Pros and Cons of Two-Factor Authentication

02/03/2019 By Vasyl Tsyktor

Ensuring reliable protection for your accounts in social networks, online services, or corporate web apps is vital for avoiding personal information disclosure. When Internet users realized that traditional authorization measures based on entering credentials weren’t enough, two-factor authentication appeared. This technology was supposed to secure users’ sensitive data and make any account hacking attempt worthless.

Also known as 2FA, two-factor authentication is a technology that provides an additional security layer. With this feature, in addition to the typical authentication step of entering a username and password (something you know), you also have to present a different type of secret in order to get access to a particular account. This additional secret is one of the following factors:

  • Something you have (for example, a smartphone, smart card, or physical token)
  • Something you’re born with (biometrics like your fingerprint, retina, or vein map)

One of the common examples of 2FA is entering a one-time password sent to your mobile device when trying to sign in to your online banking account. This OTP is the second factor after you type in your credentials.

Since “something you have” may refer to different devices, two-factor authentication based on a specific device type has its unique pros and cons. In this article, we will first uncover the general advantages and disadvantages of 2FA and then consider each authentication type separately.

Advantages of two-factor authentication
2FA is often confused with two-step verification (2SV). The terms sound similar, but there is a significant difference. 2SV may rely on two factors of the same type during the authorization process, for example, credentials and a secret question, where both factors are something you know. Two-factor authentication uses two factors of different types, for example, something you know and something you have. This principle is what gives 2FA its basic benefits.

Stronger Protection

Two-factor authentication is a great cybersecurity measure that can help you minimize the risk of sensitive data theft and restrict unauthorized access to your personal account. With OTP-based 2FA enabled, even if hackers know your email and password, they won’t be able to get access to your account unless they also have your smartphone.

Furthermore, cybercriminals use different types of attacks to crack your password, including keyloggers, brute-force attacks, and dictionary attacks. Even if you know how to protect your passwords from hackers, you can’t be 100% sure your data is safe. That’s why you should enable two-factor authentication: it creates another barrier for cybercriminals and makes attacks aimed at your credentials worthless even if they do get your password.

Low cost

One of the main pros of 2FA is that enabling it often costs nothing. Many popular online services offer this feature for free, and some even provide it by default. For example, you can secure your Facebook profile with two-factor authentication at no cost. Google also allows users to protect their Gmail account with 2FA absolutely for free. Nevertheless, other web apps may charge a fee to provide you with this additional security level.

Easy to implement

The other great thing about two-factor authentication is that it’s extremely easy to set up. To enable it for your Facebook account, you go to Settings, choose the Security and Login menu option, and click on the corresponding button. To secure your WordPress website, you should install a suitable cybersecurity plugin that provides 2FA, for example, iThemes Security. You can learn more about how to protect your WordPress website from hackers in our other post.


According to a survey conducted by Duo Security, only 28% of Internet users have enabled 2FA for their personal accounts. Therefore, 72% of users put their sensitive data at a huge risk, since two-factor authentication is definitely a more reliable authorization method than traditional passwords alone. However, you should understand that it still has its drawbacks.

Disadvantages of two-factor authentication
One of the main disadvantages of two-factor authentication is that it can’t ensure 100% protection from hacking attacks. Moreover, the technology itself has weaknesses that cybercriminals can use to bypass its security layer. Hackers apply various types of attacks, such as malware, phishing, man-in-the-middle (MitM), or even account recovery schemes, to sidestep the 2FA feature or intercept one-time passwords and software tokens. Unfortunately, 2FA isn’t a magic pill.

Sharing additional data

To create an account on any online service, you have to provide the system with your email address. Companies often use this information to send you spam regularly. Even if their emails contain a link allowing you to unsubscribe, it still creates some inconvenience for you as a user. We don’t want to receive emails we don’t expect unless they inform us about something really important and useful.

Over time, you may forget your password if you don’t use a particular service for a while. This makes you follow the annoying password recovery process just to unsubscribe. With two-factor authentication, you also need to provide your phone number. Therefore, services get another channel through which to bombard you with their messages. It seems clear that users may prefer not to share another piece of their personal data.

