Why Two-Factor Authentication (2FA)? | Duo Security

What is two-factor authentication?

Two-factor authentication provides a second layer of security to any type of login, requiring extra information or a physical device to log in, in addition to your password.

The factors may include:

  • Something you know

    a unique username and password

  • Something you have

    a smartphone with an app to approve authentication requests

  • Something you are

    biometrics - like your fingerprint or a retina scan

By choosing two different channels of authentication, you can protect user logins from remote attacks that may exploit stolen credentials.

For example, your first factor may be your password, while your second factor is sent via a push notification generated by an authentication mobile app on your smartphone that you must approve.

Why two-factor authentication?

Two-factor authentication is one of the best ways to protect against remote attacks such as phishing, credential exploitation and other attempts to take over your accounts.

Without your physical device, remote attackers can’t pretend to be you in order to gain unauthorized access to corporate networks, cloud storage, financial information, etc.

  • Verizon’s Data Breach Investigations Report (DBIR) found that 95 percent of breaches involve the exploitation of stolen credentials. Many recent high-profile breaches can be traced back to stolen passwords, either from third-party vendors or from corporate employees.

Login credentials are more valuable than ever, as companies adopt more remote workers and web-based applications.

When two-factor authentication is integrated with these remote access applications, attackers cannot access your accounts without also possessing the physical device needed to complete the second factor.

Hardware Tokens

With a hardware token, you can press a button on a small device programmed to generate a new passcode that you can type into your two-factor prompt.

However, tokens can get out of sync if the button is pressed too many times consecutively and the passcodes aren’t used for login. Plus, users have to carry around an extra device to authenticate.


Phone Callbacks

This method calls your phone and waits for you to pick up and press any key to authenticate before granting you access to your account.

SMS Passcodes

With a batch of passcodes sent via SMS, you can type them into the prompt to authenticate.

Mobile Passcodes

Similar to SMS, a two-factor authentication app can generate new, unique passcodes for you to type into the two-factor prompt.

Push Notifications

With a two-factor authentication mobile app, you can receive push notifications on your smartphone for every authentication request.

The notification may include information about the request, including location, IP address and application, giving users the data they need to approve or deny the authentication request.


Wearable

Passcodes, push notifications or SMS messages can also be delivered to a wearable device, so you can approve or type in your second factor from your wrist.

How it works: two-factor methods

Depending on your solution, you may have several authentication methods available to you - two factor is so much more than just passcodes! Each has its own advantages, disadvantages and particular use in different scenarios.

  • Hardware Tokens

    Touching a physical device

  • Phone Callbacks

    A phone call and a button press

  • SMS Passcodes

    Passcode via text message

  • Mobile Passcodes

    Passcode via two-factor app

  • Push Notifications

    A push to your mobile device

  • Wearable

    Passcode/Push/SMS via wearable device

What is Out-of-Band Authentication (OOBA)? And Why Does it Matter?

Out-of-band authentication means completing the second factor over a different, separate network or channel from the one used for primary authentication.

So, let’s say you use a username and password to complete the primary authentication - that’s sent over the Internet (primary network).

You’ll want to use a different channel to complete your second factor. Approving a push notification sent over your mobile network is an example of out-of-band authentication.

Why does it matter? If a remote attacker is able to tap into your computer via your Internet connection, they can steal your password - and your second form of authentication as well, if it is delivered over that same channel.

Two-Factor Authentication Technology

The Initiative for Open Authentication (OATH) identifies standards for two-factor authentication. OATH introduced HOTP as the first open and freely available algorithm to generate event-based one-time passwords.

HOTP

Established as a standard in 2005.

Hash-based one-time passwords (HOTP), also called HMAC (hash-based message authentication code) one-time passwords, is the algorithm that generates unique, event-based one-time passcodes to complete two-factor authentication: each press of a token's button advances a counter, and the passcode is derived from an HMAC of that counter under a secret shared with the server.

TOTP

Established as a standard in 2011.

Time-based one-time passwords (TOTP) are based on HOTP, but add a time-based element and require a synchronized clock source in order to work properly. TOTP generates a temporary, unique passcode that only works for a certain amount of time, typically 30-60 seconds. After the time is up, the passcode will no longer work.

A user can generate or receive a passcode by using a hardware token, a mobile app or a text message (SMS). After receiving the passcode, the user must type it in manually to authenticate. Some hardware devices, such as a YubiKey plugged into a USB port, can generate and enter the passcode automatically for the user.
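The HOTP and TOTP descriptions above can be made concrete with a small implementation. The following is an added example written for this page, not Duo's code; it implements the RFC 4226 HOTP computation (HMAC over a big-endian counter, dynamic truncation, modulo 10^digits) and the RFC 6238 TOTP layer on top of it, then shows the two server-side checks the text alludes to: a look-ahead window that resynchronizes a hardware token whose counter ran ahead, and a small clock-skew tolerance for TOTP. The secret is the published RFC test key, and the window and skew sizes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)            # counter as an 8-byte big-endian integer
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation: low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with the counter replaced by floor((T - T0) / step)."""
    return hotp(secret, (for_time - t0) // step, digits, algo)


def _looks_like_code(code: str, digits: int) -> bool:
    # Only ASCII digit strings of the right length are compared; anything else is rejected early.
    return len(code) == digits and code.isascii() and code.isdigit()


class HotpVerifier:
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4).

    The window lets a token whose button was pressed a few extra times resynchronize;
    a counter at or below the last accepted one is never accepted again (no replay).
    """

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window          # assumption: accept up to 5 skipped codes
        self.digits = digits
        self.counter = 0              # next counter value the server expects

    def verify(self, code: str) -> bool:
        if not _looks_like_code(code, self.digits):
            return False
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.counter = c + 1                  # resync past the matched counter
                return True
        return False


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current time step plus/minus `skew` steps to tolerate clock drift.

    A production server would additionally remember the last accepted step per user
    so the same code cannot be replayed inside the acceptance window.
    """
    if not _looks_like_code(code, digits):
        return False
    t = now // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(t - skew, t + skew + 1))


if __name__ == "__main__":
    # Reproduce the first RFC 4226 test vectors, then show a resync and a replay rejection.
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_TEST_SECRET, c)}")
    v = HotpVerifier(RFC_TEST_SECRET)
    print("first use of counter 0:", v.verify(hotp(RFC_TEST_SECRET, 0)))
    print("replay of counter 0:   ", v.verify(hotp(RFC_TEST_SECRET, 0)))
    print("jump to counter 5:     ", v.verify(hotp(RFC_TEST_SECRET, 5)))
    print("current TOTP:", totp(RFC_TEST_SECRET, int(time.time())))
```

Running the module prints the well-known HOTP values 755224, 287082 and 359152 for counters 0 to 2, shows that a code is accepted once and refused on replay, and that a token five presses ahead is still accepted because it falls inside the look-ahead window. The TOTP check accepts a neighbouring time step on either side, which is the usual compromise between tolerating drift between the token's clock and the server's and keeping the window in which an intercepted code remains usable short.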

U2F

Universal 2nd Factor (U2F) is an authentication standard based on public key cryptography for stronger authentication. It involves two components: an authenticator (a USB hardware device) and a server. A user can authenticate by simply tapping the device inserted into their computer's USB port.

U2F was created by the FIDO (Fast IDentity Online) Alliance, a nonprofit organized to address the lack of interoperability among strong authentication devices.

Get the ultimate guide to assessing and comparing two-factor authentication solutions.

Discover key areas of difference between two-factor authentication solutions and gain insight on concrete criteria for evaluating technologies and vendors with Duo Security’s free two-factor evaluation guide.
