Skip navigation

What is Two-Factor Authentication?

A second layer of security to your login, in addition to your password.


What is two-factor authentication?

Two-factor authentication strengthens your login security by requiring two methods, or factors, to verify your identity.

The factors may include:

Something you know

a unique username and password

Something you have

a smartphone app to approve authentication requests

Something you are

your fingerprint or a retina scan

With two different methods, you can protect logins from remote attackers exploiting stolen or weak credentials.

iphone and iwatch showing duo push authentication

Why two-factor authentication?

Two-factor authentication is one of the best ways to protect against remote attacks such as phishing, credential exploitation and other attempts to takeover your accounts.

Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc.

Login credentials are more valuable than ever, as companies adopt more remote workers and web-based applications.

By integrating two-factor authentication with these applications, attackers are unable to access your accounts without possessing your physical device needed to complete the second factor.

Over 95% of attacks involve harvesting credentials from customer devices, then logging into web applications with them. -- Source "Verizon 2015 Data Breach Investigations Report"

How it works: two-factor authentication methods

Depending on your solution, you may have several two-factor authentication methods available to you - two factor is so much more than just passcodes! Each has their own advantages, disadvantages and particular use in different scenarios.

Push Notifications

With a two-factor authentication mobile app, you can receive push notifications on your smartphone or wearable for every authentication request.

The notification may include information about the request, including location, IP address and application, giving users the data they need to approve or deny the authentication request.

Hardware Tokens

With a hardware token, you can press a button on a small device programmed to generate a new passcode that you can type into your two-factor prompt.

However, tokens can get out of sync if the button is pressed too many times consecutively and the passcodes aren’t used for login. Plus, users have to carry around an extra device to authenticate.

SMS Passcodes

Similar to SMS, a two-factor authentication app can generate new, unique passcodes for you to type into the two-factor prompt.

Phone Callbacks

This method calls your phone and waits for you to pick up and press any key to authenticate before granting you access to your account.

Mobile Passcodes

Similar to SMS, a two-factor authentication app can generate new, unique passcodes for you to type into the two-factor prompt.

What is Out-of-Band Authentication (OOBA)?

And Why Does it Matter?

This refers to conducting two-factor authentication over a different, separated network or channel than the primary network or channel.

So, let’s say you use a username and password to complete the primary authentication - that’s sent over the Internet (primary network).

You’ll want to use a different channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.

Why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password, and your second form of authentication - if delivered over the same channel.

Phone entry blocked for thief by two-factor authentication

Two-Factor Authentication Technology

The Initiative for Open Authentication (OATH) identifies standards for two-factor authentication. OATH introduced HOTP as the first open and freely available algorithm to generate event-based one-time passwords.

HOTP Established as a standard in 2005.

Hash-based one-time passwords (HOTP), or HMAC (hashed message authentication code) one-time passwords refers to the algorithm that generates unique, event-based one-time passcodes to complete two-factor authentication. HOTP was established as a standard in 2005.

TOTP Established as a standard in 2011.

Time-based one-time passwords, or TOTP is based off of HOTP, but adds a time-based element and must have a synchronized clock source in order to work properly. TOTP involves generating a temporary, unique passcode that only works for a certain amount of time, typically 30-60 seconds. After the time is up, the passcode will no longer work.

A user can generate and receive a passcode by using a hardware token, mobile app or via text message (SMS). After receiving the passcode, a user must type it in manually to authenticate for access. Some hardware devices, like a USB device, can generate and enter the password automatically for a user, such as a Yubikey.

U2F Universal 2nd Factor (U2F) is an authentication standard based on public key cryptography for stronger authentication. It involves two components: an authenticator (a USB hardware device) and a server. A user can authenticate by simply tapping the device inserted into their computer’s USB drive.

U2F was created by the FIDO (Fast IDentity Online) Alliance, a nonprofit organized to address the lack of interoperability among strong authentication devices. Learn more about U2F specifications.

Evaluation Guide Book

Get the ultimate guide to assessing and comparing two-factor authentication solutions.

Discover key areas of difference between two-factor authentication solutions and gain insight on concrete criteria for evaluating technologies and vendors with Duo Security’s free two-factor evaluation guide.

Get the Guide