An extra step

Without 2FA, the only thing you have to do in order to access your account is enter your credentials and click on the Sign in button. For frequently used online services, you can ask your web browser to remember your login data so you can immediately sign in next time without entering your username and password. Two-factor authentication adds another step you have to take every time you try to log in. The overall authentication process takes up to a minute, but it can annoy some users anyway.

Pros and cons of 2FA by types

Two-factor authentication can rely on various types of secret digital keys. To verify users, the technology can use hardware or software tokens, smart cards, digital certificates, and one-time passwords sent to a user via SMS, email, or push notification.

Hardware tokens

RSA hardware token

Also known as physical tokens, hardware tokens are small portable devices in the form of a key fob or USB stick. They have a display that shows one-time passwords to be entered by users in order to log in. There are also physical tokens without a display. Wirelessly connected to your computer, such tokens store your credentials, generate an OTP, and then automatically send it to an authentication app.

Pros
  • Portability
    • The portability of hardware tokens enables users to use them at any time and any place in order to log in. You can easily put such a small device in your pocket, purse, or even wallet.
  • No need for additional software
    • With a physical token having a display, users have no need for installing any two-factor authentication apps.
  • No need for remembering your passwords
    • Hardware tokens without displays may contain a built-in password manager capable of storing up to 1,000 different passwords. Connected via Bluetooth, they automatically generate and send an OTP to an authentication app. Thus, you also have no need to type in an OTP.

Cons
  • Complicated corporate deployment
    • When it comes to large enterprises with numerous employees, it takes a lot of time and resources to set up 2FA for all users. Therefore, business owners have to spend some part of their budget on hardware token deployment activities including the cost of all tokens.
  • Loss or theft
    • If you lose your token, you won’t be able to log in.
    • Furthermore, if anybody steals your token, the thief can get access to all your accounts. As a result, your sensitive data can be compromised.
  • Inconveniences
    • You should take your token with you wherever you go. You never know for sure when you need it. If you forget to take your hardware token with you, you won’t be able to sign in unless you return and take it.

Software tokens

Software token authentication

Software tokens are digital keys generated by special authentication apps like Google Authenticator or Authy. Unlike with hardware tokens, you don’t need an additional device to get an OTP. Instead, you just need to install a suitable app on your mobile device. This app will generate a one-time password you have to enter in order to access your account.

Pros
  • Reliability
    • Software tokens don’t need electrical energy to function. Unlike hardware tokens, they don’t have any batteries.
  • Easy-to-use
    • You don’t need any additional physical device to carry, unlike hardware tokens.
  • Availability
    • Software tokens are cheaper than hardware tokens.

Cons
  • Dependency on a device
    • Once you lose your smartphone or it gets broken, you can no longer log in unless you repair or replace the device.
    • If somebody steals your mobile device, the thief can get access to your personal data.
  • Vulnerability to hacking attacks
    • Like hardware tokens, software tokens are vulnerable to MitM and phishing attacks.

Smart cards
Smart cards are plastic chip cards used as the second authentication factor. Their design is similar to typical credit cards. To log in, users insert their smart card into a card reader connected to their endpoint system. There are also contactless smart cards.

Pros
  • Authorization in different accounts
    • A single smart card can be used for authorization in multiple services.
  • Reliability
    • Smart cards don’t need electrical energy of their own to function. Unlike hardware tokens, they don’t have any batteries; authentication is handled by magnetic signals or a PKI chip.

Cons
  • Complicated corporate deployment
    • To use smart cards for authentication, users need specific software and hardware like card readers. Managers have to spend some part of the corporate budget on technology deployment activities including the cost of all smart cards.
    • The need for associated software and hardware leads to the necessity of constant technical support from system administrators.
  • The need for regular updates
    • Certificates stored on smart cards have a limited lifetime. That’s why they require regular updates. This forms additional tasks for system administrators.

