Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is the foundational element of a zero trust security model. In order to protect sensitive data, you must verify that the users trying to access that data are who they say they are. 2FA is an effective way to protect against many security threats that target user passwords and accounts, such as phishing, brute-force attacks, credential exploitation and more.

Let’s say you use a username and password to complete primary authentication to an application. That information is sent over the Internet (your primary network). You’ll want to use a different (out-of-band) channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.

So why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication — if both are delivered over the same channel.

Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc. stored in applications.

By integrating two-factor authentication with your applications, attackers are unable to access your accounts without possessing your physical device needed to complete the second factor.

We know the most effective security solution is one your users actually use.

Duo’s 2FA solution only requires your users to carry one device — their smartphone, with the Duo Mobile app installed on it. Duo Mobile is available for both iPhones and Android, as well as wearables like the Apple Watch.

With support for a large array of authentication methods, logging in via push notification is fast and easy with Duo Mobile. We strongly recommend using Duo Push or WebAuthn as your second factor, because they're most secure and can protect against man-in-the-middle (MITM) attacks, but with Duo's flexibility and customizability, you'll be able to find the adaptive authentication method that meets the unique needs of your diverse user base.

Pros

• Simplicity. SMS 2FA simply sends a confirmation code to a user's mobile phone. Just enter the code and gain access to your information.

• Speed and access. If suspicious activity occurs, SMS 2FA sends a one-time password (OTP) to a user's device, so only the user with that device can log in and verify that their account hasn't been compromised. SMS 2FA is a quick way to validate the identity of a user.

• Ubiquitousness. SMS 2FA is the oldest form of two factor authentication, so it has become a commonly accepted security protocol.

Cons

• Phone number requirements. SMS 2FA requires that users disclose their phone numbers to a third party (the 2FA provider). This makes some people uncomfortable because it raises concerns around privacy, personal security, and being targeted for advertising.

• Data network requirements. SMS 2FA requires a phone that can receive SMS messages. If a user's phone is missing or damaged, or if they cannot access their network, they may not be able to receive their security code.

Pros

• Flexibility. This type of 2FA hinges on a QR code which generates a unique passcode. Once they have this code, a user can use it across multiple devices. By contrast, SMS 2FA is restricted to the device that receives the message. TOTP 2FA is more flexible and gives the user a wider ability to access their information.

• Improved Access. Mobile authenticators are able to remember which accounts a user is trying to access — so the user can access their passcode at any time, even if they are not on a cellular or wifi network.

Cons

• Reliance on devices. TOTP 2FA requires the user to have a device capable of reading the QR code to verify their identity. If the user misplaces their device or the QR code, or if it’s stolen, they will no longer be able to access their information.

Pros

• Phishing security. Other types of two factor authentication are susceptible to phishing attacks, but push-based 2FA combats that vulnerability by replacing access codes with push notifications. When they attempt to access their information, a push notification is sent to the user’s phone. The notification includes information about the login attempt, such as location, time, IP address, and more. The user simply confirms that the information is correct and uses their phone to accept the authentication request.

• Ease of use. Once set up, push-based 2FA streamlines the authentication process. If the information sent through the push notification is correct, the user simply accepts the login attempt through their mobile device and is able to access their account.

• Scalable. Push-based 2FA can easily be scaled for organizations needing to secure multiple users. The ease of use allows teams to onboard the software and train teams on how to use it efficiently. Since every access attempt is confirmed with a mobile device, there are no SMS codes to enter or QR codes to save.

Cons

• Reliance on data access. Push-based 2FA sends its notifications through data networks like cellular or wifi networks. The user must have data access on their mobile device to use the 2FA functionality.

• Reliance on user knowledge. Push-based 2FA fights phishing by allowing the user to validate the location and other details associated with the login attempt. Security breaches may occur in cases when the user doesn’t pay attention to or correctly read information like the IP address and login location.

Pros

• Convenience. All you need is a supported web browser, operating system and authentication method -- such a biometric indicator, a security key (such as a Yubikey), or a system-local PIN -- for phishproof access.

