For the best web experience, please use IE11+, Chrome, Firefox, or Safari
OneLogin + One Identity delivering IAM together. Learn more

Two-Factor Authentication (2FA)

What is 2FA and How It Works.

Without controlling cloud application access, organizations are at risk of a security breach. Attackers are relentless. They hunt, phish, scam, and social-engineer everybody including privileged users to infiltrate your organization. Once inside, they look for opportunities to elevate privilege and appropriate resources. Implementing 2FA software solutions across users thwarts attacks and protects corporate data.

Two-Factor Authentication (2FA)

What is Two-Factor Authentication?

Two-Factor Authentication products add an additional layer of security. Typically, users are asked to prove their identity by providing simple credentials such as an email address and a password. A second factor (2F) adds an extra layer of unauthorized access protection by prompting the user to provide an additional means of authentication such as a physical token (e.g. a card) or an additional secret that only they know.

US Federal regulators recognize the following authentication factor options:

Something you know - a password or PIN code

Something you have - a smart card, USB key, PKI (Public Key Infrastructure) certificate or mobile phone

Something you are - a biometric characteristic, e.g. fingerprint or voice pattern


  • Browser PKI certificates
  • RSA SecurID
  • Symantec VIP Access
  • Yubico Yubikey (USB-key)
  • Google Authenticator


The easy of use of OneLogin and the YubiKey make them a perfect match. Customers benefit from a highly secure single sign-on solution to thousands of web applications without compromising security.



As enterprises begin moving more and more sensitive data into the cloud and rapidly adopting Software-as-a-Service, organizations are more focused than ever on security. By leveraging RSA SecurID technology and OneLogin, organizations can help increase security and decrease the potential for unauthorized access to sensitive applications and data.

Stu Vaeth Strategic Technology Alliances

How is 2FA More Secure?

An additional authentication factor prevents someone from signing into your account, even if they know your password. Although you may think your password is safe, it can be compromised in a number of ways: Most individuals choose an easy-to-remember password and reuse it for several applications – those who know you can easily guess a pet’s name, a birthplace or an important date; Someone looking over your shoulder can decipher your password; Finally, a more sophisticated technique that can compromise your login credentials is a key logger that records all keystrokes and sends them to a third party.

If authentication requires both a password and, say, a USB token with a digital certificate on it, a criminal would need to know your credentials and be in possession of your USB token in order to sign into your account. Without being in possession of both, any unauthorized access would fail and also trigger a security event to let the admin know of a suspicious login attempt.

Authentication can be made even stronger by combining additional factors to achieve multi-factor authentication (MFA); you can add a PKI certificate in your browser or prompt the user for additional secrets. Or you can use OneLogin Desktop to increase security via an on-laptop certificate that delivers a second factor of authentication in the form of a trusted device, in effect multi-factor authentication for all application access.

For even more security, consider adding Adaptive Authentication, which leverages machine learning to apply an extra layer of intelligence to protect identities.

Strong Authentication Factors

There are a variety of second authentication factors that can be used for 2FA to secure application access. Here are some examples:

One-time password (OTP) – A unique password which can only be used once. This is typically a short string of numbers generated based on a secret stored in a physical device such as a USB token or a smartphone. Upon authentication, the one-time password is verified against the OTP vendor’s service in the cloud. Even if someone manages to steal your password, it cannot be used to login successfully without the OTP. OneLogin provides free OTP functionality included with our solution to increase security, especially for remote access.

Time-based PIN – A sequence of digits which have to be entered within a short window, typically 30-60 seconds. The PIN can be generated by a software application or hardware device with a very precise clock. The security lies in the fact that the PIN is only valid for a short period of time.

Digital (PKI) certificates – a digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser. The identity provider can check for the presence of valid certificates as well as revoke them at any time. Only a browser with a valid certificate will be allowed to sign in.

Authentication Process

Authentication Process

OneLogin’s cloud-based two-factor authentication service process is straightforward. The user is first authenticated using a username and password. OneLogin looks up the user and if additional authentication factors are required, the user will be prompted to enter them on the login page.

All the user has to do is press the YubiKey button, which will send the generated one-time password straight to the input field in the browser, eliminating cumbersome and error-prone typing. OneLogin then validates that a) the YubiKey does belong to the user accessing the account and b) the code entered has not been used previously..

Yubico’s sleek USB key works with Windows, Mac and Linux without any client software required. By pressing the button on the key, a unique one-time password is generated and automatically entered in the browser.

Symantec VIP Access is supported on hundreds of mobile phones, including iPhone, Android, Windows Mobile and Blackberry. Every 30 seconds a new 6-digit PIN is generated, which is valid for only one minute.

Secure all your apps, users, and devices