Digital certificates

Email digital certificate

Digital certificates are electronic documents that bind a user to a key within a public key infrastructure (PKI). Each certificate contains data about the key, information about the certificate owner, and the certificate issuer’s digital signature. Examples of digital certificates are: certificates for signing electronic documents (a.k.a. qualified certificates), email certificates, and trust anchors used to sign other digital certificates.

Pros
  • No need for installing additional software
    • Digital certificates are virtual keys you have to upload to access your account or sign electronic documents. So these certificates often require no additional software or mobile apps.
  • No need for deploying additional hardware
    • Unlike physical tokens, users store their digital certificates on their computers. So you don’t need any other hardware.

Cons
  • Portability
    • Digital certificates can be copied, thus allowing cybercriminals to get access to your personal or corporate data.
    • Having obtained your qualified certificate, cybercriminals can sign an electronic document on your behalf.
    • Anyone using the computer with a certain digital certificate stored on it can log in.
  • No flexibility
    • Digital certificates provide no flexibility since they’re linked to a single endpoint.
  • Easy-to-lose
    • Like any other file on your computer, you can accidentally delete it.
    • In addition, if your hard disk gets reformatted or destroyed, you can no longer access your account.

One-time passwords

One-time password

With tokenless two-factor authentication, users may also log in through their mobile devices, such as a mobile phone, smartphone, or tablet. Users sign in using an OTP received via SMS, QR code, or push notification.

Pros
  • Easy-to-use
    • No need for purchasing, configuring, and maintaining additional software or hardware.
    • Mobile devices support a wide range of OTP transmission options, including SMS, push notification, IVR, etc.
  • Affordable technology
    • Company owners have no need for spending a lot of resources to enable 2FA for each employee. A single corporate system installed on a server can generate one-time passwords for all team members.

Cons
  • Dependency on a device
    • Once you lose your smartphone or it gets broken, you can no longer log in unless you repair the device or insert your SIM card into another smartphone.
    • If somebody steals your mobile device, the thief can get access to your personal data.
  • Vulnerability to hacking attacks
    • Smartphone owners using SMS-based 2FA put their accounts at risk, since one-time passwords are vulnerable to so-called man-in-the-middle (MitM) or even simple phishing attacks. MitM attacks intercept sensitive data sent from a server. As a result, it is the hacker, not the target user, who receives the OTP sent via SMS, IVR, or push notification.

Phishing attacks refer to direct communication between a victim and an attacker, where the latter uses psychological manipulation to get an OTP. Phishing can also mean creating malicious websites that replicate the design of authentic online resources to deceive users into entering their credentials and one-time code on the fraudulent site, thus bypassing two-factor authentication.

Biometrics
Face ID Apple X

With two-factor authentication enabled, some online services can authenticate users by their biometrics: a vein map, fingerprint, retina, or face. Once you’ve entered your password, you have to let a smartphone-based scanner read your biometrics to access your account.

Pros
  • Availability
    • Many modern smartphones and tablets support authentication based on biometrics via built-in fingerprint or face scanners.
  • Reliability
    • No one can steal your biometrics. As a result, third parties theoretically can’t get access to your personal data.

Cons
  • Inaccurate technologies
    • Built-in face scanners can be deceived with a face cast that replicates the appearance of a specific person.
    • Face recognition algorithms based on artificial intelligence (AI) are still inaccurate. For example, they can’t properly recognize the faces of Black women or of Asian people. At the end of 2017, The Mirror wrote that Apple’s Face ID had failed to distinguish between Chinese users.
  • High cost
    • For technology vendors, implementing biometrics scanners in mobile devices is more expensive than using software tokens or one-time passwords.

Conclusion
Two-factor authentication is a must-have cybersecurity measure that sets a significant obstacle for hackers wanting to break into your account and access your personal data. However, the technology is imperfect, and its pros and cons vary by type. To maximize your protection against hacking attacks, you should use either software tokens or biometrics-based 2FA. However, if a service provider offers only OTP-based two-factor authentication, that is still better than no 2FA at all.