What Is Two-Factor Authentication and Why Should You Enable It?11 min read

What Is Two-Factor Authentication and Why Should You Enable It?11 min read

03/12/2018 0 By Vasyl Tsyktor

Two-factor authentication has been around more a decade but still hasn’t managed to become widely known as a reliable and effective account protection technique. Is it as secure as it’s supposed to be and can it ensure third parties won’t get access to personal data?

The survey conducted by Duo Security shows the dramatically low basic cybersecurity education among people. Only 28% of Internet users protect their accounts with two-factor authentication (2FA). Furthermore, solely 56% of users have ever heard about this technology. This percentage is likely to be overestimated since the company’s audience is more educated in personal information protection measures than average people. One way or another, 2FA is a technique worth implementing to avoid the disclosure of your data and here’s why.

What is 2FA?

Two-factor authentication also known as 2FA is a method of user identification that uses two different types of authentication data instead of passwords only. The additional security level provides the more efficient account protection from unauthorized access.

Factors used in two-factor authentication are any two ones of the following three depending on a particular app:

  • Something they know;
  • Something they have;
  • Something they’re born with.

The most common scenario is entering certain data users know and using specific data they have.

Something users know

Something users know refers to a password, PIN, secret phrase, pattern, etc. This includes any sensitive data users memorize and then enters into the system upon its request.

Something users have

Something users have refers to a physical token, a small device belonged to the user. The simplest tokens don’t require the physical connection to the computer. Instead, they have a display showing the number that the user has to enter to log in. Advanced tokens can be connected to a computer via USB or Bluetooth. Smartphones also can act as a means of tokens. Apps like 2FA Google Authenticator, which is likely to be the best 2FA app for WordPress websites, generate a one-time password (OTP) and send it your mobile device via notification or SMS. These one-time passwords can be either time-based or algorithm-based.

Time-synchronized one-time passwords

OTP systems regularly update time-based one-time passwords to keep them secure. Time-synchronized tokens have a clock synchronized with the time set on the proprietary authentication server. Such OTP systems generate new passwords using accurate time instead of secret keys or previous passwords.

Algorithm-based one-time passwords

One-time passwords based on mathematical algorithms use previous passwords to generate new ones. There is a certain mathematical dependence between next and previous passwords. This dependence lies in the one-way function f(s) where the generated passwords are the results of this function with a certain “s” value. To check whether the entered password is corrected, the system calculates the f(entered password) function that has to be equal f(s). Passwords based on mathematical algorithms are impossible to predict, even though all the previous passwords are known.

Something users are born with

Something users are born with refers to their biometrics: fingerprints (e.g. Touch ID on iPhone), a form of their face (e.g. Face ID), or retina blood vessels. Any of this data types can be used as an additional security layer to the standard user authorization procedure. For example, to authorize with Touch ID on iOS-based devices, users have to tap the Home button with their thumb to enable a smartphone to scan their fingerprint.

The difference between multi-factor authentication and two-factor authentication lies in the number of factors used for authorization. Examples of multi-factor authentication are:

  • Step #1 – entering a password.
  • Step #2 – receiving an OTP.
  • Step #3 – scanning a fingerprint.

It’s worth noting that 2FA is multi-factor authentication, but not every MFA is two-factor authentication.


Two-factor-authentication can be divided into types based on the sensitive data delivery method. Using 2FA, users can authorize themselves in a hardware-based (via tokens) or tokenless way. Let’s consider the advantages and disadvantages of two-factor authentication by methods.


Hardware-based two-factor authentication refers to the technology that uses portable devices that to authorize users in online services. These devices include hardware tokens and smart cards.

Physical tokens

Hideez hardware token

Hardware or physical tokens refer to small portable devices in a form of the key fob or USB stick. Hardware tokens have a display that shows one-time passwords to be entered by users in order to log in.

  • The portability of hardware tokens enables users to use them at any time and any place in order to log in.
  • With a hardware token, users have no need for installing any two-factor authentication app.
  • When it’s about companies with many employees, it takes a lot of time and resources to set up 2FA for each user.
  • If you lose your token, you won’t be able to log in.
  • You should take your token with you wherever you go. You never know for sure you will need it.
  • If somebody steals your token, your sensitive data can be compromised.


smart card

Smart cards are plastic chip cards used as a means of the second authentication factor. Their design is similar to typical credit cards. To log in, users need to insert their smart card into the card reader connected to the user endpoint system.

  • A single smart card can be used for authorization in multiple services.
  • Smart cards don’t need electrical energy to function.
  • To use smart cards for authentication, users need specific software and hardware like card readers.
  • The need for associated software and hardware leads to the necessity of constant technical support from system administrators.
  • Certificates stored on smart cards have a limited lifetime. That’s why they require regular updates.
  • A smart card cannot be used with mobile terminals because of their slim design.

Tokenless authentication

Tokenless authentication refers to authorization techniques that happen through digital certificates or personal mobile devices already possessed by users, unlike hardware tokens that need to be separately purchased.

Digital certificates

Digital certificates refer to virtual files or keys stored on the user computers. The most common type of digital certificates is a digital signature used to sign electronic documents.

  • No need for installing additional software
  • No need for deploying additional hardware
  • Digital certificates provide no flexibility since they’re linked to a single endpoint.
  • Anyone using the computer with a certain digital certificate can log in.
  • If the hard disk is reformatted or destroyed, users can no longer get access to their service.

Personal mobile devices

With tokenless two-factor authentication, users may also log in through their mobile devices like a mobile phone, smartphone, or tablet. Users can either authenticate themselves with one-time passwords or biometrics.