• More secure. WebAuthn is one of the more secure 2FA methods available today. It allows web applications to trust a strong biometric authentication as a credential that is specific only to that service — which means no more shared passwords. We now have a secure means to generate, store and utilize a credential whose attributes are unknown to the user and thus can’t be stolen and exploited.

Cons

• Complex account recovery. In the modern workplace, work doesn’t stop when a security issue arises. Perhaps an employee loses their phone, or someone reports an unauthorized access attempt. Security measures help control these threats, but employees are expected to be back up and running and working as normal shortly after the incident. Many 2FA solutions make this relatively easy — a systems administrator can help with account recovery. 

   

  WebAuthn uses asymmetric cryptographic keys to secure authentication. The credentials it creates are also known as “passkeys.” Passkeys can be device-bound or synced across an operating system or third-party provider cloud. 

   

  Synced passkeys enable account recovery in the event a device is lost or stolen. When the user authenticates to the provider cloud from their new device, their passkeys are synchronized with the secure enclave storage. 

   

  Device-bound passkeys, however, are strongly tied to a specific individual device, making account restoration more difficult. For that reason, it’s still recommended that users have another out-of-band form of authentication to fall back on, should they lose access to their authenticator. 

Healthcare

Healthcare organizations are concerned about securing patient data and personally identifiable information (PII). They also need to meet a number of compliance requirements, including HIPAA, PCI DSS, HITRUST, Joint Commission standards and NIST standards.

The healthcare industry must also securely enable their clinicians and physicians to access patient data, at any time, anywhere - sometimes from their own personal devices. Duo’s 2FA solution allows them to secure this data beyond traditional firewalls. Physicians, accountants, and third-party vendors can access their necessary information securely.

Banking

The banking industry uses 2FA to protect against the many hacking attempts made on their internal and clients’ systems. Duo’s push-based authentication system has helped many large banks improve their resiliency against such attacks.

It is important for security teams to know which users and devices are accessing their systems. Two-factor authentication allows the finance industry to secure remote devices and authenticate every login attempt.

Social Media

Social media platforms and agencies use 2FA to protect the personal data of billions of users worldwide. To protect these users, social media companies like Facebook use Duo’s push-based authentication to shield their developers from hacking attempts when working on the company’s internal networks.

2FA also makes security easier for social media companies by simplifying the access process for developers. Duo’s cloud-based 2FA solution protects developers, and users in turn, by eliminating the need for hardware and software installation.

Travel

The travel industry requires a 2FA solution to allow their remote employees to perform their duties from anywhere in the world. Traditional security protocols like firewalls aren't sufficient when users need access beyond the security perimeters.

Duo’s 2FA technology helps the travel industry implement true Bring Your Own Device (BYOD) policies. Duo Beyond lets travel companies understand the security health of every device accessing the network. Companies can then monitor potential security threats from remote devices.

Government

Current IT modernization initiatives are challenging government agencies to implement big changes to their infrastructure at an uncomfortable pace, as they look to accommodate the shift to cloud and mobile. An ideal security solution needs to account for both protecting users and rolling out on a realistic but still workable timeline.

2FA technology assists federal agencies as they put forward zero trust policies for the millions of end users who need access. Two-factor authentication provides a balance between strong security and usability.

Retail

With an annual U.S. GDP totalling $2.5 trillion, the retail industry is comprised of more than 3.6 million retail establishments. As the nation’s largest employing industry, remote attacks have become increasingly more prevalent and difficult to prevent.

Similarly, security solutions are becoming increasingly important for retail as information technology adjusts to a perimeterless environment. 2FA allows retail companies to authenticate the identities of users accessing their networks through remote desktops and personal mobile devices.

Media

The media industry spans across radio, television, social media, film, and more. 2FA helps media companies by allowing users to access the data necessary to meet publishing deadlines.

By securing IT infrastructures across companies and state lines, Duo’s two-factor authentication technology gives media companies the ability to validate users' identities whenever a login is attempted. The push-based nature of 2FA reduces the friction and frustration that has historically plagued efforts to secure user endpoints.

Higher Education

Higher education institutions manage vast amounts of sensitive user data involving finance, healthcare, PII, and more. This valuable data has historically made institutions prime targets for hacking and malicious breaches of security.

