What is two-factor authentication?

Cyber attackers are relentless. They hunt, phish, scam, and social-engineer everybody including privileged users to infiltrate your organization. Once inside, they look for opportunities to elevate privilege and appropriate resources. Every app is vulnerable. Without controlling cloud and on-prem application access, organizations are at risk of a security breach.

Two-factor authentication helps thwarts attacks and protect corporate data.

What is two-factor authentication?

Two-factor authentication (2FA) adds an additional layer of security when users login to apps. Without additional authentication, users are asked to prove their identity by providing simple credentials such as an email address and a password. With 2FA, they are asked for a second factor (2F), usually by prompting the user to provide information via a physical token (i.e. a card) or a security question whose answer only they know. US Federal regulations recognize the following authentication factor options:

How does 2FA make companies more secure?

Having an additional authentication factor prevents someone from signing into a user’s account—even if they know the user’s password. Other factors are needed because passwords, by themselves, just aren’t safe. They can be compromised in a number of ways:

• Most individuals choose an easy-to-remember password which is therefore easy to hack. For example, they use discoverable information such as a pet’s name, a birthplace, or an important date like their anniversary.
• Most individuals reuse the same password for several applications. So, once a cyber criminal gets the password, he or she has access to more than one application.
• Cyber criminals themselves use many different and increasingly sophisticated techniques to compromise login credentials.

That’s why more factors help. If authentication requires both a password and, say, a USB token with a digital certificate on it, a criminal would need to know the user’s credentials and be in possession of the USB token in order to sign into the user’s account. Without being in possession of both, any unauthorized access would fail and trigger a security event to let the admin know of a suspicious login attempt.

Authentication can be made even stronger by combining additional factors to achieve multi-factor authentication (MFA). Multi-factor authentication allows you to add factors like a PKI certificate in the user’s browser or require a mobile app for authentication. And products like OneLogin Desktop increase security via an on-laptop certificate that delivers a second factor of authentication in the form of a trusted device.

Strong authentication factors

There are a variety of second authentication factors that can be used for 2FA to secure application access. Here are some examples:

• One-time password (OTP) – A unique password which can only be used once. This is typically a short string of numbers generated based on a secret stored in a physical device such as a USB token or a smartphone. Upon authentication, the one-time password is verified against the OTP vendor’s service in the cloud. Even if someone manages to steal the password, it cannot be used to login successfully without the OTP.
• Time-based PIN – A sequence of digits which have to be entered within a short window, typically 30 to 60 seconds. The PIN can be generated by a software application or hardware device with a very precise clock. The security lies in the fact that the PIN is only valid for a short period of time.
• Digital (PKI) certificates – A digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser. The identity provider can check for the presence of valid certificates as well as revoke them at any time. Only a browser with a valid certificate will be allowed to sign in.