Memo: about two-factor authentication

Two-factor authentication (2FA), or multi-factor authentication, is a security process in which the user provides two means of identification from separate categories of credentials; one is something memorized, such as a security code or password, and the other is typically a physical token, such as a card or a previously-authenticated smartphone.

A common example of two-factor authentication is the ATM card most consumers are familiar with. In order to authorize a transaction, the user must present the ATM card (a physical token) and also enter a PIN (a memorized secret). Neither the card alone nor the PIN alone will suffice to authorize a transaction, and it is unlikely that an attacker could obtain both simultaneously.

Stolen passwords are a very common vector for online attacks. Two-factor authentication can drastically reduce the effectiveness of password-related exploits, because stealing a password is not enough to give an attacker access to protected information.

True two-factor authentication requires that the factors be chosen from separate categories of credentials. The three commonly recognized categories are

  • “something you know” (e.g., a password)
  • “something you have” (e.g., a pre-registered smartphone), and
  • “something you are” (e.g., a fingerprint)

Most two-factor authentication today works by leveraging the second category in the form of a physical token or pre-registered smartphone. Smartphone-based solutions are popular since they work with a device most users already carry with them and protect zealously.

Numerous inexpensive 2FA solutions, some based on open standards, are gaining rapid adoption:

  • U2F security keys, an open standard for inexpensive USB tokens backed by industry leaders such as Yubico and Google.
  • Smartphone apps, usually free, that implement the open standard TOTP (time-based one-time password) protocol (see below). Google Authenticator and Symantec VIP are commonly used.
  • Proprietary solutions, including Microsoft Azure and Duo.

Pre-registered knowledge tokens (PKTs), commonly known as “security questions,” are of the same category as passwords (“something you know”) and cannot be combined with passwords to provide true two-factor authentication.

Two-factor authentication does not replace passwords. Good password practices are still essential, but two-factor authentication can significantly reduce the risk of weak passwords.

Some 2FA solutions work by transmitting a one-time password over a different communication channel, such as via SMS to a pre-registered mobile phone. This is true two-factor authentication, but poor security practices by mobile service providers introduce the risk that the one-time password could be intercepted by an attacker.

More secure solutions can generate one-time passwords without having to transmit them, thus eliminating any risk that they could be intercepted. Transmitting one-time passwords via SMS has been deprecated by the latest NIST cybersecurity guidelines. Non-transmitting solutions should be preferred whenever available.

Cryptographic certificates, when generated and installed by properly authorized administrators, are of the same category as physical devices (“something you have”) and can be used in combination with passwords to implement two-factor authentication. Although a certificate is only data (like a password), it is tied closely to the physical device on which it is installed and it is difficult for the user to access, memorize, or inadvertently breach. The threat of unauthorized cloning does need consideration, but in general, enrolling a trusted device by installing a cryptographic certificate can be a cost-effective and very secure way to implement two-factor authentication.

Published by Patrick Brenner, Analyst

Patrick Brenner, Privacy and Security Analyst. Patrick was catapulted into protecting doctors, the privacy of patient data, and the protection of patients' civil rights. His knowledge of HIPAA and deep understanding of cybersecurity as it pertains to healthcare, combined with his expertise in implementing NIST guidelines, has primed him for helping healthcare practices position themselves for better HIPAA compliance. Patrick invented the Aligned Risk Management risk assessment process in close collaboration with numerous clients and colleagues seeking a modern and innovative HIPAA compliance solution. He designed the Aligned Risk Management Information System (ARMIS) and continues to oversee its development.