What Is Two-Factor Authentication (2FA)? 

Two-factor authentication (2FA) is a form of multi-factor authentication (MFA), and is also known as two-step authentication or two-step verification. 2FA is a security measure that requires end-users to verify their identities through two types of identifiers to gain access to an application, system, or network.

Think of your most recent login experiences. When you sign in to Netflix, for example, you’re probably asked to simply provide a username and password—a single factor. When you log in to your online banking account, however, you often need to provide a username and password as well as the answer to a security question or an SMS one-time password (OTP). The website asks for two factors in order to verify your identity.

2FA provides an additional layer of protection, securing user identities and preventing organisations’ online resources from being accessed by bad actors. With two-factor authentication, attackers face an additional barrier to access. Even if they know a user’s password, bad actors would still need to spoof a second factor, which can be difficult depending on the type of factor that’s enabled.

In this post, we’ll dive into the details of how 2FA works, how this method of authentication protects users and organisations, and the different types of 2FA available.

How does 2FA work?

Put simply, 2FA confirms a user’s identity by verifying one authentication factor against a second authentication factor. 

qC0sv5ZelRt96TEd9A49tIeK7bSjxDQpEHQKwI965CTJbmDSXc4Rs83Qt1DZ99tcv3y3tGd 3YhB3ILKKH8lyNJ32 4SJba2u0znIVYqlXNw1tLFGXizKIcb4u49jEl7n0M8XZIt

The more distinct these factors are from each other, the more secure the login process will be. There are three main categories of factors to choose from:

  • Knowledge factors: Something the user knows. This can be a password, a PIN, or an answer to a security question.
  • Possession factors: Something the user owns, such as a mobile phone, credit card, or USB token.
  • Inherence factors: Something that uniquely identifies the user. This includes biometrics (for example, a fingerprint or voice) and behavioral identifiers (typing dynamics, etc.). 

Why is 2FA important?

A recent report from IBM estimated that a data breach can cost organizations upwards of $3 million, and according to recent research from Symantec, 80% of data breaches can be prevented by 2FA. There are a few reasons why even the most basic 2FA implementation can make a huge impact:

Passwords aren’t perfect, and poor practices are common

Traditionally, organizations have relied on usernames and passwords to authenticate users and provide access to their apps, directories, and resources. But these precautions are not enough to secure the modern workforce.

This is, in part, because users often do not follow password best practices. In 2020, for example, the most commonly exposed passwords were “123456” (used by 2.5 million people worldwide), “123456789,” “picture1,” and “password.” While organizations can minimize these poor behaviors with strong password policies, other offenses aren’t as easy to prevent, like writing down credentials, recycling passwords across accounts, or sharing passwords with others.

Phishing attacks are a prevalent threat

Auth-based cyber attacks have become increasingly common over the past few years, especially as bad actors have embraced targeting users. For example, phishing, a common cyber attack wherein malicious actors send an email that “fishes” for personal information, is one of the top threats facing organizations today; in fact 36% of all data breaches within the last year involved phishing.

Phishing emails look as if they were sent by legitimate organizations and often encourage users to log in to their bank, social media, or corporate accounts. The email may claim that the user’s account will be deactivated if no action is taken or that their credentials have already been compromised and that a password reset is necessary. Many people fall for the content in these messages and enter their credentials into a malicious form or spoofed website, thereby revealing their password to hackers.

A single hacked account may be just the beginning

Worse still, if the same password or variations of the same password are used for several accounts and apps, the hacker can potentially gain access to them all. Through a technique called credential stuffing, bad actors who acquire one set of credentials will use automated tools to try to hack other accounts using the same password.

And since the average person manages 130 accounts, and password reuse is common, there’s a high chance that the bad actor succeeds in compromising additional profiles. From here, they can harvest sensitive information from within and even sell the compromised credentials on the dark web.

How 2FA helps

2FA addresses all of these problems by making it more difficult for malicious actors to gain unauthorized access, while still delivering the seamless digital experiences that users have come to expect. Even if a bad actor gains access to a user’s password via careless password practices or a phishing attack, the hacker cannot log in to the victim’s accounts due to the second factor.

Common 2FA methods

Now that we’ve discussed how two-factor authentication can boost security and protect against common threats, let’s look at the types of 2FA available for use:

Hardware tokens

Hardware tokens are small devices (like a key fob or USB stick) that produce a new numerical code every 30 seconds. When a user attempts to access their account, they can verify their identity by simply entering the code shown on the device. While this form of two-step verification—one of the oldest methods—seems great in theory, tokens are expensive to distribute, are often lost by users, and can be easy to hack. 


This form of SMS-based authentication sends a one-time password (OTP) to the user’s mobile device via text message after the user submits their username and password. Once users receive the code, they submit it to the service they’re attempting to access for verification. Various organisations have utilised this factor to verify purchases and other user actions, but many are moving away from it given the security vulnerabilities inherent to SMS.

Voice OTPs

Voice OTPs work similarly to SMS OTPs. Upon entering their username and password, the user will receive a phone call that delivers the 2FA code verbally. This authentication factor is less common but is often used in countries that have low smartphone usage.

Software tokens

Software tokens require users to download an authenticator app on their smartphone or desktop. When a user logs in to the authenticator application, a temporary software-generated OTP is issued. They then need to share that code with the service they’re attempting to access. Software tokens typically generate and display on the same device, limiting the chances of a hacker intercepting the code.

Push notifications

Instead of sending an OTP, this method sends a push notification to users after they have entered their username and password. The user can then review the details of the login attempt and approve or deny access. This two-step verification process directly connects the app or website, the 2FA service, the user, and their device. It’s a user-friendly option that removes the chance of phishing, unauthorized access attempts, and other threats like man-in-the-middle attacks.


Biometric factors enable users to verify their identity by using something that could only belong to them. Examples include fingerprints, retina scans, facial and voice recognition, or even behavioral identifiers like typing patterns.

Which factors should I use?

When deciding which factors to deploy, there are a few things to consider. First, think about the application or service that needs to be protected. It is especially important that apps containing sensitive personal information be protected by the strongest factors possible. Organizations may even want to consider deploying more than two factors to verify a user’s identity with even more certainty.

Pw1awh7DMnoDCPDT3aUWUvcHPx6TRl1q5OMS3ntCKXLmFiIwpkvbqKOeIhXmCfPXP1Gl0Ju1nu2mxXL4 e3 sBgz QDXaQWDDgHbth3f5 R0LIuxhBWXoQd96Kig6Hixud dqZfa

Organizations should also think about their users. For instance, senior executives typically have access to more confidential corporate data, and therefore should need to verify their identity with more secure factors more often. On the other hand, contractors and interns are unlikely to have access to critical data and can therefore be verified less frequently.

Solutions like Okta Verify are a good choice because the authentication process takes place on the same device the access is requested from. This significantly reduces the chance of hackers intercepting credentials between the time a user provides a password and enters a 2FA code. Biometric-based authentication is another strong factor that should be considered as an additional security layer for any business-critical app or service.

2FA is good, but adaptive MFA is better

While using two-factor authentication is more secure than passwords, there’s more that organizations can do to secure their applications and networks and verify user identities. 

Adaptive Multi-Factor Authentication, for example, gives system admins full control over when, where, and by who 2FA or MFA needs to be used. IT teams can choose which factors are the best fit for certain users within their organization, from contextual behavior and login patterns to geolocation and proxy detection. Organizations can also create nuanced policies, such as only authenticating logins from managed or known devices. Adaptive MFA provides organizations with secure, seamless access that will delight users.

For more information about how to verify users, check out our Ultimate Authentication Playbook—or get started with a free trial today.