Colleges and universities use 2FA to secure the mobile devices and personal computers of students, faculty and staff. Securing these devices helps combat malicious actors by authenticating the identity and location of every login attempt.

Ridesharing

With a heavy focus on rider safety, ridesharing apps are dependent on the security of the mobile devices accessing their network. To make it even more challenging, ridesharing apps serve an international and decentralized marketplace of users and drivers across hundreds of languages.

2FA technology helps ridesharing companies secure the endpoint devices of their employees regardless of location. Ensuring user identity is a mission critical objective for technology companies and 2FA assists this goal by authenticating employees before they gain access to internal information systems.

Energy

Energy companies often need to secure data on sensitive projects across the world. 2FA technology helps them protect financial, logistical, and human resource systems by securing user endpoint devices.

Ensuring endpoint security allows projects to continue on schedule without risking security breaches. 2FA also helps energy companies by securing the devices of third-party contractors who often need IT system access while operating beyond the perimeter of traditional firewalls.

Who uses 2FA?

Two factor authentication is used across many industries that require user authentication and device trust, beyond usernames and passwords. 2FA technology is often championed by an organization’s security team, Chief Information Security Officer, or information technology team, but it affects departments throughout the business. Below is a list of the top five industries where 2FA is a crucial information security strategy:

• Healthcare: Due to the incredibly sensitive personally identifiable information protected by hospitals and other healthcare organizations, two factor authentication is commonly used to secure user accounts (doctors, patients, administrative staff).

• Finance: Financial institutions use 2FA to protect against data breaches and to comply with the growing security demands of users and auditors. The highly sensitive and valuable data protected by financial firms makes them prime targets for cyber criminals.

• State & Federal Government: Both state and federal governments are under constant threat of cyber attacks. In response, governments are implementing two factor authentication in addition to traditional passwords. With 2FA, a hacker would have to capture an end user’s mobile device, even if their password is compromised.

• Education: Educational institutions from elementary schools to universities implement 2FA solutions to protect the data of their students and staff. Students, teachers, and administrators log into sensitive web portals with 2FA in addition to the traditional passwords.

• Law Enforcement: Two factor authentication is used by government agencies of all sized — from the FBI, and CIA, down to local police departments in order to protect sensitive data. Law enforcement administrators can confirm the location, IP address, and username of any user attempting to log into their networks. This is another layer of protection against potential external threats.

How effective is 2FA?

2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials. This dramatically improves the security of login attempts. 2FA has also been shown to block nearly all automated bot-related attacks.

About 81% of confirmed data breaches in the Accommodations industry involved stolen credentials. – Source: Verizon 2018 Data Breach Investigations Report

Which authentication method is best?

At Duo, we recommend push-based, FIDO Security Key, and biometric authentication, because these make it very difficult for an attacker to pose as an authorized user.

Push-based 2FA: Most push-based authentications can't be approved unless a user's phone is unlocked. This requirement makes push-based 2FA more secure than passcode-based 2FA, which often delivers a code that can be seen on lock screens or other SMS-enabled devices. With push-based 2FA, simple security measures like a passcode or biometric identification go a long way, protecting applications with a layer of information only device owners would possess.

Webauthn: Webauthn-based authentication requires users to approve access requests via a mechanism that’s attached to their device. Webauthn taps into users’ built-in biometric authenticators, negating the need for both passcodes and physical hardware. For devices that don’t contain a built-in biometric sensor, USB-based FIDO security keys, such as the YubiKey by Yubico can bridge the gap. With Webauthn, the world of information security moves one step closer to true password-less authentication.

What's the difference between 2FA and MFA?

Two-factor authentication (2FA) is a subset of multi-factor authentication. There are as many potential factors of authentication as there are ways to confirm a user’s identity (location, fingerprints, face, security keys), and any security protocol that involves three or more is considered MFA. 2FA is the most common and easily accessible subset of MFA that requires two factors of authentication.

How will 2FA improve my technical infrastructure?

2FA often reduces the need for device-specific or application-specific security tools, like MDMs. With 2FA, companies are able to protect a broader scope of information and technical environments, allowing them to consolidate and/or forego solutions that may not be adding to the overall security landscape. Reducing total cost of ownership is an ongoing initiative for many companies, especially when it comes to IT, and protecting more information with 2FA can drive progress toward that goal.