  • No need for purchasing, configuring and maintaining additional hard tokens.  
  • All modern mobile devices support at least OTPs.
  • Many smartphones and tablets support authentication based on biometrics via built-in fingerprint and face scanners.
  • Smartphones support a wide range or OTP transmission options that include SMS, authentication apps, IVR, etc.
  • Once user’s smartphone is destroyed or stolen, he no longer can log in unless repairs the device or inserts his SIM card into another smartphone.
  • Those smartphone owners using SMS-based 2FA put their accounts at a risk to be hacked.


According to Statista, the number of those users who use 2FA based on hard tokens has been dramatically decreased within the last decade. 38% of computer owners used hard tokens in 2010 compared to only 19% in 2017. This may be caused by a few two-factor authentication concerns that technology vendors and users usually face.


The synchronization between a client token and server makes the authentication possible. The problem is that they get desynchronized over time. However, some cybersecurity systems like RSA’s SecurID make the resynchronization between the token and authorization server possible by using a set of access codes.

Limited energy

Many hard tokens have unreplaceable batteries that lose their capacity over time like any other modern battery. This leads to the highly limited service life which makes users regularly purchase new physical tokens.

High cost

Among the three authentication factors, the most popular ones are the information users know and data they have rather than something they’re born with. This tendency is based on the high cost of developing and implementing biometrics scanning devices such as fingerprint and retina scanners as well as multiple cameras for face recognition.


The other problem with the use of biometric scanners is the determination of the required accuracy level. If you set the fingerprint scanner resolution to the maximum level, then you may not access your service or device in the case where you have your finger burned or frozen. Therefore, to avoid such errors, scanners are made in the way to match similar fingerprints rather than fully identical.

How hackers bypass two-factor authentication?

Apple two-factor authentication

According to The Register, more than 90% Gmail accounts don’t have 2FA which shows an extremely low level of carelessness among Internet users. However, as our two-factor authentication definition indicates, this technology adds an additional layer of cybersecurity rather than fully protects from sensitive data thefts. 2FA is still vulnerable to some attacks despite it excludes a wide number of their categories. To bypass multi-factor authentication, hackers need to compromise your fingerprints, get access to cookie files or codes generated by tokens.

Account recovery

Hackers can bypass 2FA protection using the account recovery feature vulnerabilities. This is exactly the way how Matt Honnan’s personal accounts were hacked. The journalist from Wired lost access to Amazon, Gmail, Twitter, and even Apple ID. Three years later, a CTO at OneID Jim Fenton tried to do the same with his own Google account. The account recovery feature allowed him to bypass the enabled two-factor authentication. However, I decided to check how this trick works with Facebook in 2018. The social network still requested a 6-digit one-time password. As an option, they offered to submit a request and send either a government-issued ID or take a photo of myself holding a sign with a hand-written code.

Social Engineering

Social engineering refers to various psychological manipulation tricks aimed at making target users provide sensitive information frauds need. This information can include, passwords, PIN, primary account numbers (PANs), address, medical history, etc. To get this data, hackers can use phishing, spear-phishing, and phone-phishing techniques that allow the attackers to avoid the need for compromising sensitive user data and intercepting 2FA one-time-passwords.


Phishing implies sending emails or text messages with a fake story to wriggle into favor and get confidential data or even make victims send money. In this story, for example, an attacker can pretend to be a representative of a service company that requests sensitive data to provide certain technical assistance.


Spear-phishing is another fraudulent technique similar to typical phishing. The only difference between them is that spear-phishing targets certain recipients, for example, top managers. With highly personalized emails, frauds strive to extract confidential corporate information or make the victim perform certain tasks.

Phone/IVR Phishing

Phone phishing differs from ordinary phishing or spear-phishing by the communication method. A scammer calls target people and presents his fake story to make them disclose their sensitive data. Frauds may also imitate an interactive voice system (IVR) to trick their victims in order to achieve the same goal.


Hackers may conduct Man-in-the-browser attacks using cyber viruses called trojans to infect web browsers like Google Chrome or Microsoft Explorer. Once successfully integrated, trojans can intercept sensitive data entered by the user or maintained by online services containing this information. Therefore, users literally provide hackers with the information they need thus allowing these attackers to bypass various protection measures like two-factor authentication.


To hack 2FA, scammers may modify the communication between user’s endpoint and a server in the way to intercept one-time passwords. That’s why the National Institute of Standards and Technology (NIST) has recognized this authentication method as insecure because of the vulnerabilities of the Signaling System 7 (SS7), a set of telephony signaling protocols. To intercept the SMS with a one-time password, hackers replace user data like information about his mobile switching center (MSC) in the Home Location Register (HLR) with their own one. Thus, scammers receive all user’s text messages and incoming calls.

Final thoughts

Unfortunately, two-factor authentication has its vulnerabilities and can’t guarantee third-parties won’t get unauthorized access to your accounts, especially in the case where you receive one-time passwords via SMS. However, this cybersecurity measure can significantly complicate the hacking attack to conduct.

A wide range of services uses 2FA. They include:

  • Microsoft
  • Reddit
  • Discord
  • Slack
  • Linkedin
  • PayPal

The technology will definitely protect your personal data from automated massive hacking attacks. To ensure the maximum level of cybersecurity, you should use your biometrics as a means of the second authentication factor. A fingerprint, face, and voice are those characteristics that are impossible to counterfeit or steal. That’s why 2FA is an effective access control technique.