What is 2 factor authentication and how does it work?

What is 2 factor authentication and how does it work?

Nikki Reiner picture by Nikki Reiner·Updated 10 Dec 2022·7 minutes to read

Two-Factor Authentication (2FA) your secret weapon against hackers! In this article, we will show you how 2FA works, why it’s important, the different kinds of 2FA, and how to set them up on your various accounts. Let’s get started!

What is Two-Factor Authentication(2FA)?

Two-factor authentication is an authentication method that requires two pieces of evidence to be granted access to a certain account. 2FA, usually requires information like Password “something you know”, Hardware token or a smartphone “something you have”, and Face ID “something you are”

So how does 2FA work in real situations?

Let’s say you want to login into your account without two-factor authentication. As a rule, all you need to do is to enter your username and password…and that’s it! Simple right? but it’s also simple for hackers to access your account. Now, let’s imagine you set up Two-Factor Authentication(2FA) for your account. The system or service will ask to enter your username and password followed by another extra factor giving it another layer of security for instance: a temporary number (something you know) or plugging in a security key (something you have). Once this has been confirmed, you will then be granted access to your account, as usual.

Why is 2FA important?

2FA offers an extra layer of security for your accounts. The main mission is to ensure exclusive entry - to make sure that the person trying to log in is yourself. Nowadays, users are even more getting targeted by online threats of all sorts including malware, cameras recording keystrokes, credential stuffing, SIM swaps, brute-force attacks, and large-scale data breaches on organizations. In a few words, a password isn’t enough anymore… and a second factor is a must-have!

What happens if someone gains access to your account?

There’s no need to say that one of the worst scenarios is getting access to your primary email account, as this will allow the hacker to access and reset the password for all your other accounts/services. They might read and delete your emails; make online purchases in your name; steal your digital currency; blackmail or extort you; impersonate you; delete your files and backups; and, if you’re not able to regain access, lock you out of your important accounts forever. But all these undesirable situations could be easily avoided with Two-Factor Authentication(2FA).

What are the different forms of Two-Factor Authentication(2FA)?

There are a handful of different kinds of 2FA that you should know about their advantages and their disadvantages. Here we will be mentioning the following: SMS Text, Authenticator App, and U2F security keys.

SMS Text

After identifying your username and password, the server or system will ask you to provide a number through which a final code will be sent by SMS. Yet, beware as these codes expire within a short period of time. Even so, Phone Verification has its disadvantage: SIM SWAP! SIM Swap fraud basically transfers the details of your phone number to another device. It starts with the fraudster trying to gain all kinds of information about the victim which will be then used to contact the victim’s mobile phone provider and request to transfer the victim’s SIM to itself. Once this happens, the victim’s phone will lose connection to the network, and the fraudster will receive all the SMS and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via text or phone calls and thus gives them access to two-factor authentication methods of accounts (be it their bank accounts, social media accounts, etc.)

Authenticator App

Two-Factor Authentication using an Authenticator app works similarly to SMS authentication, after, identifying your username and password you will need to enter a unique code generated in Authenticator App. However, the main difference from SMS authentication, the codes are generated based on a Time-Based One-Time Password or (TOTP) on your device, and the codes are not delivered over the mobile network. In other words, hackers can’t intercept the codes as in SMS text. TOTP is usually a 6-code valid for 30 to 90 seconds that has been generated using the value of the (Shared Secret) and system time. Shared Secret is a unique secret key shared between the Authenticator App and the server. The secret key is generated only once, and then both the Authenticator App and the server keep it safely stored on their ends.

Let’s simulate a real case, for example, I want to set up 2FA for my Facebook account. In this case, I will download Authenticator App by 2Stable, once downloaded, I will open it and will tap on “+”, next, I will log in to my Facebook account and set up the 2FA (Two-Factor Authentication). Once enabled, Facebook will generate a QR code with the unique secret key that I need to scan with Authenticator App by 2Stable. Immediately after, Authenticator will start generating codes - even offline - that will be used as the second factor. In other words, I will need to enter the code from Authenticator App by 2Stable every time I would like to log in to my Facebook account. You can find a detailed guide on how to set up 2FA (Two-Factor Authentication) for your Facebook account.

Even if the two-factor authentication via Authenticator App is a good choice to secure your accounts it doesn’t mean you’re totally protected from attacks. Your accounts will still be vulnerable to phishing! A phishing attack will trick someone into giving away their login credentials with a fake website that looks almost exactly like the login page to an original service. Usually, you will be sent an email to change your password due to suspicious activity on your account. A hacker will provide you with a link to a fake login page for your service, once you enter your login credentials on this phishing page, the hacker’s automated system will grab the login credentials you type in, including your username, password, and 2FA code. Hacker’s computer will then quickly log into your account on their behalf and will then change your password and 2FA codes, locking you out of your own account.

If you want to find more information on how to enable the 2FA for your accounts you can check our guidelines for the most popular services: Facebook, Instagram, Snapchat and others.

U2F Security Keys

Another example of Two-Factor Authentication (2FA) is U2F security keys. Universal Second Factor (U2F) security keys are small devices you can carry on your keychain and can be used as a second factor. They can only be validated by a single device (or whatever set of security keys you’ve pre-associated with your account). Using a 2F key is as easy as sticking to your device and touching a button. Whenever a service asks for your second factor, you plug your U2F gadget into your desktop device and tap on its little conductive metal button to prove you are there with the device. The device checks the website URL that you are on and does some cryptographic wizardry to generate a validation code that it then sends back to the website you are trying to log into.

U2F gadget is a good choice and it’s very secure, still, as with all security methods it also has weak sides, in most cases, you can just lose your U2F device or someone can steal it from you. Never forget that it’s a physical device that you always need to take care of.

Final Thoughts

All in all, there are several 2FA methods to choose from and you can decide the best option that better suits your needs. Whichever option you pick, most importantly, if you’re reading this you should have your Two-Factor Authenticator running!

  • Published: 04 Nov 2022

  • Modified: 10 Dec 2022

More on this

Here are some more articles you might like to read