At Duo, we recognize the value of streamlining technical infrastructure, so we’ve built broad application and device coverage right into our 2FA solution. Learn more about how Duo helps make life easier for IT administrators.

Can I use 2FA in a hybrid environment?

The short answer is: “yes.” Most companies need to protect both cloud-based and on-premesis applications, so it’s smart for 2FA vendors to accommodate both types.

However, that doesn’t mean all 2FA vendors can protect all applications. Some are tailored to specific productivity tools or require additional drivers or software to protect a greater breadth of information. Duo’s 2FA solution is designed to work with the broadest range of applications and devices — so no matter what you need to protect, Duo can help.

How do I make sure my users keep their devices updated?

Rigorous device health standards are an essential part of any effective security framework. To truly be secure, every single device that requests access to an application should meet your organization’s security standards. But depending on the complexity of your security protocols, it can be difficult to ensure every device has the latest operating system, has screenlock enabled, is properly encrypted — the list goes on.

Some 2FA solutions build in the option for device health checks, so administrators can warn users that unless they update their software or change their device settings, they’ll be unable to access the services they need. Duo’s self-remediation features are designed specifically to not only warn or block users based on device health, but to help users comply with security regulations without needing to get an IT professional involved.

The easier it is for users to meet security standards, the more likely they are to keep their devices compliant — saving administrators a lot of headaches over time.

What if a user loses their mobile device?

2FA relies on users to have a device with which to authenticate. If that smartphone or laptop is lost or stolen, there’s a heightened risk that unauthorized entities will be able to access your important data. So, generally, users should be aware of their devices’ locations at all times, and they should be cautious about letting others use their devices.

That’s not a security guarantee, though — we’ve all lost (or thought we lost) a device or two somewhere along the road. It happens. Fortunately, 2FA technology can actually make it easier to protect the information to which those devices have access. Security solutions that install directly onto users’ devices (MDMs, etc.) can often lock or shut down devices remotely, protecting mission-critical information even when a user doesn’t physically have their device with them. Duo works similarly, but it doesn’t require installation of any additional drivers or software. Users can easily self-enroll in 2FA via an app on their devices, so no matter where in the world they travel or what technology they use, your information stays secure.

Can I limit access to some applications but not others?

With a good adaptive authentication solution, yes! And as the security industry evolves, it becomes ever more important to do so. Remember, the goal of a security policy is to limit access to as few people as possible — and that concept applies at the application level, too. To truly reduce the possibility of a breach, each user should be able to authenticate to as few applications as possible, and their level of access should be based on the information they need to access.

What is a user access policy?

A user access policy is a specific set of rules that determine whether or not a user can access an application. For example, your company might have a policy that only users with a certain level of security clearance can access mission-critical information. A good 2FA solution will allow administrators to set these rules granularly, ensuring that only the right people, with the right devices and the right credentials, are accessing each individual application.The ultimate goal of a user access policy should be to grant access to as few users as possible. This means thinking critically about very general authorization parameters. It’s likely that some applications will require more stringent protection than others, and that some devices will be more trustworthy than others — so access policies should take these factors into account. For example, applications that contain sensitive personal information may require a user to have both the correct security clearance and have their device firewall enabled. In contrast, collaboration tools like calendars may be accessible to more users and may not require that users' devices meet such specific criteria.

What is adaptive authentication?

The premise of adaptive authentication is that users circumstances are constantly changing — they move between networks, they change their device settings, they require additional application access, etc. — so authentication rules should constantly be adjusting to keep up.

A good adaptive authentication solution will allow users to set risk-based access policies over several dimensions:

• By user or group of users and their roles and/or responsibilities.

• By authentication method. Allow authentication only via approved methods. For example, users authenticating via push notification are granted access; users authenticating with SMS are not.

• By application. For example, a company might want to enforce the use of the more secure MFA methods (push notification, WebAuthn, etc.) for high-risk applications and services.

• By geographic location. Restrict access to company resources in any geographic location.

