Two-factor authentication

Edit · View history

Two-factor authentication (often abbreviated as 2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two distinct types of evidence (or factors) to an authentication mechanism. The three classic categories of factors are: something the user knows (knowledge factor, e.g., a password), something the user has (possession factor, e.g., a security token or smartphone), and something the user is (inherence factor, e.g., a biometrics scan). Two-factor authentication adds an extra layer of security beyond a simple password, making it harder for unauthorised parties to access accounts even if the password is compromised.

History

The concept of multi-factor authentication predates the digital era, with dual verification used in physical bank vaults (e.g., a key and a combination). In the late 1990s and early 2000s, hardware security tokens such as the RSA SecurID became widespread for corporate remote access. The rise of online banking and e-commerce in the 2000s led to the adoption of one-time passwords sent via SMS as a second factor. Google introduced its own two-factor authentication system for consumer accounts in 2011. In the 2010s, the FIDO Alliance and WebAuthn standard promoted passwordless and two-factor methods based on public-key cryptography.

Methods

Common two-factor authentication methods include:

Security Considerations

Two-factor authentication significantly reduces the risk of account takeover via phishing, credential stuffing, and brute-force attacks. However, not all methods are equally secure. SMS-based codes are vulnerable to SIM swapping and interception. TOTP codes shared via authenticator apps are more resilient as long as the device is not compromised. Hardware security keys offer the highest level of resistance to phishing because they rely on cryptographic challenge-response and cannot be intercepted or duplicated easily.

Some implementations allow users to designate “trusted devices” to bypass 2FA, which can be a weakness if the device is later compromised. Backup codes or recovery methods should be stored securely. As of the 2020s, many online services encourage or mandate two-factor authentication, particularly for email accounts, social media, and financial platforms.

See also