Two-factor authentication strengthens your login security by requiring two methods, or factors, to verify your identity.
The factors may include:
a unique username and password
a smartphone app to approve authentication requests
your fingerprint or a retina scan
With two different methods, you can protect logins from remote attackers exploiting stolen or weak credentials.
Two-factor authentication is one of the best ways to protect against remote attacks such as phishing, credential exploitation and other attempts to take over your accounts.
Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc.
Login credentials are more valuable than ever, as companies adopt more remote workers and web-based applications.
By integrating two-factor authentication with these applications, attackers are unable to access your accounts without possessing your physical device needed to complete the second factor.
Over 95% of attacks involve harvesting credentials from customer devices, then logging into web applications with them. — Source “Verizon 2015 Data Breach Investigations Report”
Depending on your solution, you may have several two-factor authentication methods available to you - two factor is so much more than just passcodes! Each has its own advantages, disadvantages and particular use in different scenarios.
With a two-factor authentication mobile app, you can receive push notifications on your smartphone or wearable for every authentication request.
The notification may include information about the request, including location, IP address and application, giving users the data they need to approve or deny the authentication request.
With a hardware token, you can press a button on a small device programmed to generate a new passcode that you can type into your two-factor prompt.
However, tokens can get out of sync if the button is pressed too many times consecutively and the passcodes aren’t used for login. Plus, users have to carry around an extra device to authenticate.
Receive passcodes on your phone by text message, and authenticate by typing them into your secondary login prompt.
This method calls your phone and waits for you to pick up and press any key to authenticate before granting you access to your account.
Similar to SMS, a two-factor authentication app can generate new, unique passcodes for you to type into the two-factor prompt.
This refers to conducting two-factor authentication over a different, separated network or channel than the primary network or channel.
So, let’s say you use a username and password to complete the primary authentication - that’s sent over the Internet (primary network).
You’ll want to use a different channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.
Why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication - if delivered over the same channel.
Hash-based one-time passwords (HOTP), or HMAC (hashed message authentication code) one-time passwords, refer to the algorithm that generates unique, event-based one-time passcodes to complete two-factor authentication. HOTP was established as a standard in 2005.
Time-based one-time passwords, or TOTP, are based on HOTP but add a time-based element, so the token and the server must share a synchronized clock source in order to work properly. TOTP generates a temporary, unique passcode that only works for a certain amount of time, typically 30-60 seconds. After the time is up, the passcode will no longer work. TOTP was established as a standard in 2011.
A user can generate and receive a passcode by using a hardware token, mobile app or via text message (SMS). After receiving the passcode, a user must type it in manually to authenticate for access. Some hardware devices, such as a YubiKey USB device, can generate and enter the passcode automatically for the user.
Universal 2nd Factor (U2F) is an authentication standard based on public key cryptography for stronger authentication. It involves two components: an authenticator (a USB hardware device) and a server. A user can authenticate by simply tapping the device inserted into their computer’s USB port.
U2F was created by the FIDO (Fast IDentity Online) Alliance, a nonprofit organized to address the lack of interoperability among strong authentication devices. Learn more about U2F specifications.
Discover key areas of difference between two-factor authentication solutions and gain insight on concrete criteria for evaluating technologies and vendors with Duo Security’s free two-factor evaluation guide.