Two-factor authentication (2FA) is an authentication method that provides an additional layer of security for user accounts, applications and networks. It is also known as two-step verification.
Unlike single-factor or password-based systems which only ask users for their username and password, 2FA requires the user to provide one more verification factor to log in to an account or system. The goal is to:
These factors could be any combination of:
Knowledge factors, i.e. something you know:
OTP code sent via SMS, email or voice call
Answer to a security question
Possession factors, i.e. something you have:
Hardware token or key fob
PKI (Public Key Infrastructure) certificate
Inherence factors, i.e. something you are. This is typically a biometric characteristic, such as a:
For decades, companies all over the world have used passwords to secure their systems and protect their data. But passwords are no longer enough to ensure security, which is why in one recent survey, 95% of respondents said that password-related risks caused them serious security concerns.
Hackers can easily steal or compromise passwords, more so because users often share them with other users or write them down in insecure or unsafe places. The average person in the U.S. also manages 130 accounts, so password reuse is another common problem.
2FA provides a protective measure against these challenges. In such systems, users must verify their identity using two authentication factors. The additional factor makes it harder for criminals to hack into an enterprise system, since they will need to steal the password and also get access to the second factor.
Moreover, when the attacker tries to spoof both authentication factors, it would trigger a security event to let the admin know of a suspicious login attempt. The admin can then take immediate action to prevent any further damage.
2FA offers numerous advantages over traditional password-based systems:
Passwords can be compromised in many ways. For example, most individuals choose easy-to-remember passwords like “123456,” “iloveyou,” or “password,” which bad actors can easily guess by using keylogger software or via brute force, dictionary, or rainbow attacks. They can then pretend to be the user and log in to their accounts to compromise their assets or data. Also, when users reuse passwords for several applications or accounts, an attacker who steals the password can compromise all these accounts in one go.
In 2020, over 80% of cyber breaches were caused by stolen passwords and 12% involved privilege misuse. 2FA makes it harder for attackers to get access to an account and its data. It can thus help prevent breaches and other password-related cybercrimes.
The average cost of a single data breach has increased from $3.86 million in 2020 to $4.24 million in 2021. The cost of a breach due to compromised credentials is even higher, at $4.37 million. 2FA can prevent breaches and thus help organizations save money.
They can save even more money by reducing the number of password reset requests. On average, between 20% to 50% of all helpdesk calls are for password resets, and each reset request costs organizations $70. These costs can add up over time. In 2FA systems, employees can securely reset their own passwords by using the additional authentication factor to verify their identity in a self-service password reset flow. Implementing a self-service password reset flow reduces the number of reset requests and saves money for the organization in the long run.
In 2020, phishing attacks accounted for 36% of data breaches. Such scams have also evolved over the years. While attackers still include malicious links or attachments in emails, they now also use new methods like polymorphic scams, malicious HTTPS sites, man-in-the-middle phishing attacks, and Phishing-as-a-Service.
2FA weakens an attacker’s phishing weapons. Even if a scammer can steal a user’s passwords through malicious emails, they cannot steal the other authentication factors which are not email-based, such as one-time passwords (OTPs) sent to a user’s mobile phone. This prevents the bad actor from compromising the user’s account.
If an attacker compromises a user’s password, the organization has very little time to prevent them from hacking the enterprise network. But with 2FA, even if a user loses their second factor such as a mobile device, security teams have some additional time to remedy the issue before the attacker can cause too much damage.
Due to the COVID-19 pandemic, millions of employees now work remotely. This enables organizations to maintain business continuity. However, it can also create security gaps. Many employees use insecure devices and open WiFi networks to access enterprise resources. This allows attackers to gain access to these resources, particularly if they are password-based.
With 2FA, employees can safely access company networks, applications, documents, data, and other resources from virtually any device and any location. This helps increase their productivity without risking the company’s security.
Customers want to protect their online accounts and data, particularly accounts that involve financial transactions such as banks or eCommerce websites. For this, they expect websites to provide 2FA, and would usually choose a business that provides 2FA over one that doesn't. For this reason, 2FA is critical for any organization that serves end users.
OneLogin offers a straightforward cloud-based 2FA service. When using this service, the user is first authenticated using a username and password. OneLogin looks up the user to verify their credentials. If additional authentication factors are required, it prompts the user to enter them on the login page.
All the user has to do is press the YubiKey button, which will send the generated OTP straight to the input field in the browser, eliminating the need for cumbersome and error-prone typing. OneLogin then validates that: