You’ve likely heard a thing—or two (ba dum tss!)—about two-factor authentication, or 2FA. After all, it’s become a bit of a hot topic recently as the nature and number of security breaches has evolved.
Compromised user data regularly surfaces on the dark web, giving malicious actors access to your password(s) for a couple bucks. That’s why passwords just don’t cut it as your only security effort anymore—and that’s where 2FA comes in.
What is 2FA and why is it important?
Simply put, 2FA requires a user to identify themselves in two ways—or using two different methods—before allowing them to access an account or a specific resource.
Adding a second factor makes it far more difficult for anyone who only has a password to actually access your account. Typically, the second factor is something that’s a challenge to reproduce and compromise, and it’s not usually part of the data that’s been breached.
What are the different “factors” in 2FA?
The most common 2FA factors can be categorized in three easy-to-remember ways:
- Something you know. This is the one we’re most familiar with. It’s a password, a PIN, your mother’s maiden name, the name of your first pet. The possibilities for this category are pretty much endless.
- Something you have. We also see this one a lot. This factor can be something physical, like a USB security key with cryptographic keys stored on it, or it can be something digital, like a time-based one-time password or code—think Google Authenticator.
- Something you are. We’re starting to see this factor more and more, especially with the rise of biometrics. It’s what makes you unique, and it’s something you definitely shouldn’t share with someone else—it’s a fingerprint, your voice, or even your face.
It’s important to note that in order for a combination of factors to qualify as true 2FA, the factors have to come from two separate categories. When thinking about 2FA, the combo of a password and a security question likely comes to mind. But it isn’t actually 2FA, since there’s only one “factor,” and it’s something you know.
It’s not just a computer thing either. Think about your credit card. It’s something you have (the card itself), and it’s something you know (now, your PIN… previously, your signature).
Or think about your entry card into the office. I have an RFID tag that allows me into my office, and in some environments the RFID tag is not enough—you still have to enter a PIN into a keypad to gain entry as a second factor.
What are the different types of 2FA?
So what does qualify as 2FA? If your 2FA process combines what you know and have, know and are, or have and are, it likely counts. Let’s take a look at some common combos:
- A password and token. This is the 2FA type we’re most used to. In the past, we saw hard tokens such as RSA’s SecurID, but now we typically see a “soft” token such as a TOTP (time-based one-time password) six-digit code on a phone.
- A password and mobile push. Under this type of 2FA, an event is “pushed” to a mobile phone (or a smartwatch) after a user enters a password. This allows the user to simply acknowledge that they have their phone, verify it’s them, and saves them from having to type in any codes. We have phones on us 24/7, so why not use them?
- A password and biometric. My MacBook allows me to use my fingerprint to log in instead of a password. This isn’t 2FA. But, if I needed both my password and the fingerprint, I’d have 2FA with “something I know” and “something I am.”
- A biometric and connected token. You may have noticed a theme throughout this list, but sometimes 2FA doesn’t even require a password. We’re most familiar with the “something you know,” but you could easily build two-factor authentication with “something you have” like a USB key and “something you are” like a fingerprint.
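The TOTP soft token mentioned above is the RFC 6238 scheme behind Google Authenticator-style codes. The following is an added example, not code from the original post, showing how a server generates and verifies such a code in Python: the shared secret bytes, timestamps and the one-step drift window are constructed values for illustration.

```python
import hashlib
import hmac
import struct
import time


def totp_code(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the default used by most authenticator apps).

    key: the shared secret bytes (what the base32 string in the QR code decodes to).
    """
    counter = timestamp // step  # time is bucketed into 30-second steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226 (HOTP)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(key: bytes, submitted: str, timestamp=None, step: int = 30,
                window: int = 1, last_counter: int = -1):
    """Return the time-step counter that matched, or None if the code is rejected.

    window: how many steps of clock drift to tolerate on either side of "now".
    last_counter: the most recent counter already accepted for this user; codes
    at or before it are refused so a code captured once cannot be replayed.
    """
    if timestamp is None:
        timestamp = int(time.time())
    current = timestamp // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue  # already consumed (or older): treat as a replay attempt
        expected = totp_code(key, counter * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return counter
    return None


if __name__ == "__main__":
    # Constructed secret; the RFC 6238 test secret is the ASCII digits 1..0 twice.
    secret = b"12345678901234567890"
    print(totp_code(secret, int(time.time())))
```

The server must persist the returned counter per user and pass it back as `last_counter` on the next attempt; otherwise the replay check is only a no-op.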
If your 2FA process uses two separate factors, it only needs to check one more box to be considered “good”: It needs to be simple! You don’t want to inconvenience users with a complicated authentication process or disrupt the user experience. It has to be easy if you want adoption.
How can I set up 2FA?
Luckily you don’t have to reinvent the wheel to set 2FA up for most of your clients or their employees. Most applications you use will support 2FA out of the box—business productivity platforms like Office 365 and G Suite include multiple 2FA options, as do most other cloud applications. If you have legacy on-premises applications, they may be less likely to support 2FA, but there are still lots that do—just check your vendor documentation.