
What is Two-Factor Authentication?

A second layer of security to any type of login, requiring extra information or a physical device to log in, in addition to your password.

What is two-factor authentication?

Two-factor authentication provides a second layer of security to any type of login, requiring extra information or a physical device to log in, in addition to your password.

The factors may include:

Something you know

a unique username and password

Something you have

a smartphone with an app to approve authentication requests

Something you are

biometrics - like your fingerprint or a retina scan

By requiring two different factors, you can protect user logins from remote attacks that rely on stolen credentials: a password alone is no longer enough to get in.

For example, your first factor may be your password, while your second factor is sent via a push notification generated by an authentication mobile app on your smartphone that you must approve.


Why two-factor authentication?

Two-factor authentication is one of the best ways to protect against remote attacks such as phishing, credential exploitation and other attempts to takeover your accounts.

Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc.

Login credentials are more valuable than ever, as companies adopt more remote workers and web-based applications.

By integrating two-factor authentication with these remote access applications, attackers are unable to access your accounts without possessing your physical device needed to complete the second factor.

Over 95% of attacks involve harvesting credentials from customer devices, then logging into web applications with them. — Source “Verizon 2015 Data Breach Investigations Report”

How it works: two-factor methods

Depending on your solution, you may have several authentication methods available to you - two-factor is much more than just passcodes. Each has its own advantages, disadvantages and particular use in different scenarios.

Hardware Tokens

With a hardware token, you can press a button on a small device programmed to generate a new passcode that you can type into your two-factor prompt.

However, tokens can get out of sync if the button is pressed too many times consecutively and the passcodes aren’t used for login. Plus, users have to carry around an extra device to authenticate.

SMS Passcodes

With SMS passcodes, a new, unique passcode is sent to your phone as a text message for each login, and you type it into the two-factor prompt. This works on any phone that can receive texts, but the passcode is only as secure as the delivery of that text message to your phone number.

Push Notifications

With a two-factor authentication mobile app, you can receive push notifications on your smartphone for every authentication request.

The notification may include information about the request, including location, IP address and application, giving users the data they need to approve or deny the authentication request.

Phone Callbacks

This method calls your phone and waits for you to pick up and press any key to authenticate before granting you access to your account.

Mobile Passcodes

Similar to SMS, a two-factor authentication app can generate new, unique passcodes for you to type into the two-factor prompt.

Wearable

With a two-factor authentication mobile app paired to a smartwatch, the same push notification sent to your smartphone can be shown on, and approved from, your wrist.

The notification may include information about the request, including location, IP address and application, so you can approve or deny it without taking out your phone.

What is Out-of-Band Authentication (OOBA)?

And Why Does it Matter?

This refers to conducting two-factor authentication over a different, separated network or channel than the primary network or channel.

So, let’s say you use a username and password to complete the primary authentication - that’s sent over the Internet (primary network).

You’ll want to use a different channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.

Why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication - if delivered over the same channel.


Two-Factor Authentication Technology

The Initiative for Open Authentication (OATH) identifies standards for two-factor authentication. OATH introduced HOTP as the first open and freely available algorithm to generate event-based one-time passwords.

HOTP
Established as a standard in 2005 (RFC 4226).

Hash-based one-time passwords (HOTP), or HMAC (hash-based message authentication code) one-time passwords, refers to the algorithm that generates unique, event-based one-time passcodes to complete two-factor authentication. Each passcode is derived from a shared secret and a counter that advances by one every time a code is generated, which is why a token whose counter runs ahead of the server's must be resynchronized.

TOTP
Established as a standard in 2011 (RFC 6238).

Time-based one-time passwords, or TOTP, is based on HOTP, but replaces the event counter with a time-based one, so both sides must have a synchronized clock source in order for it to work properly. TOTP involves generating a temporary, unique passcode that only works for a certain amount of time, typically a 30-60 second time step. After the time step is over, the passcode will no longer work.

A user can generate or receive a passcode by using a hardware token, a mobile app or a text message (SMS). After receiving the passcode, the user must type it in manually to authenticate. Some USB hardware devices, such as a YubiKey, can generate the passcode and type it in automatically for the user.

U2F
Universal 2nd Factor (U2F) is an authentication standard based on public key cryptography for stronger authentication. It involves two components: an authenticator (a USB hardware device) and a server that issues a challenge for the device to sign. A user can authenticate by simply tapping the device inserted into their computer's USB port.

U2F was created by the FIDO (Fast IDentity Online) Alliance, a nonprofit organized to address the lack of interoperability among strong authentication devices.

Evaluation Guide Book

Get the ultimate guide to assessing and comparing two-factor authentication solutions.

Discover key areas of difference between two-factor authentication solutions and gain insight on concrete criteria for evaluating technologies and vendors with Duo Security’s free two-factor evaluation guide.
