What is Two-Factor Authentication in Identity & Access Management?
Two-factor authentication (2FA) is an authentication method that provides an additional layer of security for user accounts, applications and networks. It is also known as two-step verification.
Unlike single-factor or password-based systems which only ask users for their username and password, 2FA requires the user to provide one more verification factor to log in to an account or system. The goal is to:
- Verify that a user really is who they say they are
- Reduce the chances of unauthorized access, and
- Prevent data breaches and cyberattacks
How does 2FA work?
These factors could be any combination of:
Knowledge factors, i.e. something you know:
Password
PIN code
OTP code sent via SMS, email or voice call
Answer to a security question
Possession factors, i.e. something you have:
Smart card
USB key
Hardware token or key fob
Software token
PKI (Public Key Infrastructure) certificate
Inherence factors, i.e. something you are. This is typically a biometric characteristic, such as a:
Fingerprint
Iris print
Voice pattern
Typing habits
Why is 2FA more secure than password-only systems?
For decades, companies all over the world have used passwords to secure their systems and protect their data. But passwords are no longer enough to ensure security, which is why in one recent survey, 95% of respondents said that password-related risks caused them serious security concerns.
Hackers can easily steal or compromise passwords, more so because users often share them with other users or write them down in insecure or unsafe places. The average person in the U.S. also manages 130 accounts, so password reuse is another common problem.
2FA provides a protective measure against these challenges. In such systems, users must verify their identity using two authentication factors. The additional factor makes it harder for criminals to hack into an enterprise system, since they will need to steal the password and also get access to the second factor.
Moreover, when the attacker tries to spoof both authentication factors, it would trigger a security event to let the admin know of a suspicious login attempt. The admin can then take immediate action to prevent any further damage.
What are the benefits of 2FA?
2FA offers numerous advantages over traditional password-based systems:
Protects assets and data from password weaknesses
Passwords can be compromised in many ways. For example, most individuals choose easy-to-remember passwords like “123456,” “iloveyou,” or “password,” which bad actors can easily guess by using keylogger software or via brute force, dictionary, or rainbow attacks. They can then pretend to be the user and log in to their accounts to compromise their assets or data. Also, when users reuse passwords for several applications or accounts, an attacker who steals the password can compromise all these accounts in one go.
In 2020, over 80% of cyber breaches were caused by stolen passwords and 12% involved privilege misuse. 2FA makes it harder for attackers to get access to an account and its data. It can thus help prevent breaches and other password-related cybercrimes.
Saves money by preventing data breaches
The average cost of a single data breach has increased from $3.86 million in 2020 to $4.24 million in 2021. The cost of a breach due to compromised credentials is even higher, at $4.37 million. 2FA can prevent breaches and thus help organizations save money.
They can save even more money by reducing the number of password reset requests. On average, between 20% to 50% of all helpdesk calls are for password resets, and each reset request costs organizations $70. These costs can add up over time. In 2FA systems, employees can securely reset their own passwords by using the additional authentication factor to verify their identity in a self-service password reset flow. Implementing a self-service password reset flow reduces the number of reset requests and saves money for the organization in the long run.
Weakens phishing attacks
In 2020, phishing attacks accounted for 36% of data breaches. Such scams have also evolved over the years. While attackers still include malicious links or attachments in emails, they now also use new methods like polymorphic scams, malicious HTTPS sites, man-in-the-middle phishing attacks, and Phishing-as-a-Service.
2FA weakens an attacker’s phishing weapons. Even if a scammer can steal a user’s passwords through malicious emails, they cannot steal the other authentication factors which are not email-based, such as one-time passwords (OTPs) sent to a user’s mobile phone. This prevents the bad actor from compromising the user’s account.
Gives more time to address attacks
If an attacker compromises a user’s password, the organization has very little time to prevent them from hacking the enterprise network. But with 2FA, even if a user loses their second factor such as a mobile device, security teams have some additional time to remedy the issue before the attacker can cause too much damage.
Improves user productivity and security in remote settings
Due to the COVID-19 pandemic, millions of employees now work remotely. This enables organizations to maintain business continuity. However, it can also create security gaps. Many employees use insecure devices and open WiFi networks to access enterprise resources. This allows attackers to gain access to these resources, particularly if they are password-based.
With 2FA, employees can safely access company networks, applications, documents, data, and other resources from virtually any device and any location. This helps increase their productivity without risking the company’s security.
Meet customer expectations
Customers want to protect their online accounts and data, particularly accounts that involve financial transactions such as banks or eCommerce websites. For this, they expect websites to provide 2FA, and would usually choose a business that provides 2FA over one that doesn't. For this reason, 2FA is critical for any organization that serves end users.
Why is 2FA important for zero trust security?
2FA is a critical element of Zero Trust since it doesn’t accept a user as “safe by default.” Rather, it verifies that the user trying to access an account or data is who they say they are before granting them access. Thus, by integrating 2FA with their applications, organizations can prevent attackers from successfully compromising their accounts or data.
2FA simplified with OneLogin
OneLogin offers a straightforward cloud-based 2FA service. When using this service, the user is first authenticated using a username and password. OneLogin looks up the user to verify their credentials. If additional authentication factors are required, it prompts the user to enter them on the login page.
All the user has to do is press the YubiKey button, which will send the generated OTP straight to the input field in the browser, eliminating the need for cumbersome and error-prone typing. OneLogin then validates that:
- The YubiKey belongs to the authorized user accessing the account
- The code entered has not been used previously
What is the difference between 2FA and MFA?
Conclusion
Some prefer to adopt MFA to further strengthen their security with even more authentication factors. A modern MFA system like OneLogin provides “adaptive, policy-based MFA” to prevent unauthorized access, and shore up your IAM program.
You can choose either 2FA or MFA to protect your organization’s assets from bad actors. But regardless of your choice, both systems offer more robust and reliable security than single factor/password-based systems.