What you need to know about 2FA

Feb 06, 2023
Two-factor authentication (2FA) is the use of more than one method to verify a user's identity on a computer system before allowing access to an account.


2FA as a concept has existed for a very long time, but the phrase was coined in the 1980s and became more mainstream around the late 2010s and early 2020s, as cybersecurity concerns and high-profile data breaches increased public awareness of the need for stronger account protection.


The uptake of 2FA has since become truly mainstream, with governments, financial institutions and other services holding sensitive data only providing account access through 2FA methods.


With the growing prevalence of online activities and the increasing threat of cyber attacks, 2FA has become an increasingly important aspect of online security.


Why use 2FA

Two-factor authentication (2FA) is considered to be more secure than single-factor authentication because it requires two forms of identification to access an account. In single-factor authentication, only one form of identification, such as a password, is required.


With 2FA, even if an attacker knows a user's password, they still cannot access the account without the second form of identification, which could be a one-time code sent to a mobile phone, a fingerprint, or a security key.


This added layer of security makes it much more difficult for attackers to access a user's account, as they would need to have both the password and the second form of identification. It also reduces the risk of successful attacks, such as those carried out through phishing or social engineering, where attackers trick users into revealing their password.


In addition, 2FA can provide a more secure authentication process, especially when compared to single-factor authentication methods that rely on easily guessable or easily stolen information, such as a password or security question.


The difficulties with 2FA

Things to keep in mind when using 2FA include:
1. Availability of secondary authentication method: The secondary authentication method, such as a one-time code sent to a mobile phone, must be readily available. If the phone is lost or not functioning, the user may not be able to access their account.
2. Delays in receiving authentication codes: In some cases, there may be delays in receiving the authentication code, which can be frustrating for users trying to quickly access their account.
3. Compatibility with all devices: 2FA may not be compatible with all devices, and users may need to use a different authentication method on different devices.
4. Increased security risks with SMS-based 2FA: SMS-based 2FA, which uses a one-time code sent via text message, can be vulnerable to hacking and interception by criminals. This is because SMS messages can be intercepted or redirected to a different phone.
5. User error: Users may accidentally provide the wrong information or mistype their password, leading to difficulties accessing their account. They may also forget their password or lose access to their secondary authentication method.

The problem with SMS 2FA

SMS-based two-factor authentication (2FA) involves receiving a one-time code via text message to access an account. While this method can add an extra layer of security, there are security risks associated with SMS-based 2FA.


SMS messages can be intercepted or redirected to a different phone, which can allow hackers to read the one-time code and gain access to the account. Vulnerabilities in the mobile network can also be exploited by hackers. Social engineering tactics, such as tricking a user into revealing the one-time code or impersonating the user to the service, are further ways hackers can obtain the second authentication factor and gain access to a system.


The hacker would already have obtained the password and be waiting for the opportunity to steal the one-time code, which is only valid for a limited time.

The time limit is typically set by the service provider and can vary depending on the provider and the security protocols they have in place. The purpose of the time limit is to prevent unauthorized access to your account even if an attacker has intercepted your SMS message, as they would only have a limited amount of time to use the code before it expires.


SMS-based 2FA is considered less secure than other 2FA methods, such as authentication apps or physical security keys, which provide more robust protection against these security risks. However, it is still a huge improvement over single-factor authentication.

The best 2FA

A risk assessment will help you identify the specific threat being faced and which authentication method is best suited to combat it. Some of the more secure 2FA methods include:

1. Hardware Security Keys: Physical security keys, such as USB devices or NFC-enabled devices, can provide a highly secure form of 2FA. They use public key cryptography to confirm a user's identity and cannot be easily duplicated.
2. Authentication Apps: Authentication apps, such as Google Authenticator or Authy, generate one-time codes on a user's device, which can be used as the second factor of authentication. They are more secure than SMS-based 2FA as they do not rely on the phone network and can provide additional features such as backup and recovery options.
3. Biometric authentication: Biometric authentication, such as fingerprint or facial recognition, provides a secure form of 2FA as it is difficult to replicate or steal.
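The one-time codes that authentication apps display, and the time limit on codes discussed in the SMS section above, both come from the same mechanism: a time-based one-time password (TOTP, RFC 6238) computed from a secret shared at enrolment and the current 30-second time step. The following is an added example, not code from the original article or from any authenticator app; the server-side `Verifier` type, its one-step clock-drift tolerance and its replay tracking are my own assumptions about how a service would reasonably check such codes. The secret is the public RFC 6238 test key, included here only as constructed demo data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// RFC 6238 parameters used by common authenticator apps: 30-second steps, 6 digits.
const (
	totpStep   int64 = 30
	totpDigits       = 6
)

// secretFromBase32 decodes the shared secret in the form apps receive it at
// enrolment (for example from the QR code); spaces and padding are tolerated.
func secretFromBase32(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is the RFC 4226 HMAC-based one-time password for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totpAt is the code an app would display during the time step containing unixTime.
func totpAt(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep), totpDigits)
}

// Verifier is the service side (assumed design). Besides the shared secret it
// remembers the last time step that was accepted, so a code that has been used
// once, or one captured earlier, cannot be replayed within the tolerance window.
type Verifier struct {
	secret       []byte
	lastUsedStep int64
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastUsedStep: -1}
}

// Verify accepts the code for the current step plus `skew` steps either side,
// to tolerate clock drift between the phone and the server. The comparison is
// constant-time so response timing does not reveal how many digits matched.
func (v *Verifier) Verify(code string, unixTime int64, skew int64) bool {
	step := unixTime / totpStep
	for d := -skew; d <= skew; d++ {
		s := step + d
		if s <= v.lastUsedStep {
			continue // this step (or an older one) was already consumed
		}
		expected := hotp(v.secret, uint64(s), totpDigits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsedStep = s
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
	secret, err := secretFromBase32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := totpAt(secret, now)
	v := NewVerifier(secret)
	fmt.Printf("code for this step: %s (expires in %ds)\n", code, totpStep-now%totpStep)
	fmt.Println("first use accepted:", v.Verify(code, now, 1))
	fmt.Println("replay accepted:   ", v.Verify(code, now, 1))
}
```

Two points worth noticing: the code depends only on the secret and the clock, so no phone network is involved, which is exactly why app-based codes do not share the interception risk of SMS; and because the server tracks the last accepted step, stealing a code the user has already typed gains an attacker nothing even inside the expiry window.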


It's important to note that no single 2FA method is 100% secure, and the level of security offered can also depend on how it is implemented and used. It is recommended to use 2FA in conjunction with other security measures, such as strong passwords, encryption, and anti-malware software, to provide a comprehensive security solution.
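To make concrete the statement above that hardware security keys use public key cryptography and cannot easily be duplicated, here is an added example (not code from the original article, and not the real FIDO/WebAuthn wire format) of the challenge-response exchange such keys perform. It is a deliberately simplified model: the `assertionDigest` message layout, the `RelyingParty` type, and the origin `https://bank.example` and user `alice` are all my own assumptions and constructed values. The service stores only the public key, issues a fresh random challenge per login, and the device signs that challenge together with the origin it is talking to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HardwareKey models the device: the private key is generated on it and never exported.
type HardwareKey struct {
	priv *ecdsa.PrivateKey
}

func NewHardwareKey() (*HardwareKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HardwareKey{priv: priv}, nil
}

// PublicKey is the only thing the service learns at enrolment.
func (k *HardwareKey) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Respond signs the origin the device believes it is talking to together with
// the challenge. Because the origin is part of the signed data, a response
// produced while talking to a look-alike site does not verify at the real one.
func (k *HardwareKey) Respond(origin string, challenge []byte) ([]byte, error) {
	digest := assertionDigest(origin, challenge)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

// assertionDigest is the assumed (simplified) message format: SHA-256 over the
// origin, a zero-byte separator, and the challenge bytes.
func assertionDigest(origin string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// RelyingParty is the service. It holds public keys only, issues one random
// challenge per login attempt and discards it after a single verification.
type RelyingParty struct {
	origin  string
	keys    map[string]*ecdsa.PublicKey // user -> registered key
	pending map[string][]byte           // user -> outstanding challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{
		origin:  origin,
		keys:    map[string]*ecdsa.PublicKey{},
		pending: map[string][]byte{},
	}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// Challenge returns 32 fresh random bytes that the device must sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.keys[user]; !ok {
		return nil, errors.New("no key registered for user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify succeeds only for a signature over this service's own origin and the
// challenge currently outstanding for the user. The challenge is consumed
// whether or not the check passes, so a captured response can never be reused.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, haveKey := rp.keys[user]
	c, havePending := rp.pending[user]
	if !haveKey || !havePending {
		return false
	}
	delete(rp.pending, user)
	d := assertionDigest(rp.origin, c)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	key, err := NewHardwareKey()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://bank.example") // constructed origin
	rp.Register("alice", key.PublicKey())
	c, _ := rp.Challenge("alice")
	fmt.Println("challenge:", hex.EncodeToString(c))
	sig, _ := key.Respond("https://bank.example", c)
	fmt.Println("genuine response accepted:", rp.Verify("alice", sig))
	fmt.Println("same response replayed:   ", rp.Verify("alice", sig))
}
```

Contrast this with a one-time code: a TOTP or SMS code is a bearer secret, so anything that sees it can use it until it expires, whereas here the service never receives anything reusable, only a signature bound to a challenge it just generated and to its own origin.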