What is Two-Factor Authentication (2FA) and Why Should You Use It?

Learn why 2FA is one of the most effective cybersecurity tools you can use across your organization.
Josue Ledesma
5 min read
Last updated March 3, 2022

Two-factor authentication (2FA)  is one of the most effective ways to reduce the risk of your employees falling victim to an account takeover, potentially exposing your organization’s sensitive assets and accounts.

2FA is increasingly supported by many platforms, accounts, and devices, and it’s one of the few cybersecurity tools that provide such robust protection with minimal effort involved, allowing you to implement it in your organization with little friction.

In this article, we’ll show you what 2FA is, why it’s effective, and how you can implement it in your organization.

What is Two-Factor Authentication?

2fa definition

Two-factor authentication is a form of account security and complements traditional forms of authentication such as a password to exponentially increase an account’s protection.

Essentially, two-factor authentication requires two different forms of authentication in order to provide access. Authentication traditionally involves one of the following:

  • Something you are (such as a fingerprint or face ID)
  • Something you know (like your password or a security question)
  • Something you have (like your cell phone or a security key)

Two-factor authentication requires two out of the three to provide authentication. This means you’ll have to enter a password and click a prompt on your phone or enter a password and then enter a pin or code that was sent to your email.

Two-factor authentication doesn’t count if, for example, you’re asked to enter a password, then a security question. These are just additional forms of the same type of authentication and don’t provide as much security.

Why You Should Use Two Factor Authentication

Two-factor authentication arose from a need to increase account security because passwords have become less and less secure.

Past data breaches led to billions of accounts being leaked giving malicious hackers insights into what were the most commonly used passwords and which email/password combinations they could try on other accounts..

Hackers equipped with this knowledge and brute-force tools that could enter millions of different password combinations in seconds made passwords easily exploitable, especially since employees don’t use strong passwords.

2FA ensures that even if a password was compromised, directly or indirectly, it wouldn’t lead to an account takeover. Against automated attacks, 2FA was found to be incredibly effective. Research from Google showed that device-prompt 2FA stopped 100% of automated bot attacks.

Any organization should be leveraging 2FA and many platforms, sites, and tools have an option to force 2FA, increasing the chance of adoption and decreasing the chance of your company being compromised.

Examples and Common Types of Security Authentication Options

There are a number of different kinds of authentication options available. Remember your choice should go straight to the most secure option. Instead, choose the option that’s likely to be adopted and supported in your organization and by your employees.

Something you know (knowledge factor)

  • Password: this is the most common one – you set a password, remember it, and use it whenever you need to access an account.
  • Pin: This is similar to a password but often shorter and number-based, making it even easier to figure out.
  • Pattern: Many phones use this method – you set a specific pattern and use it to unlock your phone whenever you need it.
  • Security Questions: This is commonly used as an additional form of authentication (2FA) and often asks personal questions. However, things like “first school attended” or “mother’s maiden name” aren’t difficult pieces of information to figure out.

Something you have (inheritance factor)

  • Email: After logging in, an account may send a one-time code to your email. Security comes from the assumption that you should be the only one with access to the email associated with the account.
  • SMS: Some accounts will text you a code to enter as an additional form of authentication, assuming you’re the only one able to see text messages.
  • Device prompt: This is similar to SMS but a signal will be sent to your specific device. Once you acknowledge the prompt, you’re authenticated.
  • Authentication app: This works similarly to the device prompt but requires a separate app, like Authy or Google Authenticator. This is also designed to work offline as well.
  • Security key: This is a piece of hardware that, once set up with your account, acts as an additional form of authentication. Each security key is unique so there’s no way for someone to buy a security key and get into your accounts.

Something you are (biometric factor)

Biometric authentication is a relatively new method of authentication and it’s become more acceptable by the end user and companies in the last several years.

They all work the same way – a device or account takes in your biometric information and you present it whenever you need to access an account. If there’s a match, you’re in. Biometric methods include:

  • Face recognition
  • Fingerprint scanning
  • Iris scanning

There are other forms such as DNA, gait and odor but they aren’t leveraged as commonly as the above.

How Does Two Factor Authentication Work?

turning on 2fa

Two-factor authentication is becoming increasingly used and supported by a majority of companies, meaning you can set policies and/or 2FA requirements for accounts such as gmail, Microsoft Office, and more.

Social media accounts, banks, email clients, banking, and payment apps all allow you to turn on 2FA or MFA on and, depending on their support capabilities, you’ll be able to have SMS 2FA, authenticator 2FA, or other forms of 2FA, which do provide different forms of security.

Here’s what you can usually expect after you turn on 2FA.

  • You reach the log-in point either via your app or website
  • You enter your password
  • You’re prompted with the additional authentication factor. This could be a pin sent to your email or phone via SMS, or you may check your authenticator app.
  • You enter the code in.
  • You’re in the account!

On the user side, most forms of 2FA feels just like entering two different passwords – you just have to make sure you have access to your phone or email. For more involved forms of 2FA, you’ll need a separate app (or device) but you’ll get used to it soon enough.

Is SMS Two Factor Authentication Secure?

Despite two-factor authentication’s effectiveness, it’s not without its risks. Traditionally, the more layers of authentication (which is the case with MFA), the more secure your account is. But different forms of 2FA are more secure than others.

SMS 2FA is one of the more riskier forms of 2FA because SMS messages can get intercepted and SMS carries its own inherent risks. It’s still better than having no 2FA but device prompt, email codes, and authenticator apps are all more secure.

Even though SMS 2FA has risks, it is far riskier not to have any form of 2FA enabled, which is why we still recommend considering SMS 2FA above having no 2FA.

How Do Security Tokens Help With Two Factor Auth

security tokens

Security keys (also known as security tokens or hardware tokens) are the most secure form of 2FA and are in a class of their own because they’re security hardware. They’re a physical tool that you have to carry in order to log into specific accounts.

This makes them a bit trickier to work with as there’s a chance that you’ll lose them but the tradeoff in security is massive. After you set up an account with a security token, only that security token can authenticate an account. There’s no other method and malicious actors can’t replicate it.

It’s an incredibly effective form of security but requires more upkeep and may not be supported by all the accounts you want to secure. It may also be more difficult to get all your employees to adopt this more involved form of security.

Conclusion

2FA should not be ignored as an essential component of your cybersecurity arsenal. It’s extremely effective and is already being used and supported by a number of different companies and accounts.

As 2FA becomes more widely adopted, it continues to advance and companies should take advantage of any new methods if they’re more supported and likely to be adopted by employees.

Employees are also becoming more accustomed to using 2FA so you’re likely to face less resistance, making it easier to implement across your organization. It’s worth it and should be a top priority.

To find more ways to protect your organization and data, check out Varonis’ Data Security platform.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

mixed-messages:-busting-box’s-mfa-methods
Mixed Messages: Busting Box’s MFA Methods
Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification.
bypassing-box's-time-based-one-time-password-mfa
Bypassing Box's Time-based One-Time Password MFA
The Varonis research team discovered a way to bypass Box's Time-based One-Time Password MFA for Box accounts that use authenticator applications.
crosstalk-and-secret-agent:-two-attack-vectors-on-okta's-identity-suite
CrossTalk and Secret Agent: Two Attack Vectors on Okta's Identity Suite
Varonis Threat Labs discovered and disclosed two attack vectors on Okta's identity suite: CrossTalk and Secret Agent.
caught-in-the-net:-unmasking-advanced-phishing-tactics
Caught in the Net: Unmasking Advanced Phishing Tactics
Learn new, advanced phishing tactics being used by attackers and how your organization can combat them.