• Set conditional policies for certain locations. For example, a company may want to require 2FA in certain locations, but not in others.

• By network information. Where the user/device is coming from (set of IP ranges); block authentication attempts from anonymous networks like Tor, proxies and VPNs.

Because adaptive authentication is only becoming more and more important, Duo makes it easy to set and monitor security policies based on any of these dimensions — and with Duo’s intuitive administrator dashboard, administrators can do it all from a single, central control panel. Duo also integrates with existing technology, like Active Directory or Azure-AD, and can leverage them to apply policy at a group level.

How does 2FA protect BYOD?

• Open wifi networks: 2FA protects against attempts to steal or phish your username and password via an open wifi network.

• Man-in-the-Middle attacks: 2FA doesn’t allow hackers to spoof push notifications to your personal device even if your password is compromised by a man-in-the-middle attack.

• One password across many accounts: 2FA gives you an added layer of security via push notifications even if you have used the same password across multiple accounts.

• Malware email attachments: Even if you fall prey to malware attachments, you can protect your login credentials by confirming every login attempt accessing your accounts.

• Cloud storage: 2FA gives cloud users the ability to validate every login attempt with their personal devices, no matter where in the world they are. This becomes chokepoint that organizations can use to secure their data in the cloud.

How does 2FA work when my users are traveling?

In most cases, 2FA should work exactly the same way when you are traveling, as it would when you are at home. You enter your password, validate the login attempt with your push notification, and hit accept. There are two situations when two factor authentication won’t work when traveling, however:

First, you will not be able to receive push notifications if you lose cell or wifi connection while traveling. Some wireless carriers may not have service in the area you are visiting, so be sure to confirm so before you travel.

The second issue that may cause 2FA to not work while traveling is if you lose your phone. Even with your password and username, you will be locked out of applications if you cannot receive a push notification with your phone.

What is zero trust, and how is 2FA related?

The zero-trust approach to security posits that location-based trust is no longer enough to prevent unauthorized access to applications and information. The traditional “perimeter,” defined by known networks and environments, is being negated by BYOD and remote work — in the modern workplace, employees expect some freedom to work from different locations and use the devices they’re most comfortable with. The zero trust model addresses these potential security issues by establishing trust for every access request — regardless of location. It enforces adaptive controls, and continuously verifies trust. Trust levels are dynamic and change to adapt to your evolving business. This approach can help prevent unauthorized access, contain breaches and reduce the risk of an attacker's lateral movement.

At Duo, we help businesses secure their workforces using a zero trust approach. This model can seem complex, because it up-ends traditional perimeter based security — but achieving zero trust can be done in just 5 steps:

1. Establish Trust in User Identities

2. Gain Visibility into Devices & Activity

3. Ensure Device Trustworthiness

4. Enforce Adaptive & Risk-Based Policies

5. Enable Secure Access to All Apps

For more on zero trust and how this approach can enable a more secure workforce, visit our zero trust page.

How do I increase 2FA adoption in my organization?

Get to know the numbers: 2FA technology exists to protect against the growing threat of cybersecurity breaches worldwide. According to a study by the University of Maryland, there is a hacking attack every 39 seconds. Knowing the how and why 2FA can impact your business is an important first step.

Work with stakeholders: Adopting two factor authentication requires buy-in from the entire company, but the decisions are often made by a select group. This group can be comprised by executives, your security team, your IT team, and anybody else who has a say in the adoption process. Understand who the important stakeholders are and work with them to magnify your impact.

Communicate the risks and benefits: once you know who needs to be on board with your adoption plan, frame the issue in terms that are important to each member. The company’s CEO will have different priorities than the head of IT, for example. Knowing what is important to each stakeholder will go a long way in seeing your 2FA adoption through.

Understand the logistics: Rolling out a complete 2FA adoption will take time and involve some logistical challenges. Keeping your end goal in mind while navigating the process will help you see the adoption process through. Are your employees hesitant to download the 2FA app? Is your security team bogged down with work? Be sure to understand the potential roadblocks on your way to 2FA adoption.

How are other companies using 2FA to secure their information?

2FA technology has helped companies across many industries secure their user endpoints. Take a look at our extensive customer story page to see how.