Two-Factor Authentication (2FA)

DEFINITION of 'Two-Factor Authentication (2FA)'

A second layer of security, in addition to a password, that a user must provide before being granted access to an account or system. Two-factor authentication, also called 2FA, helps users make their online accounts safer by requiring them to provide two pieces of information, such as a password or PIN and something they have, such as an email account, ATM card or fingerprint, before they can log in. The first factor is the password; the second factor is the additional item.

BREAKING DOWN 'Two-Factor Authentication (2FA)'

Two-factor authentication (2FA) is supposed to prevent unauthorized users from gaining access to an account with nothing more than a stolen password. Users may be at greater risk of compromised passwords than they realize, especially if they use the same password on more than one website. Downloading software and clicking on links in emails can also expose one to password theft.

Despite the slight inconvenience of a longer login, which many users dislike and complain about to their service providers, security experts recommend enabling 2FA wherever possible: email accounts, password managers, social media applications, cloud storage services, financial services, blogging platforms and more. Apple account holders, for example, can use 2FA to ensure that accounts can only be accessed from trusted devices. If a user tries to log in to her iCloud account from a different computer, she will need not just her password, but also a multi-digit code that Apple will send to one of her devices, such as her iPhone.

We usually think of online services when we think of 2FA, but 2FA is also at work when you have to enter your ZIP code before you can use your credit card at a gas pump, and when you have to enter an authentication code from an RSA SecurID key fob to log in to your employer’s system from your laptop while working remotely.

While two-factor authentication does improve security, it is not foolproof. Hackers who acquire the authentication factors can still gain unauthorized access to accounts. Common ways to do so include phishing attacks, account recovery procedures and malware. Hackers can also intercept text messages used in 2FA. Critics argue that text messages are not a true form of 2FA, since they are not something the user already has but rather something the user has to be sent, and the sending process is vulnerable. Instead, they argue that this process should be called two-step verification, and some companies, such as Google, do use this term. Still, even two-step verification is more secure than password protection alone. Even stronger is multi-factor authentication, which requires more than two factors before account access will be granted.
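
As an added illustration (not part of the original article), the sketch below shows a login check that demands both factors, with the second factor computed on the user's device from a shared secret and the clock instead of being sent by text message. It uses the open RFC 6238 TOTP algorithm as a stand-in for a key-fob code (it is not SecurID's own algorithm); the `Account` class, its parameters and the sample values are assumptions.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """One-time code per RFC 6238 (HMAC-SHA1 with RFC 4226 truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative; tune it for your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical server-side record holding both factors for one user."""

    def __init__(self, password: str, salt: bytes, token_secret: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.token_secret = token_secret
        self.last_step = -1  # newest time step already used (replay guard)

    def login(self, password: str, code: str, now: int,
              step: int = 30, window: int = 1) -> bool:
        """Grant access only if the password AND a fresh code both check out."""
        pw_ok = hmac.compare_digest(
            hash_password(password, self.salt), self.pw_hash)
        matched = None
        for drift in range(-window, window + 1):  # tolerate small clock skew
            t = now + drift * step
            if t < 0:
                continue
            expected = totp(self.token_secret, t, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = t // step
        if not pw_ok or matched is None or matched <= self.last_step:
            return False  # a failed attempt never consumes the code
        self.last_step = matched
        return True


# Constructed sample values (the secret is the RFC 6238 test key).
SECRET = b"12345678901234567890"
alice = Account("correct horse", b"constructed-salt", SECRET)
```

A stolen password fails without the current code, and a code that has already been accepted is rejected if it is replayed inside its validity window.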