Security in Plain English: What is Two-Factor Authentication

January 09, 2018
Mike Talon

Security in Plain English Series

What is Two-Factor Authentication?
Why Do I Have to Change my Password Every 30/60/90 Days?
Office 365 Phishing
What is a DDoS Attack?
What are Red, Blue, and Purple Teams?

“Companies like SecureAuth provide two-factor authentication when I log in, and my bank and other websites have started using it. What is it, exactly, and why do I need to take an extra step?”

Your bank, Facebook, GMail, Outlook.com and lots of other sites (including your company) are asking you to turn on multi-factor authentication (MFA) to make your account and your online activity more secure. At its heart, MFA is simply a way to help ensure that the person trying to log into a resource is who they say they are, by going beyond the username and password alone. As a result, you are protecting yourself from account takeover and identity theft where someone else fraudulently uses your login credentials.

2-step verification for your online accounts – How it works

A 2-step verification is a common login process where in step 1 you provide your username and password and in step 2 you enter an OTP code. Hence the name “2-step verification”. 

  1. You go to log into a site or application. You provide your username and password (sometimes just the username).
  2. An authentication system checks your login request to see if it knows who you are already. The authentication system (sometimes called the “IAM system”) checks for several characteristics of your login attempt. These characteristics may include: the device you’re currently using, your physical location, if you are connecting over a Virtual Private Network (VPN), if you’re using an anonymizing service like TOR or others, etc.*
  3. If the IAM system cannot confirm that you are who you appear to be, or if there’s any question as to you being who you are, then it asks you to provide another factor (which is where Multi-Factor Authentication gets its name) to prove your identity. Factors range from a One-time Password (OTP) that can be delivered by text message or read from a smartphone OTP app, a push request sent to your smartphone or some other challenge that requires you have some other device in your physical possession.
  4. If the login screen didn’t ask for your password before, you enter it now.
  5. You’re successfully logged in.

*) Discrepancies in your location, IP address or device are all reasons for OTP prompts.
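The five steps above, as an added worked example that is not code from this post or from SecureAuth: the authenticator app and the server share a secret and both compute the same RFC 6238 time-based OTP from it, and a context check on the attempt (device, country, VPN/TOR use) decides whether the OTP is requested at all. The profile and context field names are assumptions, and the sample data is constructed; the secret is the RFC 6238 test-vector seed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate phone clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * STEP), submitted):
            return True
    return False


def needs_second_factor(ctx: dict, profile: dict) -> bool:
    """Step 2 of the flow: the IAM system compares the attempt with what it already knows."""
    return (ctx["device_id"] not in profile["known_devices"]
            or ctx["country"] != profile["home_country"]
            or ctx["via_vpn_or_tor"])


def login(password_ok: bool, ctx: dict, profile: dict, secret: bytes, otp, now: int) -> str:
    """Steps 1-5: password first, then a challenge only when the context is unfamiliar."""
    if not password_ok:
        return "denied"
    if not needs_second_factor(ctx, profile):
        return "ok"                      # recognised device and location: no prompt
    if otp is None:
        return "otp_required"            # step 3: ask for the extra factor
    return "ok" if verify_otp(secret, otp, now) else "denied"


if __name__ == "__main__":
    # Constructed sample data; the secret is the RFC 6238 test-vector seed.
    secret = b"12345678901234567890"
    profile = {"known_devices": {"laptop-1"}, "home_country": "US"}
    home = {"device_id": "laptop-1", "country": "US", "via_vpn_or_tor": False}
    hotel = {"device_id": "kiosk-9", "country": "FR", "via_vpn_or_tor": True}
    print(login(True, home, profile, secret, None, 59))               # ok
    print(login(True, hotel, profile, secret, None, 59))              # otp_required
    print(login(True, hotel, profile, secret, totp(secret, 59), 59))  # ok
```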

Two-factor authentication – It’s about What you know & What you have

Multi-Factor Authentication (MFA), commonly called two-factor authentication or 2FA, is based on the idea that in addition to something you know (your username and password), you also prove who you are with something you have (a smartphone, etc.) or something you physically are (a fingerprint, facial recognition, etc.). The combination of these factors helps to ensure that the person typing in the username and password is who they say they are, because they also have access to the additional factor.

The reason two-factor authentication is becoming popular is because usernames and passwords alone aren’t particularly secure anymore. Not only do people re-use passwords on multiple sites, but many also choose passwords that are either easy to guess or are short enough to be guessed by trial-and-error. Since a simple username and password combination is no longer enough to prove identity, looking for some other factor is a logical next step.

Why should I stop using passwords and use OTP instead?

We carry mobile phones and smartphones with us everywhere these days, so text messages with an OTP or an iOS/Android authenticator app that can receive a push alert are popular MFA options that don’t inconvenience the user. Smartphones are also quickly becoming capable of using fingerprints and other biometrics as identity factors – and as such, sites and applications are beginning to accept those for MFA too.

Keep me signed in – a path to less frequent OTP prompts

Note that some systems don’t check to see if they recognize you before prompting for two-factor authentication, so you might get challenged every time you log in. That’s inconvenient, so more and more systems are switching to a more adaptive authentication workflow. That means you go through fewer MFA challenges without sacrificing the security of your account and data.

You may also see a “Keep me signed in” checkbox on the login screen. If the computer is your personal device (not a shared PC), go ahead and check this option. The “Keep me signed in” option will create a persistent cookie in your browser and your session will – for a period of time – remain active when you close and reopen your browser.

Logins with MFA or 2-step verification are becoming more and more popular as passwords get less and less secure. Therefore it shouldn’t be a surprise if sites and companies that didn’t use them before start using them now. If your workplace IT department needs you to use two-factor authentication for corporate access, they’re trying to keep your data and your identity safe. It only takes a few extra seconds, but can save the company millions by avoiding a data breach.

The Security in Plain English blog series aims to help end users understand why IT Security enforces policies and how to best protect themselves in a digital world.
