What is Two-Factor Authentication and How Does It Work?

Gone are the days when passwords alone were sufficient to safeguard your online accounts. Protecting your online account means securing your identity, so you should make sure that identity is safe from theft. It is bad enough when you forget your password. Worst case, you wake up one day to find that someone has pretended to be you, using your credentials to commit fraud. To avoid this kind of nightmare, a better and stronger authentication method is needed: enter Two-Factor Authentication.

How Does It Work?

To understand how two-factor authentication works, it helps to define some of the crucial terms before we get into the details:

  • In a nutshell, authentication is a means by which to validate a user’s identity online. 
  • Factors, on the other hand, are the elements that influence authentication. These components fall into three groups, namely:
    • Knowledge: Something you know, like a password, PIN, or security question answers
    • Possession: Something you have, like a mobile phone with OTP (one-time password) apps
    • Inherence: Something you are, like fingerprint scans, voice recognition, or facial recognition

Two-Factor Authentication (commonly known as 2FA) adds an extra layer of security to your account login by requiring a combination of two distinct factors from any of the three categories mentioned above. Usually, it is a combination of something you know and something you have. A simple example is withdrawing money from an ATM: you insert your bank card (what you have) into the ATM, then enter your PIN code (what you know).

Note, however, that using two knowledge factors like a password and a PIN is not considered two-factor authentication. Instead, it is two-step authentication because both factors used fall under the knowledge factor category.

Let’s break down the 2FA process in this example:

  1. Initiate login to a website. It prompts you to enter your credentials.
  2. Provide your username and password (what you know), which is the first factor in 2FA.
  3. After filling in your username and password, the website’s server finds and validates your identity.
  4. It then proceeds to the second authentication factor, like something you have, such as your mobile phone.
  5. You can either approve the push notifications sent to your phone or enter the generated time-based one-time passcode from your phone to complete the two-factor authentication process.
  6. Once you finish both authentication steps, you can access your account.
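The server side of steps 2 through 6 can be sketched as follows. This is an added example, not code from the original article: the names `TwoFactorLogin`, `totp` and `hash_password` are hypothetical, the time-based code follows RFC 6238 with HMAC-SHA1, and the sample account uses constructed values with the RFC 6238 test key as its shared secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app shows at Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative; tune it for production hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoFactorLogin:
    """Hypothetical in-memory server showing steps 2-6 of the login flow."""

    def __init__(self):
        self.users = {}

    def enroll(self, name: str, password: str, salt: bytes, secret: bytes) -> None:
        self.users[name] = {"salt": salt, "pw": hash_password(password, salt),
                            "secret": secret, "last_step": -1}

    def login(self, name: str, password: str, code: str, now: int) -> str:
        user = self.users.get(name)
        # First factor (knowledge): constant-time compare of the password hash.
        if user is None or not hmac.compare_digest(
                user["pw"], hash_password(password, user["salt"])):
            return "bad-credentials"
        # Second factor (possession): accept the current step +/- 1 for clock drift.
        current = now // STEP
        for step_no in (current - 1, current, current + 1):
            if step_no <= user["last_step"]:
                continue  # code from a step already used: reject replays
            expected = totp(user["secret"], step_no * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                user["last_step"] = step_no
                return "ok"
        return "bad-code"

if __name__ == "__main__":
    # Constructed sample data; the secret is the RFC 6238 test key.
    server = TwoFactorLogin()
    server.enroll("alice", "correct horse", b"constructed-salt", b"12345678901234567890")
    print(server.login("alice", "correct horse", totp(b"12345678901234567890", 59), 59))
```

The second factor is checked only after the password succeeds, and a code that has already been accepted is refused even while its 30-second window is still open.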

Methods of Two-Factor Authentication

These are a few commonly supported approaches for adding 2FA to your accounts, based on security and convenience considerations.

  • SMS Text Messages

    Most services allow you to use ordinary text messages when setting up 2FA. When prompted during login, simply enter the confirmation code you received on your mobile device.

  • Authentication Apps

    Some services allow you to receive your temporary login code from a mobile app, such as Authy, Duo Mobile, Google Authenticator, etc. Compared to SMS, using authenticator apps is a much more secure option because it does not require internet access or mobile phone service to work. Just ensure you are entering authenticator codes on legitimate websites.

  • Security Keys

    A security key is a USB device you can use to authenticate into your account. Instead of entering a code when prompted to provide your 2FA credentials during login, you insert your security key and then tap it. It is also immune to phishing: malicious sites are incapable of intercepting information from security keys, making them a better option than authenticator apps. However, it’s not as widely available because only a few services and widely used browsers support it.

Today, online banking, social media, and e-commerce websites employ 2FA to restrict access to the more sensitive areas of your account, where personal data are stored. Likewise, it enables the workforce to perform tasks remotely with far fewer security concerns, particularly during this pandemic.

In Summary …

Passwords are not going away anytime soon, so securing your online accounts and identity has never been so important. Using a Password Manager that not only supports two-factor authentication but also provides enhanced security features (such as keystroke encryption that protects everything you type from being read by cybercriminals, and a secure browser that keeps you safe when doing online transactions) goes a long way in preventing unauthorized access to your account and evading identity theft.