Double up on security by protecting your applications and environments with two-factor authentication (2FA). It's the simplest, most effective way to verify that your users are who they say they are.
Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. These factors can include something you know - like a username and password - plus something you have - like a smartphone app - to approve authentication requests.
2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.
Two-factor authentication (2FA) is the foundational element of a zero trust security model. In order to protect sensitive data, you must verify that the users trying to access that data are who they say they are. 2FA is an effective way to protect against many security threats that target user passwords and accounts, such as phishing, brute-force attacks, credential exploitation and more.
Let’s say you use a username and password to complete primary authentication to an application. That information is sent over the Internet (your primary network). You’ll want to use a different (out-of-band) channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.
So why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication — if both are delivered over the same channel.
Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc. stored in applications.
Once two-factor authentication is integrated with your applications, attackers cannot access your accounts without also possessing the physical device needed to complete the second factor.
We know the most effective security solution is one your users actually use.
Duo’s 2FA solution only requires your users to carry one device — their smartphone, with the Duo Mobile app installed on it. Duo Mobile is available for both iPhones and Android, as well as wearables like the Apple Watch.
With support for a large array of authentication methods, logging in via push notification is fast and easy with Duo Mobile. We strongly recommend using Duo Push or U2F as your second factor, because they're most secure and can protect against man-in-the-middle (MITM) attacks, but with Duo's flexibility and customizability, you'll be able to find the adaptive authentication method that meets the unique needs of your diverse user base.
Duo integrates to protect every point of access, from on-premises, to web-based, to cloud-based applications. Deployment is quick and easy, and the platform's user-friendly authentication experience and intuitive administrator dashboard make managing your security protocols a breeze.
Duo puts your organization on the fast-track to zero trust by securing the modern workforce. The simple, all-in-one platform lets you verify user identities, assess and act on the health of devices, set adaptive access policies, and protect users' productivity with modern remote access and SSO capabilities. Learn more about Duo's approach to zero trust here.
At Duo, we believe every organization should have a 2FA solution, so we take pride in providing a simple, yet scalable, security platform that works. With three editions and a host of capabilities built in, you can choose the solution that's just perfect for your business. See editions and pricing here.
Need more information to get up to speed on 2FA basics and security industry terminology? We're here to help. Below, you'll find answers to your questions and resources to help you take the next steps toward a more secure workforce.
Factors are the pieces of information a user can provide to verify their identity. 2FA is the most commonly used, but there are, in fact, five factors of authentication used by security professionals today.
The knowledge factor verifies identity by requesting information only an individual user would know. The most common example of a knowledge factor of authentication is a password. A user’s password should be private only to them, allowing them to use it as a method to confirm their identity.
Possession factors verify the identity of a user by requiring proof of something that only the user should possess. Tokens are a commonly used possession factor of authentication. These tokens, which users must physically carry on their person, generate a rotating passcode.
Duo Mobile combines the knowledge factor and possession factor of authentication to create the world’s most trusted 2FA platform. Two other possession-factor methods are HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP). Both methods generate temporary passcodes on a physical device carried by the user. An HOTP passcode expires once it has been used, while a TOTP passcode expires if it is not used within thirty seconds.
Inherence factors of authentication verify the identity of a user by using attributes that would belong only to that user. Fingerprint scanning is the most obvious inherence factor used today.
Fingerprints are unique to individuals, so many organizations use them as a way to confirm who their users are. In addition to fingerprints, there are many other inherence factors used today: voice, handprints, face recognition, and more.
Location factors of authentication confirm the identity of a user based on their location in the world. If a user registered an account in one country, for example, and suddenly there are login attempts from another, location factors can trigger and attempt to verify the identity of the new user. Many location factors are based on the IP address of the original user and compare that address to the address of the new attempt to access information.
Time factors of authentication verify the identity of a user by challenging the time of the access attempt. This is based on the assumption that certain behaviors (like logging into a work computer) should happen within predictable time ranges. If an attempt to access a platform happens outside of the usual time range, the attempt can be challenged or terminated until a user can verify their identity.
The need for two-factor authentication has increased as companies, governments, and the public realize that passwords alone are not secure enough to protect user accounts in the current technical landscape. In fact, the average cost of data breaches today is over two trillion dollars annually. While 2FA protects against a multitude of threats, the most common threats include:
A traditional password can be used by anybody who gets their hands on it. If a user writes down their password on a pad of paper, for example, that password can be stolen to gain access to an account. 2FA, by contrast, validates the user with a second device after a password is entered.
Hackers will often send emails that include links to malicious websites designed to either infect a user’s computer or convince them to enter their passwords. Once obtained, a password can be used by whoever manages the hacking attempt. 2FA fights phishing by adding a second layer of validation after the password has been entered.
Hackers will often simply manipulate users into giving up their passwords. By posing as an IT professional at the user’s company, they can earn the trust of the user before asking for login credentials. 2FA protects against this by validating the location and IP of every login attempt after a password has been entered.
In a brute-force attack, a hacker randomly generates passwords for a specific computer until they land on the correct sequence. 2FA’s second layer of protection requires a login attempt to be validated before granting access.
Even if a user hasn't written down their password, hackers can use malware to track and copy a user’s password as they type. Hackers track every keystroke and store the password to be used later. The second layer of validation in 2FA lets a user ensure that the login attempt is their own, even if their password has been compromised.
There are a number of different second factors that can be used to verify a user's identity. From passcodes to biometrics, the available options address a range of use cases and protection levels.
SMS two-factor authentication validates the identity of a user by texting a security code to their mobile device. The user then enters the code into the website or application to which they're authenticating.
The Time-Based One-Time Password (TOTP) 2FA method generates a secret key for the account a user is attempting to access. The key is generally presented as a QR code that the user scans with an authenticator app on their mobile device; the app then generates a series of numbers from that key. The user enters those numbers into the website or application to gain access. The passcodes generated by authenticators expire after a certain period of time, and a new one will be generated the next time a user logs in to an account. TOTP is part of the Initiative for Open Authentication (OATH) security architecture.
Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security, while improving ease of use for end users. Push-based 2FA confirms a user's identity with multiple factors of authentication that other methods cannot. Duo Security is the leading provider of push-based 2FA.
U2F tokens secure two-factor authentication by using a physical USB port to validate the location and identity of a user attempting to log in. To use a U2F token, a user inserts the token into their device and presses the button located on the top of the token. Once the token is activated, the user enters their PIN and gains access to their accounts.
Created by the FIDO (Fast IDentity Online) Alliance and W3C, the Web Authentication API is a specification that enables strong, public key cryptography registration and authentication. WebAuthn (Web Authentication API) allows third parties like Duo to tap into built-in capabilities on laptops, smartphones, and browsers, letting users authenticate quickly and with the tools they already have at their fingertips.
Endpoint security concerns are becoming a bigger focus for many industries — no matter which applications users are accessing, protecting credentials is important to the security of the larger business. Learn how various verticals are using 2FA to stay ahead of security threats:
Healthcare organizations are concerned about securing patient data and personally identifiable information (PII). They also need to meet a number of compliance requirements, including HIPAA, PCI DSS, HITRUST, Joint Commission standards and NIST standards.
The healthcare industry must also securely enable their clinicians and physicians to access patient data, at any time, anywhere - sometimes from their own personal devices. Duo’s 2FA solution allows them to secure this data beyond traditional firewalls. Physicians, accountants, and third-party vendors can access their necessary information securely.
The banking industry uses 2FA to protect against the many hacking attempts made on their internal and clients’ systems. Duo’s push-based authentication system has helped many large banks improve their resiliency against such attacks.
It is important for security teams to know which users and devices are accessing their systems. Two-factor authentication allows the finance industry to secure remote devices and authenticate every login attempt.
Social media platforms and agencies use 2FA to protect the personal data of billions of users worldwide. To protect these users, social media companies like Facebook use Duo’s push-based authentication to shield their developers from hacking attempts when working on the company’s internal networks.
2FA also makes security easier for social media companies by simplifying the access process for developers. Duo’s cloud-based 2FA solution protects developers, and users in turn, by eliminating the need for hardware and software installation.
The travel industry requires a 2FA solution to allow their remote employees to perform their duties from anywhere in the world. Traditional security protocols like firewalls aren't sufficient when users need access beyond the security perimeters.
Duo’s 2FA technology helps the travel industry implement true Bring Your Own Device (BYOD) policies. Duo Beyond lets travel companies understand the security health of every device accessing the network. Companies can then monitor potential security threats from remote devices.
Current IT modernization initiatives are challenging government agencies to implement big changes to their infrastructure at an uncomfortable pace, as they look to accommodate the shift to cloud and mobile. An ideal security solution needs to account for both protecting users and rolling out on a realistic but still workable timeline.
2FA technology assists federal agencies as they put forward zero trust policies for the millions of end users who need access. Two-factor authentication provides a balance between strong security and usability.
The retail industry contributes $2.5 trillion annually to U.S. GDP and comprises more than 3.6 million retail establishments. In the nation’s largest employing industry, remote attacks have become increasingly prevalent and difficult to prevent.
Similarly, security solutions are becoming increasingly important for retail as information technology adjusts to a perimeterless environment. 2FA allows retail companies to authenticate the identities of users accessing their networks through remote desktops and personal mobile devices.
The media industry spans radio, television, social media, film, and more. 2FA helps media companies by allowing users to access the data necessary to meet publishing deadlines.
By securing IT infrastructures across companies and state lines, Duo’s two-factor authentication technology gives media companies the ability to validate users' identities whenever a login is attempted. The push-based nature of 2FA reduces the friction and frustration that has historically plagued efforts to secure user endpoints.
Higher education institutions manage vast amounts of sensitive user data involving finance, healthcare, PII, and more. This valuable data has historically made institutions prime targets for hacking and malicious breaches of security.
Colleges and universities use 2FA to secure the mobile devices and personal computers of students, faculty and staff. Securing these devices helps combat malicious actors by authenticating the identity and location of every login attempt.
With a heavy focus on rider safety, ridesharing apps are dependent on the security of the mobile devices accessing their network. To make it even more challenging, ridesharing apps serve an international and decentralized marketplace of users and drivers across hundreds of languages.
2FA technology helps ridesharing companies secure the endpoint devices of their employees regardless of location. Ensuring user identity is a mission-critical objective for technology companies, and 2FA assists this goal by authenticating employees before they gain access to internal information systems.
Energy companies often need to secure data on sensitive projects across the world. 2FA technology helps them protect financial, logistical, and human resource systems by securing user endpoint devices.
Ensuring endpoint security allows projects to continue on schedule without risking security breaches. 2FA also helps energy companies by securing the devices of third-party contractors who often need IT system access while operating beyond the perimeter of traditional firewalls.
Have questions about how 2FA works? Wondering how 2FA can help secure your accounts and applications? We've got answers.
Two-factor authentication is used across many industries that require user authentication and device trust beyond usernames and passwords. 2FA technology is often championed by an organization’s security team, Chief Information Security Officer, or information technology team, but it affects departments throughout the business. Below is a list of the top five industries where 2FA is a crucial information security strategy:
2FA protects against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials. This dramatically improves the security of login attempts. 2FA has also been shown to block nearly all automated bot-related attacks.
About 81% of confirmed data breaches in the Accommodations industry involved stolen credentials. – Source: Verizon 2018 Data Breach Investigations Report
At Duo, we recommend push-based, U2F, and biometric authentication, because these make it very difficult for an attacker to pose as an authorized user.
Push-based 2FA: Most push-based authentications can't be approved unless a user's phone is unlocked. This requirement makes push-based 2FA more secure than passcode-based 2FA, which often delivers a code that can be seen on lock screens or other SMS-enabled devices. With push-based 2FA, simple security measures like a passcode or biometric identification go a long way, protecting applications with a layer of information only device owners would possess.
U2F: With U2F-based 2FA, users initiate an authentication request and then approve it by tapping a USB device attached to their laptop, desktop, or smartphone. Unlike traditional security tokens, U2F devices are tamper-proof. Each device is associated with only one user, preventing imposters from posing as a trusted user, even if the device is lost or stolen.
WebAuthn: Like U2F-based authentication, WebAuthn-based authentication requires users to approve access requests via a mechanism that’s attached to their device. WebAuthn, however, takes this principle even further by tapping into users’ built-in biometric authenticators, negating the need for both passcodes and physical hardware. With WebAuthn, the world of information security moves one step closer to true passwordless authentication.
Two-factor authentication (2FA) is a subset of multi-factor authentication. There are as many potential factors of authentication as there are ways to confirm a user’s identity (location, fingerprints, face, security keys), and any security protocol that involves three or more is considered MFA. 2FA is the most common and easily accessible subset of MFA that requires two factors of authentication.
2FA often reduces the need for device-specific or application-specific security tools, like MDMs. With 2FA, companies are able to protect a broader scope of information and technical environments, allowing them to consolidate and/or forego solutions that may not be adding to the overall security landscape. Reducing total cost of ownership is an ongoing initiative for many companies, especially when it comes to IT, and protecting more information with 2FA can drive progress toward that goal.
At Duo, we recognize the value of streamlining technical infrastructure, so we’ve built broad application and device coverage right into our 2FA solution. Learn more about how Duo helps make life easier for IT administrators.
The short answer is: “yes.” Most companies need to protect both cloud-based and on-premises applications, so it’s smart for 2FA vendors to accommodate both types.
However, that doesn’t mean all 2FA vendors can protect all applications. Some are tailored to specific productivity tools or require additional drivers or software to protect a greater breadth of information. Duo’s 2FA solution is designed to work with the broadest range of applications and devices — so no matter what you need to protect, Duo can help.
Rigorous device health standards are an essential part of any effective security framework. To truly be secure, every single device that requests access to an application should meet your organization’s security standards. But depending on the complexity of your security protocols, it can be difficult to ensure every device has the latest operating system, has screenlock enabled, is properly encrypted — the list goes on.
Some 2FA solutions build in the option for device health checks, so administrators can warn users that unless they update their software or change their device settings, they’ll be unable to access the services they need. Duo’s self-remediation features are designed specifically to not only warn or block users based on device health, but to help users comply with security regulations without needing to get an IT professional involved.
The easier it is for users to meet security standards, the more likely they are to keep their devices compliant — saving administrators a lot of headaches over time.
2FA relies on users to have a device with which to authenticate. If that smartphone or laptop is lost or stolen, there’s a heightened risk that unauthorized entities will be able to access your important data. So, generally, users should be aware of their devices’ locations at all times, and they should be cautious about letting others use their devices.
That’s not a security guarantee, though — we’ve all lost (or thought we lost) a device or two somewhere along the road. It happens. Fortunately, 2FA technology can actually make it easier to protect the information to which those devices have access. Security solutions that install directly onto users’ devices (MDMs, etc.) can often lock or shut down devices remotely, protecting mission-critical information even when a user doesn’t physically have their device with them. Duo works similarly, but it doesn’t require installation of any additional drivers or software. Users can easily self-enroll in 2FA via an app on their devices, so no matter where in the world they travel or what technology they use, your information stays secure.
With a good adaptive authentication solution, yes! And as the security industry evolves, it becomes ever more important to do so. Remember, the goal of a security policy is to limit access to as few people as possible — and that concept applies at the application level, too. To truly reduce the possibility of a breach, each user should be able to authenticate to as few applications as possible, and their level of access should be based on the information they need to access.
A user access policy is a specific set of rules that determine whether or not a user can access an application. For example, your company might have a policy that only users with a certain level of security clearance can access mission-critical information. A good 2FA solution will allow administrators to set these rules granularly, ensuring that only the right people, with the right devices and the right credentials, are accessing each individual application.

The ultimate goal of a user access policy should be to grant access to as few users as possible. This means thinking critically about very general authorization parameters. It’s likely that some applications will require more stringent protection than others, and that some devices will be more trustworthy than others — so access policies should take these factors into account. For example, applications that contain sensitive personal information may require a user to have both the correct security clearance and have their device firewall enabled. In contrast, collaboration tools like calendars may be accessible to more users and may not require that users' devices meet such specific criteria.
The premise of adaptive authentication is that users’ circumstances are constantly changing — they move between networks, they change their device settings, they require additional application access, etc. — so authentication rules should constantly be adjusting to keep up.
A good adaptive authentication solution will allow users to set risk-based access policies over several dimensions:
Because adaptive authentication is only becoming more and more important, Duo makes it easy to set and monitor security policies based on any of these dimensions — and with Duo’s intuitive administrator dashboard, administrators can do it all from a single, central control panel. Duo also integrates with existing technology, like Active Directory or Azure-AD, and can leverage them to apply policy at a group level.
In most cases, 2FA should work exactly the same way when you are traveling as it does when you are at home. You enter your password, validate the login attempt with your push notification, and hit accept. There are two situations when two-factor authentication won’t work when traveling, however:
First, you will not be able to receive push notifications if you lose your cellular or Wi-Fi connection while traveling. Some wireless carriers may not have service in the area you are visiting, so be sure to confirm coverage before you travel.
The second issue that may cause 2FA to not work while traveling is if you lose your phone. Even with your password and username, you will be locked out of applications if you cannot receive a push notification with your phone.
The zero-trust approach to security posits that location-based trust is no longer enough to prevent unauthorized access to applications and information. The traditional “perimeter,” defined by known networks and environments, is being negated by BYOD and remote work — in the modern workplace, employees expect some freedom to work from different locations and use the devices they’re most comfortable with. The zero trust model addresses these potential security issues by establishing trust for every access request — regardless of location. It enforces adaptive controls, and continuously verifies trust. Trust levels are dynamic and change to adapt to your evolving business. This approach can help prevent unauthorized access, contain breaches and reduce the risk of an attacker's lateral movement.
At Duo, we help businesses secure their workforces using a zero trust approach. This model can seem complex, because it upends traditional perimeter-based security — but zero trust can be achieved in just 5 steps:
For more on zero trust and how this approach can enable a more secure workforce, visit our zero trust page.
Get to know the numbers: 2FA technology exists to protect against the growing threat of cybersecurity breaches worldwide. According to a study by the University of Maryland, there is a hacking attack every 39 seconds. Knowing how and why 2FA can impact your business is an important first step.
Work with stakeholders: Adopting two-factor authentication requires buy-in from the entire company, but the decisions are often made by a select group. This group may include executives, your security team, your IT team, and anybody else who has a say in the adoption process. Understand who the important stakeholders are and work with them to magnify your impact.
Communicate the risks and benefits: once you know who needs to be on board with your adoption plan, frame the issue in terms that are important to each member. The company’s CEO will have different priorities than the head of IT, for example. Knowing what is important to each stakeholder will go a long way in seeing your 2FA adoption through.
Understand the logistics: Rolling out a complete 2FA adoption will take time and involve some logistical challenges. Keeping your end goal in mind while navigating the process will help you see the adoption process through. Are your employees hesitant to download the 2FA app? Is your security team bogged down with work? Be sure to understand the potential roadblocks on your way to 2FA adoption.
2FA technology has helped companies across many industries secure their user endpoints. Take a look at our extensive customer story page to see how.
Help your users get up and running with Duo.
Two-factor authentication is simple to set up. There are seven simple steps to going live with 2FA.
Read our Guide to Two-Factor Authentication Enrollment to get started.
Yes, admins can disable any authentication method for users or administrators. For example, since NIST has recommended deprecating SMS-based 2FA, some organizations may not want to allow end users to authenticate via SMS.
In the Policies section of the Duo Admin Panel, you can choose the authentication methods from the global, application, and group policy level. More information is available in our documentation.
For all application integrations, Duo uses HOTP (HMAC-based one-time password) to generate passcodes for authentication.
Duo Mobile allows users to generate event-based passcodes that are valid until they have been used. Duo also supports the use of most HOTP-compatible hardware tokens for two-factor authentication.
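The HOTP and TOTP passcodes described earlier (under possession factors and the TOTP method) and in this answer, as an added example that is not Duo's or Duo Mobile's code: generation per RFC 4226/6238, plus the server-side checks that give each scheme the lifetime the page describes (an HOTP code is consumed once used, a TOTP code is refused outside its time step or after it has been accepted). It assumes SHA-1, 6 digits, a 30-second step and the published RFC test-vector secret; the look-ahead window and clock-skew tolerance are illustrative choices.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) generation and single-use verification.

Example code, not Duo's implementation. The shared secret is the ASCII
string used in the RFC 4226 and RFC 6238 test vectors, so the expected
codes (e.g. 755224 for counter 0, 287082 at T=59) are publicly checkable.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC test-vector secret; a real token would be provisioned a random secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


class HotpVerifier:
    """Server-side HOTP state for one token: the next counter it expects.

    A code is accepted if it matches any of the next `look_ahead` counters
    (users sometimes generate codes they never submit). Accepting a code
    moves the counter past it, so a used code is never valid again.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead):
            # compare_digest: constant-time comparison of the two strings.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # consume this and any skipped codes
                return True
        return False


class TotpVerifier:
    """Server-side TOTP state for one token: the time step last accepted.

    `skew` steps either side of the current step are tolerated for clock
    drift, but a step at or before the last accepted one is refused, so a
    code read off a lock screen cannot be replayed inside its window.
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_step = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        current = int(time.time() if now is None else now) // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # already used, or older than a used code: expired
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    h = HotpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)  # RFC 4226 vector: 755224
    print("HOTP first use:", h.verify(first), "replay:", h.verify(first))
    t = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)  # RFC 6238 vector at T=59: 287082
    print("TOTP in window:", t.verify(code, 59), "replay:", t.verify(code, 59))
    print("TOTP two steps later:", t.verify(code, 59 + 60))
```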
Read more about 2FA basics.
Duo Mobile's restore functionality lets you back up Duo-protected accounts and third-party OTP accounts (such as Google or Facebook) for recovery to the same device or to a new device. You can use this backup functionality to recover your account.
Please reference our docs section for information regarding our minimum system requirements.
If you do not recognize the location shown in your 2FA push notification, do not approve it. If you do, the potentially malicious login attempt will succeed and whoever initiated it will have access to your account. If you suspect anything, deny the login attempt and speak with your organization’s system administrator.
Yes, you can set up 2FA on multiple devices. You can also use a landline or tablet, or ask your administrator for a hardware token. Duo lets you link multiple devices to your account, so you can use your mobile phone and a landline, a landline and a hardware token, two different mobile devices, etc.
Please reference the managing devices section of our guide.
This guide walks through some of the key areas of differentiation between two-factor authentication solutions and provides some concrete criteria for evaluating technologies and vendors.