What is two-factor authentication?

Cybercrime is arguably the biggest threat affecting modern businesses. Half of British companies have experienced a cybersecurity incident over the past year, with large (74%) and medium (70%) firms being the most affected.

That’s according to the 2024 Cyber Security Breaches Survey from the UK Government, which also found that phishing attacks, email and online impersonation, and malware are the biggest cybersecurity threats faced by UK firms.

Two-factor authentication (2FA) adds an extra barrier of entry for any third party attempting to access your account.

Requiring users to complete a second round of authentication after entering a password, whether by entering a code sent via text message or email or by using an authenticator app, adds a far more robust protective layer. While it may seem arduous to jump through these hoops, the benefits of having them in place are untold.

What is the difference between 2FA and MFA?

Two-factor authentication (2FA) is a form of multi-factor authentication (MFA) designed to add an additional layer of security to online accounts, services, and apps. It requires users to prove their identity using two forms of authentication, the first of which is a combination of a username and a password.

Passwords are often stolen by hackers and 2FA aims to solve this by forcing anyone attempting to access an online account or service to confirm their identity via a second form of authentication.

Common examples include one-time passwords, push notifications, biometrics, physical security keys, or codes generated by authentication apps. The premise is that only users will know or have access to this information, preventing unauthorized parties from accessing their accounts using breaches or leaked passwords.

Although 2FA falls under the MFA umbrella, it wouldn’t be accurate to use the former to describe the latter. The main difference between the two is that while 2FA only uses two forms of authentication, MFA relies on two or more methods for verifying user identities.

For instance, a user with MFA set up on their account could be asked to first complete a one-time password request after logging in with their username and password, then an additional form of authentication like a fingerprint. Only after passing these stages would they be able to access their account.

How does two-factor authentication work?

Two-factor authentication invariably uses a second, independent device that functions as a buffer between the service and the login attempt.

Some services will supply their own keys, although this has become less common as companies have turned to developing their own smartphone apps or making use of SMS messages. Regardless of whether it's a number-generating key or a confirmation message, the idea is that only the owner of the device will have access to the key and the ability to authorize the login attempt.

The additional security check normally appears after the user has submitted their username and password. Once the system checks that the account exists, it will then ask the user to perform an additional action.

Two-factor authentication has become ubiquitous with most online services that involve sensitive data, whether it’s banking or financial services, e-commerce, or business applications – although many other companies are starting to offer 2FA to stand out from the competition.

How that additional layer appears can vary from service to service. For example, most banks now have their own security tokens for online banking, often in the form of random number generators and usually offered through a smartphone application, although some users may still be using a physical fob. Many online services have now forced users to set up 2FA as a minimum, including Google and Meta though the latter only has this requirement for 'high risk' accounts.

Getting through a second layer of security can be the slowest part of signing into a service but it's an effective way of sifting out those trying to brute force their way into an account.

What are the benefits of 2FA?

The biggest benefit of 2FA is preventing cyber criminals from breaching online accounts using passwords they've stolen or found in leaked databases on the dark web. But there are other reasons why you should use this security feature.

2FA can help tackle password fatigue, the feelings of tiredness associated with having to constantly remember and enter myriad passwords. It means you can choose an easy-to-remember password with the peace of mind that your account will be secured by a second authentication method.

Security leaders have less cause to worry about account breaches if they have a good 2FA policy in place, in the knowledge that cybercriminals have that extra barrier to entry. Adopting features like 2FA is also key to developing a security-first mindset — paramount as the threat landscape worsens.

Remote workers are still difficult for security teams to support, as their devices and corporate access need to be properly configured with 2FA or MFA, but this step is essential for protecting critical corporate accounts while supporting a hybrid work model. This is particularly critical for offices that take a bring your own device (BYOD) approach, as home devices can be more vulnerable to password-stealing malware and therefore need the extra line of defense.

Using 2FA methods like passkeys and authenticator apps provides users with “better and more secure protection”, says ESET global cybersecurity advisor Jake Moore.

“When threats are multi-layered themselves, accounts need the strongest multi-layered protection to stay secure,” he tells ITPro.

But as well as protecting against password breaches, 2FA could also bring about a passwordless future. Moore says this is possible thanks to “superior security options” that offer greater pxrotection against phishing and brute-force attacks than single passwords. He adds: “Passkeys, for example, offer ease of use, security as well as convenience and are already being rolled out smoothly across multiple accounts.”

Is two-factor authentication safe?

Despite the benefits it offers, it's worth noting that multi-factor authentication is not 100% secure. Microsoft has warned businesses against using systems that rely on voice and SMS due to security concerns, warning that these methods use no encryption and are therefore ripe for interception by hackers. With private details to hand, hackers can launch social engineering campaigns

For example, authentication via text message is vulnerable to interception and spoofing by hackers, particularly if they can hijack an account that supports a person's mobile number. Various account recovery processes for lost passwords can also be harnessed by hackers to work around two-factor authentication.

Sophisticated malware that has infected computers and mobile devices can redirect authentication messages and prompts to a device belonging to a hacker, rather than the legitimate account holder, thereby working within but also around two-factor authentication.

The most secure methods of 2FA use dedicated hardware tokens, such as a Google Titan Security Key or YubiKey, which are difficult for hackers to spoof unless they physically steal one. Google's offering, for example, uses cryptography to verify a user's identity and a separate URL to stop would-be attackers from accessing accounts even if they have the username and password.

Methods of 2FA reliant on codes sent via SMS are best avoided if you are running an enterprise with a treasure trove of data. This is because SMS is vulnerable to SIM swap attacks, in which attackers transfer a victim's number to a SIM card in their possession to intercept their messages. If they pull this off on a user they know uses SMS-based 2FA, they could gain access to their account without any alarms going off.

While 2FA may not be quite the security silver bullet it was once expected to be, it's still an important area of security and access control to keep in mind when procuring and setting up services for your business or personal life, because the more hurdles you can put in the hackers' way, the less likely they are to target you.