
Explainer: Two-Factor Authentication (2FA)

 

Two-factor authentication, or 2FA, is a method of accessing computing and financial resources or physical facilities with more than just a password or personal identification number (PIN or passcode). Using a single password or passcode to access such resources makes a user susceptible to security threats, because it represents only a single piece of information that a malicious person needs to acquire.

With 2FA, additional information is required to sign in to computing resources, access cash or enter a building. Two-factor authentication therefore creates an extra level of security, an approach often referred to as “multi-factor authentication”. Using a username and password or passcode, together with a piece of information that only the user knows, makes it harder for potential intruders to gain access and steal that person’s personal data or identity.

Multi-factor authentication is a method of multi-faceted access control which a user can pass by successfully presenting authentication factors from at least two of the three categories:

• knowledge factors (“things only the user knows”), such as passwords or passcodes;
• possession factors (“things only the user has”), such as ATM cards or hardware tokens; and
• inherence factors (“things only the user is”), such as biometrics

Requiring more than one independent factor increases the difficulty of providing false credentials. Two-factor authentication requires the use of two of the three independent authentication factors identified above. The number and the independence of factors are important, since more independent factors imply higher probabilities that the bearer of the identity credential actually does hold that identity.

Multi-factor authentication is sometimes confused with “strong authentication”. However, “strong authentication” and “multi-factor authentication” are fundamentally different processes. Soliciting multiple answers to challenge questions can typically be considered strong authentication, but, unless the process also retrieves “something the user has” or “something the user is”, it is not considered multi-factor authentication.

The most typical scenario where two-factor authentication is emerging is within the banking sector. When a bank customer uses an automated teller machine (ATM), one authentication factor is the physical ATM card the customer uses in the machine (“something the user has”). The second factor is the PIN or passcode the customer enters through the keypad (“something the user knows”). Without the corroborating verification of both of these factors, authentication does not succeed. This scenario illustrates the basic concept of most multi-factor authentication systems: the combination of a knowledge factor and a possession factor.

The combined use of these multiple factors allows financial institutions to combat identity theft and bank fraud by increasing overall security and reducing the potential for users to be falsely authenticated. As many research analysts have noted, banks can augment traditional passwords or passcodes with two-factor authentication measures that include biometric identification measures. While a biometric identifier in theory could replace the personal identification number, a customer should instead be asked to supply a PIN or password to supplement a biometric identifier, making it part of a more secure two-factor authentication process. Some banks in Asia currently leverage biometric identifiers such as finger vein and palmprint recognition, in conjunction with ATM cards to provide a two-factor ATM authentication solution to their clientele.
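The factor rules described above can be written as a policy check. This is an added example, not code from the original article: the authenticator labels, the `Evidence` type and the function names are assumptions made for illustration. It counts distinct factor categories among credentials that actually verified, so several challenge questions still count as one factor.

```python
from dataclasses import dataclass

# The three categories come from the article; the authenticator labels mapped
# to them are illustrative names chosen for this example.
CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "challenge_question": "knowledge",
    "atm_card": "possession",
    "hardware_token": "possession",
    "finger_vein": "inherence",
    "palmprint": "inherence",
}

@dataclass(frozen=True)
class Evidence:
    kind: str       # a key of CATEGORY
    verified: bool  # True only if the verifier accepted this credential

def classify(evidence):
    """Return (label, categories) for one sign-in attempt."""
    unknown = [e.kind for e in evidence if e.kind not in CATEGORY]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    # Only credentials that verified count towards a factor.
    verified = [e for e in evidence if e.verified]
    categories = {CATEGORY[e.kind] for e in verified}
    if not categories:
        return "rejected", categories
    if len(categories) >= 2:
        return "multi-factor", categories
    # Several checks from one category: more steps, still a single factor.
    if len(verified) > 1:
        return "single-factor (multi-step)", categories
    return "single-factor", categories

def meets_2fa(evidence):
    return classify(evidence)[0] == "multi-factor"

# Constructed sign-in attempts.
ATM = [Evidence("atm_card", True), Evidence("pin", True)]
QUESTIONS = [Evidence("password", True), Evidence("challenge_question", True),
             Evidence("challenge_question", True)]
WRONG_PIN = [Evidence("atm_card", True), Evidence("pin", False)]
VEIN_ATM = [Evidence("atm_card", True), Evidence("finger_vein", True)]

if __name__ == "__main__":
    for name, attempt in [("ATM", ATM), ("QUESTIONS", QUESTIONS),
                          ("WRONG_PIN", WRONG_PIN), ("VEIN_ATM", VEIN_ATM)]:
        print(name, classify(attempt))
```
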

With continuing challenges to secured digital environments, users can expect the increased deployment of two-factor authentication solutions in order to mitigate risk in computing, banking and physical environments.
