What is two-factor authentication? ... and is it enough?

July 3, 2019

What is two-factor authentication?

Customers use the internet to apply for car loans, log into their doctor’s patient portal to make appointments, even stream the game on Sunday. Whatever you’re doing online these days, there’s a good chance you need a password to do it. However, even with a complicated password, your personal information and online accounts are still at risk. Why? Because electronic fraud and hacking are at an all-time high. Data breaches are now a matter of “when,” not “if.”

Sophisticated passwords increase protection against brute force attacks, but long strings of letters, characters and numbers aren’t necessarily enough to help you sleep at night. Plus, if you’re using the same credentials for multiple accounts, the consequences of a breach are even greater, not to mention potentially expensive and time-consuming to repair. To address the liability of protecting online identities and guarding personal data, cybersecurity experts recommend two-factor authentication.

Two-factor authentication, or 2FA for short, requires a password (the first factor) then a numeric code, security token or a biometric such as a fingerprint (the second factor) to access online data. Also known as two-step verification or dual-factor authentication, 2FA validates both sets of user credentials before granting access to an online account.

Most 2FA processes combine two of five common authentication factors: knowledge, possession, inherence, location, and time. Knowledge factors are items the user knows, such as a password or PIN, whereas a possession factor is something the user possesses, such as their mobile phone or an ID. Inherence factors, also known as biometric factors, include fingerprints, voice tone and other inherent identifiers.

As the name suggests, location factors come from data sources such as IP addresses or GPS software with verifiable location-specific information. Last, but equally valuable in the 2FA toolbox, are time factors where user authentication only occurs during fixed periods and prohibits access outside of these timeframes.

Consumers will likely recognize knowledge, possession, and inherence factors as the most common 2FA methods from personal experience. However, even though 2FA is familiar, internet users still seem less concerned about password theft than ease of access. Opening their email fast or checking a bank balance as quickly as possible is seemingly more important than securing their online accounts.

Is 2FA enough?

According to Verizon’s 2019 Data Breach Investigations Report, companies in every industry are at risk of a breach. “Regardless of the type or amount of your organization’s data, there is someone out there who is trying to steal it.” Record-setting data thefts at Adobe, Anthem, eBay, Equifax, Home Depot, Hilton, Hyatt, JP Morgan Chase, LinkedIn, Marriott International, Sony Pictures, Target, Uber, the United States Office of Personnel Management, and Yahoo prove that if you’re online, your personal information is in jeopardy. Considering the number of businesses reporting cyber incidents increased from 45% in 2018 to a startling 61% in 2019, it seems 2FA isn’t automatically enough to protect your virtual identity, bank account, or credit score.

As an affordable, typically user-friendly process, 2FA minimizes the possibility of online threats such as synthetic identity fraud, account takeover fraud, hacking, and phishing. Still, like any system, 2FA is only as strong as the weakest link.

It's about using the right two factors

Two-factor authentication systems can be vulnerable unless you use the right combination of factors. Methods that rely on security tokens depend on manufacturer quality, and processes using biometric factors need reliable, secure software as well. Two-factor authentication built on knowledge factors, such as a one-time verification code sent to the user’s phone, is susceptible to social engineering hacks. “Any 13-year-old could download the tool and actually carry out these attacks,” says Kevin Mitnick, once one of the FBI’s most wanted hackers. (Read more about the different methods of online fraud in our whitepaper by ex-fraudster, Brett Johnson.)

And research suggests increasing cybersecurity in the C-suite is a smart idea. In 2018, “C-level executives were 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past. Security incidents and data breaches that compromised executives rose from single digits to dozens,” as reported by Verizon. No security system is perfect; hackers can intercept 2FA texts as efficiently as they crack weak passwords. When you use the right two factors, like ID document verification hand-in-hand with biometrics, you're ensuring a more layered and more secure approach.
