile use internet connectivity to deliver login approval requests, which is more secure than using phone lines.
U2F devices. Universal Second-Factor (U2F) devices are similar to tokens: they’re small physical devices used exclusively to verify logins. Instead of attaching to a keychain like a token, however, U2F devices are designed to fit in an open USB slot. (Older models use USB-A ports, newer versions fit in USB-C slots.) When a user enters their password on a computer with a U2F device plugged in, they’re prompted to tap the physical U2F device to gain access. U2F devices are popular because they’re so easy to use — a simple tap and you’re done — but using one means giving up an available USB port, which isn’t always an option for all users.
Passcodes. Passcodes are the most common form of 2FA, and usually consist of a short string of numbers sent to a smartphone. Passcodes definitely count as 2FA. Since they rely on phone lines, however — which can be compromised — they represent the least secure method. Passcodes aren’t a real hit with users, either: each code must be manually entered, which can be a nuisance.
Tokens. Many web security teams opt to arm their users with tokens. These are typically small keychain fobs that generate codes for users to enter as their second factor. Tokens are more secure than cellular-delivered passcodes, as they don’t rely on phone lines, but they don’t address the annoyance of entering codes. (In fact, they may make that worse, as you can’t copy and paste a code from a token.) Tokens are attractive because they are affordable and don’t require system administrators to collect phone numbers — but they’re battery-operated, and batteries die. Using tokens will mean dealing with the headache of timing replacements to avoid users losing access to crucial systems.
Phone callbacks. Phone callbacks are one of the less popular versions of 2FA, but they’re an effective — if time-consuming — way to implement a second factor. In a phone callback setup, once a user logs in, they receive an automated phone call that prompts them to approve or deny the access request.
TOTP. Time-based One-Time Passcodes, better known as TOTP, are similar to passcodes. Instead of a service sending the user a series of numbers, however, an app generates a one-time-use passcode that will quickly expire. Doing it this way means users can still use their authenticator app (which will generate TOTPs on demand), and no insecure phone lines get involved.
Keep in mind that in most cases, system administrators opt for a variety of approaches and typically give users a few options to best fit the given need. So, for example, if your work laptop has a U2F device attached, you could use that as your second factor throughout the day. Logging in to an application off-hours from your smartphone, however, might require that you use an authentication app. And while this kind of flexibility may not seem like a big deal, your users will definitely appreciate it, making them stronger allies of your security efforts.
Getting Started with 2FA
Because 2FA is a cloud-based service, it’s relatively easy to implement and can be rolled out gradually to your organization. The basic process for getting started goes like this:
Determine which 2FA service you’ll be using. Take advantage of our Two-Factor Evaluation Guide to get a handle on all of the things you can (and should) get from a web security product that includes 2FA. Remember: 2FA shouldn’t be your only security approach. A strong security platform will both make it easy to set up multi-factor access with your most important apps and provide other avenues of defense, like customizable access policies. If you have ambitions of someday moving to a zero-trust model, a coordinated approach that includes, but isn’t limited to, 2FA is essential. We’ve designed Duo Beyond to meet these needs, and you can learn more about that here.
Establish a proof of concept with a small group of users in a low-stakes environment. Before you roll out 2FA to your entire organization, test it out first and address any issues you identify. Get a small group of users who will be communicative about the process and work with them ahead of time to understand how it will work for them.
Enable 2FA using integrations for each service or application you’re protecting. To set up a specific application or service to work with 2FA, you’ll need an integration — a means of getting the application or service to work with 2FA. For example, Duo Beyond includes integrations for everything from larger systems like Salesforce CRM to smaller applications like Slack. (We also have a web-based integration that can be customized to work with any application for which there isn’t a specific integration.) However you choose to move forward, make sure you’ve got a plan for integrating each of your critical systems with your 2FA service.
In the post-password world, strong web security relies on a dynamic approach built from a variety of tools and policies. It’s important to never rely on any single method for comprehensive protection. That means two things: (1) if you’re currently relying on passwords alone, it’s time to evolve, and using 2FA is a solid first step; and (2) 2FA is an essential security tool, but it becomes even more effective when it’s used as part of a coordinated strategy of security applications and policies.