What is two-factor authentication?
What is two-factor authentication (2FA) or multi-factor authentication (MFA)? This is what we will briefly define today.
What is authentication? Let us start with the last bit. Authentication is the process of proving that something is true or valid. In our context of information security, it is the process of confirming that a person trying to gain access to a system is indeed who they claim to be. Typing in a username (or presenting something equivalent) is only the claim of an identity; authentication is the proof that the person is the one to whom that username was assigned.
How is this authentication done? It is usually done by supplying a password or a PIN or something similar. So, if you supply a username and then type in the correct matching password, or if you slot in an ATM card, then type in the correct PIN, the system assumes that you are indeed the correct holder of those credentials.
What is a factor? A Google search says a factor is “…a fact… that contributes to a result.” So, in the username-and-password scenario, only the password contributes to the confirmation of an identity, since the username is not secret. This is known as Single-Factor Authentication (SFA). The ATM scenario is actually different: the card you must physically hold contributes as well as the PIN, and as we will see below, that makes it two factors.
Categories of factors
There are different types of factors that are used to authenticate users. There are three common categories.
Something you know: This is the most common category. It is information that ideally only one person should know and includes passwords, PINs and the answers to secret questions such as the ones used in resetting passwords. Note that the answers to such questions (mother’s maiden name, first school) are often guessable or findable on social media, which makes them a weak member of this category.
Something you have: This is an object that again, only one person should have. The most common example would be a mobile phone to which the system sends a code that the user then enters into the system. If the user enters the correct code, then it is concluded that the user indeed has the phone whose number is in the system and the user is presumed to be the one they claimed to be. A code sent by SMS proves less than it seems, however: the message can be intercepted, or the phone number itself taken over by a SIM-swap attack against the mobile operator. Authenticator apps and hardware security keys, which hold a secret that never leaves the device, are the stronger options in this category and should be preferred where a service offers them.
Something you are: This refers to a physical feature of the user, such as a fingerprint, eye pattern (retinal or iris) or voice.
There are also other factors such as somewhere you are, which refers to the geographical location from which you attempt to log in to a system.
Putting it together
To put the pieces together, multi-factor authentication refers to the confirmation of a user’s identity by use of factors from more than one category above. For example, you may type in your username and password, then the system sends a temporary code to your mobile phone for you to type in as well to complete the login process.
The goal of MFA is to make it harder for an attacker to gain unauthorised access to a system. With only one factor such as a password, there is only one barrier to access – the password – since usernames are usually not secret. If an attacker finds out or manages to guess your password, then they can log in as you. With 2FA as in the example above, to gain access to your account, the attacker will not only need to get your password, but will also have to gain access to your phone to get the code that will be sent there. This by itself would prevent someone in another country from logging into your account using just your password.
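The two-step login described above, as an added example that is not part of the original article: the server checks the first factor (a password, stored as a salted PBKDF2 hash), and only then issues a short-lived, single-use code for the second factor. The code is compared in constant time, expires after a few minutes, and is discarded after a handful of wrong guesses so that a six-digit code cannot simply be brute-forced. The in-memory `USERS` and `PENDING_OTPS` dictionaries, the username and phone number, and the `send_sms` stand-in that just returns the code instead of sending it are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a user database and a
# table of outstanding one-time codes; a real service keeps these server-side.
USERS = {}
PENDING_OTPS = {}

OTP_TTL_SECONDS = 300        # a code is valid for five minutes
OTP_MAX_ATTEMPTS = 5         # then the code is invalidated (anti brute force)
PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, phone: str) -> None:
    """Store a per-user salt, the password hash and the phone number for the second factor."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt), "phone": phone}


def check_password(username: str, password: str) -> bool:
    """First factor: something you know."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))


def send_sms(phone: str, code: str) -> str:
    """Stand-in for the SMS gateway (assumption: a real one would not return the code)."""
    return code


def issue_otp(username: str, now: Optional[float] = None) -> str:
    """Second factor: create a random six-digit code, keep only its hash, and 'send' it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[username] = {
        "hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return send_sms(USERS[username]["phone"], code)


def verify_otp(username: str, code: str, now: Optional[float] = None) -> bool:
    """Accept a code once, within its lifetime, and within the attempt budget."""
    now = time.time() if now is None else now
    entry = PENDING_OTPS.get(username)
    if entry is None:
        return False
    if now > entry["expires"]:
        del PENDING_OTPS[username]
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["hash"], hashlib.sha256(code.encode()).digest())
    if ok or entry["attempts"] >= OTP_MAX_ATTEMPTS:
        # Single use on success; on too many failures the attacker must start over
        # with a fresh code, which the legitimate user would have to trigger.
        del PENDING_OTPS[username]
    return ok


def login_step1(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Password check; on success a code is issued and (here) returned, otherwise None."""
    if not check_password(username, password):
        return None
    return issue_otp(username, now)


def login_step2(username: str, code: str, now: Optional[float] = None) -> bool:
    """Code check; True completes the login."""
    return verify_otp(username, code, now)


if __name__ == "__main__":
    register("alice", "correct horse battery staple", "+15550100")  # constructed data
    code = login_step1("alice", "correct horse battery staple")
    print("code sent:", code, "-> login ok:", login_step2("alice", code))
```

Two design points are easy to miss in a first implementation: the code is stored hashed, so a read of the OTP table does not hand an attacker live codes, and a correct password alone never returns anything usable, which is exactly the property the paragraph above describes.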
The US Cybersecurity and Infrastructure Security Agency (CISA) lists the use of single-factor authentication for remote or administrative access as a bad practice and calls it (among other practices) “exceptionally risky.” Many modern websites and web-based applications will offer you the option of enabling MFA. Go ahead and enable it to make it harder for attackers to log into your accounts.