Article

What is two-factor authentication (2FA)?

F-Secure
F-Secure
|
28 Oct 2023
|
8 min read

Logging in with two-factor authentication involves a second step to authenticate your­self. Instead of only inserting your user­name and pass­word, you must also prove your identity in some other way. The second step in two-factor authentication can involve a code sent to your phone with a text message, a personal question only you can answer, your finger­print, or a mobile app, for instance.

Two-factor authentication is some­times also called two-step authentication, two-factor verification, or simply 2FA. The term MFA or multi-factor authentication is used to refer to methods of authentication that involve two steps or more. 2FA and MFA improve your online security by making it more difficult for hackers to access your accounts and steal private information.

How does two-factor user authentication work?

When logging into an account, the user’s identity is traditionally confirmed with a user­name and pass­word. Using a strong pass­word takes you a long way, but even a pass­word does not protect you if it gets stolen. With tools and methods to hack or steal login credentials, a pass­word and user­name are no longer enough to protect your personal data.

The user­name is often your email address and it is usually visible to every­one. There­fore, it is not difficult to guess or find out. And let’s face it, it is often much easier to use the same pass­word for several accounts or choose a pass­word that is simple and easy to remember. When the same pass­word is used on more than one account, criminals can easily access many accounts at the same time. Consider using a pass­word manager to help generate and store strong pass­words.

The methods of two-factor authentication can be divided into three categories:

  • Some­thing you know. This can be a pass­word, PIN code or an answer to a personal question, for instance.

  • Some­thing you have. In this case, you will need a physical object for identifying your­self, such as your phone or credit card. There are even physical security keys used for multi-factor authentication.

  • Some­thing you are. This method of multi-factor authentication is very secure as it involves some biometric pattern, such as the user’s face, finger­print or voice.

In order to prevent their users’ accounts from getting hacked, many online services and web­sites have adopted two-factor authentication. How­ever, in many cases, two-factor authentication is not on by default. Instead, it is up to the user to switch it on manually from the account settings. The way 2FA is turned on in each service and how the authentication works in practice depends on the service. For example, 2FA may be required only when logging in to a new device or every time the user tries to log in to their account.

Why should you use two-factor authentication?

For maximum protection, we recommend enabling two-factor authentication on as many user accounts as possible. Unfortunately, not all services offer two-factor authentication yet, so you will have to rely on using a strong and unique pass­word for logging in.

The methods and tools used by online criminals and scammers are constantly getting more nuanced. There­fore you must ensure that no one but you can log into your accounts and access your valuable information. Although two-factor authentication may seem complicated, it is a simple way to improve your safety online. Here’s how 2FA can help you stay safe:

  • Prevent account take­overs. If an online criminal manages to break into your account, they can steal personal information, such as credit card information, and use them to make purchases online.

  • Prevent identity theft. In addition to account take­over, you may be at risk of becoming a victim of identity theft. The consequences can be serious and expensive if you do not act in time.

  • Prevent fraud in your name. If online criminals get access to your account on, for example, social media, they can use it to spread false messages in your name. For example, the fraudster can take over your Instagram account and try to sell bitcoins to your followers. That is why 2FA not only protects you and your reputation, it stops others from being scammed as well.

  • Take care of your accounts. By enabling two-step authentication, you are forced to think more carefully about your online security. Many people use the same one or two pass­words on multiple accounts because it is easier and more convenient than having to remember multiple strong pass­words. Two-factor authentication is an effective way to raise awareness of online privacy and cyber security.

Multi-factor authentication methods

Based on the three categories, there are many methods used in multi-factor authentication.

  • Personal question. You can set up a security question that only you can answer. Just make sure that the question and answer are not too obvious and easy to guess.

  • One-time confirmation number. Every time you log in you receive a PIN code as a text message to confirm your identity.

  • Face ID. The device must read your face to make sure it is you logging in.

  • Fingerprint. Since every­one’s finger­prints are different, you scan your finger to identify your­self. Modern smart­phones support this login method as well and can read your finger­print through the mobile device’s touch screen.

  • Voice recognition. To gain access to your account, the device has to recognize your voice first. Voice recognition can in some cases be tricked with pre-recorded samples of the real user’s voice.

  • QR code. To log in, you must scan a QR code with an app.

  • Authentication app. For example, many banks use a separate authentication app to log in. After inserting your login credentials, the service sends an authentication request to an app on your mobile device.

  • Security key or token. Physical security keys, such as USB, NFE or Blue­tooth devices, confirm your identity. You carry these with you, so they are secure as long as no one steals them.

How hackers can bypass two-factor authentication

Although 2FA improves the protection of accounts online and makes hacking into your accounts more difficult, there are still ways for online criminals to bypass two-factor authentication.

Social engineering

In social engineering, online criminals exploit one of the weakest links in people’s cyber security: the victims them­selves. Manipulation of users to steal their sensitive information and gain access to their accounts is known as social engineering. One common method of social engineering is phishing. It involves messages and emails to trick people into giving away confidential information or infecting the victim’s device with malware.

To bypass two-factor authentication, an online criminal could impersonate a trusted authority and make up an excuse for why the victim should give away their security code. In case the attacker has already obtained the victim’s user­name and pass­word, they are able to break into the account using the 2FA code.

Brute force

In cyber security, brute force attacks refer to repeated attempts to log in to an account. This is done most often with some kind of soft­ware that tries to guess an account’s pass­word. In case there is no limit to how many times an attacker can input an incorrect pass­word, sooner or later they will crack the code, in case the pass­word is not secure enough. The longer and more complex the pass­word, the longer it takes to break it with brute force.

The same applies to 2FA codes. Especially if the code is short, only four to six numbers, the code can be cracked using this method. To prevent this, the code might be active for only a short time or the authentication is limited by only a few failed attempts.

Reused tokens

Many methods of user authentication generate a token used for authentication on the spot. How­ever, in some cases, there can be a list of tokens generated in advance. The hacker needs to know which token to use and they can bypass two-factor authentication. How­ever, the hacker needs to first get the victim’s user­name and pass­word as well.

Malware

Online criminals can use malware to bypass two-factor authentication and access the victim’s online banking account, for instance. Some advanced Android Banking Trojans are capable of impersonating legitimate banking apps and trick the victim into authenticating the criminal’s access them­selves. In addition to online banking, similar malware causes harm in many crypto­currency services.

Changing the victim’s privacy settings

The security code or token used for 2FA is often sent to the user’s phone with a text message. How­ever, online criminals can exploit this method of authentication if they are able to change the user’s security settings. Hackers can change the phone number to which the security code is sent. Instead of the account’s real owner receiving the security code needed for authentication, the code is sent to the criminals who can then use it to access the victim’s account.

Sections

In this article:

How does two-factor user authentication work?Why should you use two-factor authentication?Multi-factor authentication methodsHow hackers can bypass two-factor authentication

Keep your accounts safe with F‑Secure Total

Account take­over is unfortunately only one of many online threats. That is why you need an advanced cyber security solution to protect you from malware, hacking and other dangers online. F‑Secure Total not only comes with the tools to manage your pass­words and warn you if your identity is at risk. It also offers an anti­virus program to fend off viruses as well as a VPN to protect your privacy online. Try F‑Secure Total for free and stay safe on the internet.

Read more and try for free