2FA


What is 2FA/Two Factor Authentication?

Computers are very useful tools, but they are only secure when they can identify and distinguish between users reliably. A computer has no way of knowing who you are the way your friends, colleagues or partners do. This problem is usually solved with passwords: a protected area lets you in only if you know the password. This works well and is how many services operate today. But there is a problem: what if someone steals your password, looks over your shoulder while you type it, or you simply use the same password for every service (which is a really bad idea, don’t do it!)?

Your PC just forwards the password to the service, which checks whether it matches the one stored for your account; if it does, the service assumes it must be you. As far as the service is concerned, anyone who has your password is you and can act on your behalf.

Obviously this isn’t ideal. A great and widely used solution to this problem is two-factor authentication, which most often uses an external device alongside your password to verify your identity. This device can be your smartphone, a dedicated hardware token, or even a smartcard.

Authentication with two-factor (or multi-factor) authentication usually works like this:

First, the service registers the device as an additional security step, either by synchronizing clocks (for time-based codes) or by having the external device prove knowledge of a secret that grants access.

Then, for each new session, authentication works like so:

Depending on the 2FA method, the service will either generate a random string (a challenge) that the device verifies when the user interacts with it, or request an additional input from the user: a code displayed on the device, usually 5-7 digits, that changes every 30 seconds or so. This way the user proves, beyond reasonable doubt, that they are who they say they are.
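The time-based variant described above (a shared secret registered once, then a short code that changes every 30 seconds) is standardized as TOTP (RFC 6238) on top of HOTP (RFC 4226). The following is an added example, not code from the original page: it implements both the registration step (generating the shared secret) and the per-session check, and shows two details a service must get right that the text only implies: tolerating a small amount of clock drift between device and server, and refusing to accept the same code twice. The `STEP_SECONDS`, `DIGITS`, `enroll` and `TotpVerifier` names are this example's own choices, not a library API; the test secret `12345678901234567890` is the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # the "changes every 30 seconds" from the text (RFC 6238 default)
DIGITS = 6          # common code length; RFC 6238 test vectors are 8 digits, truncated here to 6


def enroll() -> tuple[bytes, str]:
    """Registration step: the service generates a random shared secret and hands it
    to the device once (typically as a base32 string inside a QR code).
    Both sides keep the secret; only the clock is needed afterwards."""
    secret = secrets.token_bytes(20)          # 160-bit secret, as RFC 4226 recommends
    return secret, base64.b32encode(secret).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)            # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (time step index)."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class TotpVerifier:
    """Service-side verification state for one enrolled account."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # tolerate +/- this many 30-second steps of clock drift
        self.last_accepted_step = -1  # replay protection: each code is accepted at most once

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue              # that step (or an older one) already authenticated: reject replays
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, submitted):      # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: enroll a device, then have it produce a code the service accepts.
    secret, for_device = enroll()
    print("secret handed to the device (base32):", for_device)
    now = int(time.time())
    code = totp(secret, now)          # what the authenticator app would display
    service = TotpVerifier(secret)
    print("device shows:", code, "-> service accepts:", service.verify(code, now))
    print("same code again -> service accepts:", service.verify(code, now))  # False: replay
```

The window of one step on each side is the usual compromise: a device whose clock is a few seconds off still works, but a captured code stays valid for at most about 90 seconds, and `last_accepted_step` means it cannot be reused even inside that window. Comparing with `hmac.compare_digest` rather than `==` avoids leaking, through response timing, how many leading digits of a guess were correct.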

Two-factor authentication is being adopted by more and more companies, as password-only authentication is proving insufficient for any normal level of security.