Two-factor authentication
Two-factor authentication (often abbreviated as 2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two distinct types of evidence (or factors) to an authentication mechanism. The three classic categories of factors are: something the user knows (knowledge factor, e.g., a password), something the user has (possession factor, e.g., a security token or smartphone), and something the user is (inherence factor, e.g., a biometrics scan). Two-factor authentication adds an extra layer of security beyond a simple password, making it harder for unauthorised parties to access accounts even if the password is compromised.
History
The concept of multi-factor authentication predates the digital era, with dual verification used in physical bank vaults (e.g., a key and a combination). In the late 1990s and early 2000s, hardware security tokens such as the RSA SecurID became widespread for corporate remote access. The rise of online banking and e-commerce in the 2000s led to the adoption of one-time passwords sent via SMS as a second factor. Google introduced its own two-factor authentication system for consumer accounts in 2011. In the 2010s, the FIDO Alliance and WebAuthn standard promoted passwordless and two-factor methods based on public-key cryptography.
Methods
Common two-factor authentication methods include:
- Time-based one-time password (TOTP) generated by an authenticator app (e.g., Google Authenticator, Authy) and entered manually
- SMS or voice call delivering a one-time code (SMS-based 2FA)
- Push notifications that require approval on a trusted mobile device
- Hardware security keys (e.g., YubiKey) that use Universal 2nd Factor (U2F) or FIDO2 protocols
- Biometric verification (fingerprint, facial recognition, iris scan) as a second factor alongside a password
- Physical one-time password tokens, such as RSA SecurID
Security Considerations
Two-factor authentication significantly reduces the risk of account takeover via phishing, credential stuffing, and brute-force attacks. However, not all methods are equally secure. SMS-based codes are vulnerable to SIM swapping and interception. TOTP codes shared via authenticator apps are more resilient as long as the device is not compromised. Hardware security keys offer the highest level of resistance to phishing because they rely on cryptographic challenge-response and cannot be intercepted or duplicated easily.
Some implementations allow users to designate “trusted devices” to bypass 2FA, which can be a weakness if the device is later compromised. Backup codes or recovery methods should be stored securely. As of the 2020s, many online services encourage or mandate two-factor authentication, particularly for email accounts, social media, and financial platforms.