
What is the Best Type of 2-factor Authentication Solution? by Ronan Mahony


Stolen passwords remain a significant cause of serious data breaches. Employees often reuse passwords across multiple applications, and with up to a million passwords stolen each week globally, relying on passwords alone is dangerous in the modern security landscape.

This article gives an overview of two-factor authentication, a method for adding an additional layer of security to your organization. You'll find out what 2FA is, how it works, and what the different types of 2FA solution are.

What is 2-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a way to authenticate users to an application or service that requires two distinct categories of evidence. If the user does not provide both factors of authentication, their access requests aren't verified. In other words, 2FA is a way to increase confidence that the people trying to access your systems are who they say they are.

Authentication is distinct from authorization; the latter grants permission to resources, while the former verifies the identity of a person or device. (Here is a more in-depth description of authentication from Thales.)

Network perimeters for many organizations have shifted from controls such as firewalls to the identities of people, devices, and applications. An important reason for this shift is the huge uptake of cloud computing, which sped up even more as a response to the pandemic.

In the cloud, users can access business apps, services, and assets with minimal layers of protection, which makes it more important to implement controls at the identity level. Requiring additional verification improves the security of your important corporate assets and apps.

How Does 2FA Work?

The classic example of 2FA is where users first provide their login credentials (username-password combination) to access an app, followed by a one-time password sent to a hardware token. In this example, the user needs to provide something they know and something they have.

Most people are somewhat familiar with 2FA because modern Internet banking apps typically use it to secure logins. Often, a user logging into their online banking also needs to provide a one-time password sent to their mobile phone.

Taking a bird's eye view of how 2FA works, users typically pair two distinct pieces of evidence from the following:

  • Something they know (username-password login credentials)
  • Something they have (hardware token, mobile phone)
  • Something they are (fingerprint, facial recognition scan)

Most types of 2FA traditionally include the first factor (something the user knows) and combine it with one of the other two factors.

Types of 2FA Solution

Choosing the right type of 2FA solution is a crucial decision from a business perspective. There is a real need to balance security with usability. For example, you could argue that providing everyone with hardware security tokens negatively impacts users by burdening them with the extra responsibility of taking good care of their tokens.

Here is a run-through of a few different types of 2FA solutions.

SMS

SMS is a convenient form of 2FA in which the user receives a text message with a code after providing their login credentials. The user types in this code to prove their identity. With 97 percent of Americans owning a mobile phone, the barriers to using this 2FA solution are minimal.

One potential drawback of SMS is a lack of cellular service, which can mean users don't receive their codes and therefore cannot log in. Furthermore, SMS messages aren't encrypted, so they are vulnerable to man-in-the-middle attacks. For this reason, SMS authentication is not considered very secure, and NIST no longer recommends it.

TOTP

Time-based one-time password (TOTP) is a type of authentication solution that uses a time-restricted code, generated by a smartphone app, to verify logins. These time-restricted codes are derived from an initial secret seed shared when the token is provisioned to the user. One-time passwords can be generated on a hardware token or on an OTP authenticator app installed on a mobile device. TOTP eliminates the reliance on unsecured SMS communications.

Push-Based

Push-based authentication again uses an OTP authenticator app installed on a smartphone as the second factor of authentication. Upon logging in to a service or app, the user receives a smartphone notification asking them to approve or deny the login. The push-based method has less user friction because it's easier to tap approve or deny than to accurately type one-time passwords from another device. Push-based verification requires a smartphone with Internet access, which is a potential barrier to adoption; for this reason, most push authenticator apps also support regular OTP authentication.
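The approve-or-deny flow above is easy to describe but has a few server-side details that decide whether it is actually safe. The following added example (not from the article or from any push authenticator product) models the server's side of it: a pending request is created only after the password check, it is bound to the user's web session and a random request id, only a device enrolled for that user can decide it, it expires after a short time-to-live, and it can be decided at most once. The class and method names, the 60-second TTL, and the injectable clock are this example's own assumptions.

```python
# Added example (not from the article): a server-side model of push-based
# login approval with device binding, session binding, expiry and single use.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass
class PendingRequest:
    user: str
    session_id: str
    created_at: float
    decided: bool = False
    approved: bool = False


class PushAuthServer:
    def __init__(self, ttl_seconds: float = 60.0, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.devices: Dict[str, Set[str]] = {}        # user -> enrolled device tokens
        self.pending: Dict[str, PendingRequest] = {}  # request id -> state

    def enroll_device(self, user: str, device_token: str) -> None:
        self.devices.setdefault(user, set()).add(device_token)

    def start_login(self, user: str, session_id: str) -> str:
        """Called after the password check succeeds. Returns the unguessable
        request id that the push notification carries to the phone."""
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = PendingRequest(user, session_id, self.clock())
        return request_id

    def decide(self, request_id: str, device_token: str, approve: bool) -> bool:
        """The phone's reply. Returns True only if this call approved a live request."""
        req = self.pending.get(request_id)
        if req is None or req.decided:
            return False  # unknown id, or already approved/denied once
        if device_token not in self.devices.get(req.user, set()):
            return False  # a device not enrolled for this user cannot decide
        req.decided = True  # every request is decided at most once
        if self.clock() - req.created_at > self.ttl:
            return False  # expired requests are treated as denied
        req.approved = approve
        return approve

    def login_allowed(self, request_id: str, session_id: str) -> bool:
        """Polled by the web session that started the login; the approval only
        counts for the session it was bound to."""
        req = self.pending.get(request_id)
        return bool(req and req.approved and req.session_id == session_id)


if __name__ == "__main__":
    server = PushAuthServer()
    server.enroll_device("alice", "phone-A")  # constructed demo user and device
    rid = server.start_login("alice", "web-session-1")
    print("approved:", server.decide(rid, "phone-A", True))
    print("session may proceed:", server.login_allowed(rid, "web-session-1"))
    print("second approval of same request:", server.decide(rid, "phone-A", True))
```

Binding the approval to the originating session is what stops an approval from being consumed by a different login than the one the user meant to approve, and the short TTL limits how long an unanswered notification stays actionable; in a real deployment both the pending table and the device enrolments live in shared persistent storage rather than in memory.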

FIDO2 Security Keys

FIDO (Fast Identity Online) is a newer authentication standard. FIDO2 is the two-factor authentication version of this standard, and it aims to eliminate the need for password-based logins. Public key cryptography and dedicated security tokens drive the authentication of a registered device logging into a particular service; the user then verifies each login on their phone with biometric data, such as a fingerprint. The disadvantage of this approach is the need for FIDO USB tokens and their associated costs.

Closing Thoughts: What is the Future of 2FA?

There is a debate over whether FIDO will replace other authentication standards. Its passwordless aspect is attractive to many companies in a world where password compromises still play such a huge role in high-profile breaches.

It's likely that an increasing number of organizations will opt for FIDO2 as time goes on, whether as a complementary solution alongside existing authentication standards for mission-critical apps and services or as a business-wide replacement.

About the author

Ronan Mahony, B2B Technology Content Writer (Twitter: @ronanthewriter; LinkedIn: https://www.linkedin.com/in/ronan-mahony-writer/)

Ronan Mahony is a freelance content writer mostly focused on cybersecurity topics. He likes breaking down complex ideas and solutions into engaging blog posts and articles. He's comfortable writing about other areas of B2B technology, including machine learning and data analytics. He graduated from University College Dublin in 2013 with a degree in actuarial science; however, he followed his passion for writing and became a freelance writer in 2016. He currently also works with Bora Design. In his spare time, Ronan enjoys hiking, solo travel, and cooking Thai food.