Two-Factor Authentication (2FA)

Authentication is an essential part of verifying a digital identity and therefore a crucial foundation of every IAM process. Authentication is the process by which you verify whether a user, application or device is genuinely who or what they claim to be. Hence, you check if the provided digital identity matches the authenticity features and data known to your system. Whereas single-factor authentication (authenticating with just a username and password) used to be the standard, more and more organisations nowadays opt for what is known as strong authentication. Two-factor authentication is one form of this strong authentication. But what exactly is two-factor authentication? And why is it a step forward compared to single-factor authentication?

What is two-factor authentication?

Two-factor authentication also makes use of the username/password combination but adds an extra step to it. After entering these two credentials, the system asks you for an additional verification key. Two-step verification is often used synonymously with two-factor authentication. With two-factor authentication, you need two (usually a combination of the first two) of the following three things:

  • Something someone knows (password, answer to security question)
  • Something someone has (phone)
  • Something someone is (fingerprint, iris scan, facial recognition)

The additional credential is personal and solely in your possession. A commonly used method is sending a code or text message to your phone or to an email address you own. This means a stolen or found password is not enough for a hacker or cybercriminal to gain unauthorized access to your data or digital environments. With two-factor authentication, you add an extra layer of security thanks to the combination of what you know and what you have.

Examples of two-factor authentication

There are several well-known examples of companies or platforms that use two-factor authentication. With Microsoft, for instance, you can enable it under the section ‘Additional security options’. You can then choose from various sign-in methods, such as receiving a text message with a verification code or using the Microsoft Authenticator app. After configuring the app, it sends a notification during the sign-in with your Microsoft account. You simply need to confirm this to gain access.

Google, Apple ID and recently also Facebook (code sent to your mobile phone) offer two-factor authentication options. Even a government portal like DigiD uses two-step verification, where after entering the username and password, an access code is sent to one of your own (trusted) devices.

Multiple registrations

There is also a way to make two-step verification even faster and easier. With apps like Microsoft Authenticator and Google Authenticator, you can manage multiple services with two-step verification (such as Outlook, SharePoint, OneDrive, Gmail and Google Drive) without having to use a separate authentication app each time. You can add a service using the plus sign or scan a QR code that links a service to the app.

Why are two-step verification and 2FA important?

Hackers and malware are increasingly (and automatically) hunting for your login details, so an extra security key is not a bad idea. With two-step verification and two-factor authentication, you protect your email accounts, business environments and social media better against cybercrime.

To what extent two-factor authentication increases your security depends greatly on the security of the second component. If, for example, this is a code via email, a hacker who has already broken into your computer will probably have little trouble cracking the second factor. An SMS code sent to your mobile phone is a lot more reliable. A hacker who wants to log into your account would then need access to both your computer and mobile phone.
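Whatever channel delivers the code, the service that issued it still has to make sure the code is short-lived, usable once and not guessable. The following is an added example of that server-side bookkeeping, not code from the article. Sending the text message or e-mail is assumed to happen elsewhere and is left out; the clock is passed in explicitly so the behaviour is deterministic, and the limits (five-minute lifetime, five attempts) are constructed values for the example.

```python
"""Issuing and checking a one-time code delivered by text message or e-mail.

Added example, not from the original article. Only the server-side state is
shown: the code must expire, be accepted once at most, and survive only a
handful of guesses. Delivery of the code to the user's device is assumed to
exist elsewhere.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

CODE_DIGITS = 6
LIFETIME_SECONDS = 300   # constructed value: code expires five minutes after issue
MAX_ATTEMPTS = 5         # constructed value: five guesses against 10**6 possibilities


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: int
    attempts_left: int = MAX_ATTEMPTS


class OneTimeCodeStore:
    """Server-side state for codes awaiting verification, keyed by user id."""

    def __init__(self, pepper: bytes):
        # Server-side key mixed into the hash so a leaked store does not reveal live codes.
        self._pepper = pepper
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._pepper, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: int) -> str:
        """Create a fresh code for `user`; the caller delivers it to the user's device."""
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self._pending[user] = PendingCode(self._digest(user, code), now + LIFETIME_SECONDS)
        return code

    def verify(self, user: str, submitted: str, now: int) -> bool:
        """Return True only for the current, unexpired, not-yet-used code of `user`."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self._pending[user]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code_hash, self._digest(user, submitted))
        if ok or entry.attempts_left == 0:
            # single use: drop on success; also drop once the guess budget is spent
            del self._pending[user]
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore(b"constructed-server-pepper")
    code = store.issue("alice", now=1000)
    print(store.verify("alice", code, now=1010))   # True: fresh code
    print(store.verify("alice", code, now=1011))   # False: already used
```

Storing an HMAC of the code rather than the code itself, and comparing with `hmac.compare_digest`, are the two details most often skipped in home-grown implementations; the attempt counter is what turns a six-digit code from a brute-forceable number into an acceptable second factor.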