What is 2FA?

By Evan Stockton

2FA is an abbreviation for two-factor authentication. This security measure is also known as “multi-factor authentication” or “two-step authentication.” While this technology has been commercially available since 1986, it didn’t start to gain popularity until 2011, when Google rolled out 2FA to all users. This was done in response to security concerns after Chinese attackers tried to gain access to the email accounts of several human rights advocates. Shortly after, several other companies started to implement 2FA as a way to protect against hackers and digital attacks. The main benefit to consumers is that this additional layer of security helps to protect both companies and individuals against fraud and other malicious activity. Due to increasingly sophisticated attacks, single-factor authentication, such as logging in with just a username and password, is no longer enough to ensure your safety online.

When 2FA is enabled for a digital service, such as email or online banking, you will be prompted to verify your identity. There are several ways in which you may be asked to do this, but one of the most common is to enter a code sent to you via SMS, authenticator app, or email. Some companies will now only send this code directly to a “trusted device.” A trusted device is usually a cell phone, tablet, or computer which you have designated as “safe” or “trustworthy” in your account settings for specific digital services and products.

Why use two-factor authentication?

Two-factor authentication provides you, and the content you access, with an additional layer of protection. This extra security step makes it more difficult for hackers to access your digital accounts, devices, and any sensitive information you may have access to. For a private individual, this may mean avoiding identity theft. For companies, this could mean preventing password databases or other sensitive pieces of data from being accessed.

In addition to the security benefits, 2FA can also save people time, as a password can be reset securely online instead of over a phone call. Two-factor authentication also enables employees to enjoy a more flexible work schedule, as they can securely access company resources from home or other locations.

How does two-factor authentication work?

The basic principle behind two-factor authentication is that a person needs to provide two separate pieces of information before gaining access to their accounts.

Typically, the first piece of information required will be the correct username and password combination. The second piece of information will fall under one of the three following categories:

Possession

A possession factor is a physical verification method such as a key fob, USB stick, ID card, or cell phone. These devices store or receive a security token. This token will provide you with access to a particular service or device. Within this category, there are two subcategories: connected and disconnected. Connected tokens would typically be something you need to insert or scan in order to gain access to a protected device. Disconnected tokens will typically provide you with information that you need to enter in order to access an account or digital tool.

Knowledge

These types of factors are additional pieces of information that are used to verify your identity. Ideally, only you would know these pieces of information. These are typically things like a PIN or answers to preselected security questions like “What hospital were you born in?”

Inherence

Inherence factors are characteristics that we consider to be unique to the individual. This category is commonly associated with biometrics. Examples of this would be requiring fingerprint or retina scans in order to unlock a device or gain access to an account.

A few examples of 2FA

With everyone looking to better protect their digital lives, and those of their customers, it is no surprise that 2FA can take on many forms. Some of the most common examples of 2FA are:

  • Being prompted to enter a code after entering your username and password
  • Having to enter a PIN code to verify your identity or complete a sensitive task after logging in
  • Being asked to answer a security question after entering your username and password
  • Requiring PIN codes to verify transactions when paying with a debit card
  • Being sent a push notification on your cell phone when logging in from an unrecognized or new device

What is multi-factor authentication?

Multi-factor authentication is a security measure that requires two or more steps to verify the user’s identity or gain access to an online account or resource. Two-step verification is a type of multi-factor authentication.

While two-step verification is enough to access most online services, there are situations where the data may be extremely sensitive. In these cases, three or more steps may be used to safeguard that information. These steps can be any combination of possession, knowledge, and inherence factors.

While many people may consider multi-factor authentication to be annoying or frustrating due to the additional time and effort, these additional steps are worth it. By enabling 2FA, individuals and businesses are able to better protect themselves from malicious cyberattacks.

Common Types of 2FA

Two-step verification can be a combination of several factors. Some of the most common factors used are:

  • Hardware tokens
  • Software tokens
  • Text messages
  • Voice messages
  • Push notifications
  • Biometrics

These types are described in more detail below:

Hardware Tokens for 2FA

Hardware tokens are the oldest way to authenticate users. These usually come in the form of small devices that either need to be inserted into a device or generate a code displayed on their own screen. With a code-generating token, codes are produced at specified time intervals or when triggered by an attempt to perform certain actions.

Hardware tokens that need to be inserted into a device, like a USB drive, store specific certificates or digital keys, allowing users to access a specific service, tool, or database.

Alternatively, TOTP (Time-based One-time Password) or OTP (One-Time Password) tokens are examples of hardware tokens that do not need to be physically inserted into a device. They are small devices that can be kept on a keyring, in your pocket, or in a desk drawer. These devices are quite easy to use and usually have a screen that displays the necessary code when triggered.

While there are many benefits to using hardware tokens, one downside is that they can be easily lost or stolen, increasing the risk of potential security breaches. Another downside is that they can be an expensive investment. From an IT perspective, hardware tokens also require additional effort and resources.

Software Tokens for 2FA

Typically, users receive software tokens through the use of apps that need to be downloaded and installed onto a trusted device. Two well-known examples are Google Authenticator and Microsoft Azure Authenticator. These apps essentially convert your trusted device, such as a cell phone or tablet, into an OTP generator. When you attempt to gain access to an account or service, the server will receive the request and automatically communicate with your device. You will either be prompted to confirm your identity via push notification from the app or be provided with a code which you will then enter to gain access.

Once you have verified your identity via the app, these credentials will expire, and you will be provided with new credentials the next time you need to access the same service.

In comparison to hardware tokens, software tokens are preferable because they aren’t as easily misplaced, lost, or stolen. Since these trusted devices also tend to be used on a daily basis, it is much easier to ensure that the most up-to-date version of the software is installed.

Text-Message and Voice-based 2FA

This authentication factor sends information directly to the user’s cell phone. In order to finish logging in, you will need to enter the unique, one-time code provided in either the text or voice message. Many companies allow users to choose between voice and text messages. However, it is not uncommon for a text message to be the only available option.

This form of authentication is considered to be the least reliable way to authenticate users and is not recommended for accessing websites that store sensitive personal data, such as those of banks or insurance companies.

Push Notifications for 2FA

In order to receive push notifications, you must first successfully download and install the designated authenticator app on one of your trusted devices. When someone tries to gain access to an account using your credentials, you will automatically receive a push notification. This push notification will allow you to confirm or deny the login request with a single tap.

If you confirm the request, immediate access to the account or service is granted. If you deny the request, the person attempting to log in will be blocked.

Biometric 2FA

This way of authenticating users is the most secure but by far the most expensive. Biometric data is almost 100% guaranteed to be unique to the individual.

When using this method, users are asked to provide their biometric data in order to gain access to a device, service, or information. Some forms of biometric identification are:

  • Fingerprint scans
  • Facial recognition
  • Retinal or iris scans
  • Voice identification
  • Keystroke dynamics
  • Signature recognition

No matter what form of multi-factor authentication you use, rest assured that your personal information will be more secure.

ABOUT THE AUTHOR

Evan Stockton is the proud publisher and founder of Securifer.com, where he mainly manages publishing, editing, and fact-checking. Evan is an expert cybersecurity researcher and has written many articles for several large IT-centered publications.