What is Two-factor Authentication (2FA)?
When a user logs in to an application or service, the user must prove their identity, that is, that they are who they claim to be. This is commonly described as the user authenticating.
With Two-factor Authentication, shortened as 2FA, this normally means that the user authenticates with two out of three available factors.
The factors are:
- Something you know – a username and password.
- Something you have – a physical token.
- Something you are – biometrics, e.g. fingerprints or eye scanning.
If a user combines two of these factors, that is defined as Two-factor Authentication, also written as 2-factor Authentication, 2FA or strong authentication.
Two-factor Authentication with One-Time Password
The most common 2FA scenario is where a user first states their username and password, followed by a One-Time Password, shortened as OTP. When the OTP is generated by a physical token, this acts as proof that the user “has” a second factor.
This is also commonly referred to as 2-step Authentication, especially in consumer-oriented services.
Today the classic hardware token is often replaced by a software token running on a smartphone that generates the OTP, or by an OTP sent to the smartphone as an SMS. The smartphone then acts as the “something you have” factor. There are pros and cons with the different token options, and Pointsharp supports a wide range of OTP tokens.
Two-factor Authentication with a Login App
Today, with smartphones being online, there are more convenient ways of achieving 2FA without entering a One-Time Password every time a user logs in. A user can have a Login App installed on the smartphone; every time the user logs in to an application, the user gets a notification and just needs to push a confirmation button. This makes it very easy for the end-user while still providing secure login using 2FA. Another benefit of using a Login App is that it can be customized and company branded with a logo and information on how to reach the helpdesk when support is needed.
The strength of the different factors
When talking about three different factors, it is easy to assume that they are equally secure. But factors differ in strength; they can be both weak and strong. It is the combination of factors that matters most.
If one factor is weaker, that can be compensated by a stronger second factor. In practice, with a 2FA solution users can have an easier password to remember and it is still secure because it is combined with a second factor.
The difference in security strength is very big between a password of 7 characters like “Summer05” and one with 15 mixed characters like “u4fM#ksV!32u%bD”.
A dedicated hardware token that can only generate One-Time Passwords and nothing else can be more secure than a One-Time Password sent as an SMS over unknown networks to an unprotected smartphone. At the same time, a hardware token used only once a month could be less secure than a smartphone solution, as a user might not discover that the token is lost if it is used very seldom. There are many options for OTP tokens.
Biometrics are secure in one way, as they are unique to the user and very convenient, e.g. when unlocking a device with a fingerprint or iris scan. But compared to passwords, a fingerprint cannot be changed if it is compromised. Biometrics can be considered compromised for users travelling to countries that require fingerprints and detailed photos with face and iris exposed.
Why do I need Two-factor Authentication?
When a user logs in to an application, the user also gets access to information that might be sensitive if it leaks outside the organization. The user also performs actions in the application that, for legal or compliance reasons, need to be traceable for later auditing.
If a user only logs in with a username and password, that is weak authentication as it is only one factor. The password can easily be hacked, and if it is, the user doesn’t even know about it, and an attacker can continuously retrieve sensitive information and perform non-approved actions.
To protect user access to applications and protect the company from data leakage, it is important to implement a 2FA solution. With a 2FA solution, users’ identities can also be trusted when auditing actions within an application.
Other authentication technologies
2FA solutions have been growing steadily over the years and are considered the common approach to protect access to applications and achieve trusted user identities. But there are other approaches that are a better fit in a world where users access applications from many different devices. Mobile applications in particular are good examples, where users normally don’t log in and log out after a certain amount of time. Users log in and stay online 24/7; the best examples would be mobile email and mobile UC applications.
A more modern approach to securing user login is to combine many different factors or attributes, and to do so at different points in the timeline of a user interacting with an application. The factors can be of different strength, but it is the combination of the factors that builds up the chain of security. This can be referred to as Multi-factor Authentication, shortened as MFA, and is used e.g. when working with Trusted Devices.