What is two-factor authentication (2FA) and how does it work?

May 23, 2022

By now, most people understand the dangers of protecting accounts, business data, information and online filing with basic passwords. Yet, you'd be surprised how often people are still using their birthdays or their pet's name as a password, or even just "password". The transition to stronger methods of authentication has been a slow one. Why is that? It's partly to do with our own behaviour; the more systems a person needs to log in to, the harder it is to remember all the different passwords, which is why they often have One Password to Rule Them All… or, astonishingly, write the passwords down somewhere. The problem is that if the password is guessed, phished or stolen, all those systems are in danger of being compromised.

When you're developing your security strategy, you need to emphasise to your team the importance of coming up with random, complex passwords - or even better, pass-phrases - that are managed in a password manager. However, to truly add another layer of protection around your business and customer data, using two-factor authentication (2FA) is essential.

The importance of two-factor authentication

2FA is a subset of multi-factor authentication, an authentication method that requires identity to be proved in multiple ways before a user can access an online system. 2FA requires a combination of factors - most commonly, a numerical code is texted to a phone number and then entered by the user, forming the second factor in the authentication process.
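The texted-code step described above, seen from the server side, as an added example (not code from the original article). The names `OneTimeCodeStore`, `CODE_TTL_SECONDS` and `MAX_ATTEMPTS`, and the five-minute and five-attempt values, are assumptions; delivering the code by SMS is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a texted code
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per issued code


class OneTimeCodeStore:
    """In-memory stand-in for the server-side record of pending codes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [code digest, expiry time, attempts left]

    @staticmethod
    def _digest(code):
        # Avoids keeping the code in plaintext. With only 10**6 possible
        # values, expiry and the attempt cap are what limit guessing.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user):
        """Create a 6-digit code after the password check; return it for delivery."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
        self._pending[user] = [self._digest(code),
                               self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """Return True only for the current, unexpired, unused code."""
        record = self._pending.get(user)
        if record is None:
            return False
        digest, expires_at, attempts_left = record
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]  # expired or locked out: a new code is needed
            return False
        record[2] -= 1  # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[user]  # single use: a replayed code fails
            return True
        return False
```

A stolen password alone never reaches `verify` with a valid code, and a code that is replayed, expired or guessed too many times is rejected.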

Since the advent of Covid-19, hybrid remote/office environments have become increasingly common. People like the flexibility of being able to work from home, but this does make it more important than ever to strengthen authentication processes. Cybersecurity is no longer a focus of just the office environment; businesses need to mitigate security risks and add protection at the device and application level. And that's where 2FA comes in.

The second factor doesn't have to be a code sent to a mobile phone. There are a number of options when it comes to that second step, including:

• Voice 2FA - the user receives a voice message which supplies the code

• Hardware tokens - a physical device like a key fob or USB token. It might have to be inserted into the user's device before logging on, or it might display a digital code that then has to be entered

• Software tokens - downloadable apps that receive the code needed before logging in

• Push notifications - after a push notification app is downloaded to a smartphone, notifications are sent to it asking the user to approve a login attempt with a tap

These are some of the more common methods of 2FA, but they can become even more sophisticated, such as using fingerprint scanners or other biometric methods.

The reality is that if you're serious about protecting your business and customer information, and about the security of your online systems, even strong passwords aren't sufficient anymore. They can be guessed or phished, whereas 2FA means that even if a password has been stolen, there's still protection with that second authentication step.
