What is Two Factor Authentication (2FA)?

By Michael Spalter
June 2020

About the author

Michael Spalter

Michael Spalter

Michael Spalter has been a networking technician for over 30 years and has been the CEO of DrayTek in the UK since the company’s formation in 1997. He has written and lectured extensively on networking topics. If you’ve an idea for a blog or a topic you’d like explored, please get in touch with us.

What is 2FA and Why use it?

When you log onto a web site, server or service, you'll commonly use a username and a password.  The username may be your email address or otherwise easy to guess and is not 'secret' but the password should be complex and not possible to guess - the password is your secret factor.  A password may be compromised in many different ways; the most common being:

  • You share the password with other people deliberately
  • It's written down and it's found
  • Someone watches you type your password
  • Inadequate password ciphers at the host
  • You use the same password for more than one service
  • You use a weak password which can be guessed

The purpose of Two Factor Authentication is to introduce a second 'factor' (another secret) in addition to the password to verify your identity. Importantly, the second factor is of a different type to the first - it's not just another password.  Your password is something you know. The second factor will normally be 'something you have' - for example a device which can generate a one-time code.  Only if you know your password AND have access to the device can you get access to the service.   

Using 2FA means that even if your password is compromised or guessed, someone still can't access your service or device.

Many public online services such as shopping sites, webmail providers and web hosting companies now allow optional two factor authentication. All banks have mandatory 2FA.

The use of a CAPTCHA system is not a method of 2FA: Whilst it requires the entry of a second piece of information, it is provided by the first, and doesn't use a different source. CAPTCHA is specifically only intended to block bots (automated systems).

Using 2FA

Most people now carry a smart phone so those phones are now the most common device to use for 2FA.  There are various systems in use, but common methods (apps) are MOTP, TOTP and Google Authenticator.  Banks, for a long time, have used their own proprietary chip-and-PIN keypads though many banks now use their own apps as an authenticator.

Alternatively, 2FA may send a one-time temporary code to you by email or SMS (text message). Whichever systems you use, they mostly provide you with a temporary code which you enter into the service you're accessing.  2FA tokens expire after a couple of minutes typically so that they cannot be reused or misused.

Note, in this article, we're referring to the most common types of 2FA that you might come across, so are generalising somewhat.

Enforced temporary 2FA

Even if you don't normally use 2FA for a service, the operators may temporarily force you to identify yourself via a second method, such as email or text message to an email address or phone number they already have.

This is a type of 2FA, but is temporary, typically triggered by the service operator's algorithms detecting unusual access - for example from a new computer, unusual geographic location etc.

Banks will commonly apply occasional 2FA when adding new payees or making unusual payments.

Using 2FA for your own services & devices

If you are running a public service, you may want to consider adopting 2FA either as an optional additional security measure for your users or, depending on the risk, sensitivity or potential for loss, mandate its use (as banks do).

You can also apply 2FA to your own devices, whether they are accessible from the Internet or not.  By doing so you, again, protect against the accidental disclosure of a password or theft of a password being useful to anyone else.

Some examples of devices or systems you may wish to protect are:

  • Router Admin Management - Someone with your router admin password can easily set up their own remote access or otherwise interfere with your network. Many routers will allow the user of 2FA to prevent a compromised password being useful.
  • Your web site back end. A compromised password for your web site back-end could enable someone to vandalise or take down your public web site, so 2FA should be considered.
  • VPN Access - Remote access to your network is obviously a sensitive service and with potentially many remote users or teleworkers, the possibility of someone letting their password be compromised is increased.  Consider using 2FA for VPN users.