Credential stuffing, phishing, and leaks regularly topple production apps. These attacks drain budgets and erode trust amongst your users.
Adding a second verification step to your sign-in flow via two-factor authentication shrinks that attack surface and mitigates the risk.
What Is Two-Factor Authentication?
Two-factor authentication (2FA) is a login process that increases online security by requiring users to provide two forms of identification before they can access their account on an application or system.
As a subcategory of multi-factor authentication (MFA), the goal is to protect user accounts against unauthorized access. So, if a single user credential (like a password) is compromised, the account remains secure.
The three main types of authentication factors are:
- Knowledge: Something the user knows, like a password or username
- Possession: Something the user has, like a cell phone, hardware token, or API key
- Inherence: Something the user is or possesses inherently, like a fingerprint or facial recognition
2FA requires one item from two of these categories to access your account.
For example, you might need to enter a password (something you know) and confirm the login with a temporary passcode (something you have) sent by text message to your phone. Two forms of identification from the same category do not count as 2FA, such as a username and password.
In developer environments, you might need a login and a time-sensitive API token (knowledge and possession-based 2FA) to securely access APIs.
This form of MFA is increasingly common in general, particularly in high-security environments like telemedicine, where protecting patient data is a critical compliance issue.
How Does 2FA Work?
2FA provides a second layer to verify a user's identity more completely during the login process.
Here's what a typical flow looks like:
- Step 1 (Credential Entry): The user enters their username and password.
- Step 2 (Secondary Challenge): The system confirms these credentials. If they're correct, it triggers a second factor, such as a code sent by email or generated through a dedicated authenticator app.
- Step 3 (Verification): The system checks the secondary challenge and grants access if correct.
2FA systems commonly use one-time passcode (OTP) algorithms or time-sensitive codes. Other methods include push-based approvals, such as sending the user a prompt via a trusted device.
Developers must weigh security considerations with good user experience (UX) when deciding which MFA method(s) to use. Complicated authentication without clear fallbacks for account recovery can be extremely frustrating.
Additionally, during setup, developers must also work to minimize latency (the time a user waits to receive the secondary authentication prompt).
Benefits of 2FA
2FA provides benefits across security, compliance, and user satisfaction. By implementing it, you can prevent attackers from accessing user data and potentially avoid regulatory fines.
Here's a breakdown of the benefits:
Blocking Credential Stuffing and Phishing
With this method, you're providing an important safeguard against attacks based on stealing user credentials. So, even if a user has their password stolen through phishing or exposure to a data breach, their second authentication factor stops any unauthorized access.
Consider credential stuffing. Attackers use automation to try logging in with credentials harvested from an earlier breach. If 2FA is enabled (an authenticator app or SMS codes, say), these attempts fail. Plus, your user will likely receive a notification for the second authentication step and be prompted to change their password and re-secure their account.
The fallout of a data breach brings severe reputational damage and potential compliance violations, particularly in industries that handle sensitive data like fintech. This method adds a layer of protection that secures both your user data and your business.
Improving Compliance
MFA steps are now a requirement in many industries. It's often mandated as a core control through regulations such as HIPAA, GDPR, and PCI DSS to reinforce data protection and privacy standards.
For example, HIPAA requires healthcare entities to employ technical methods to safeguard electronic protected health information (PHI). This covers certain health and personal identifying information stored or transmitted electronically, such as a patient's name, address, or date of birth. HIPAA requires healthcare companies to use end-to-end encryption, access controls, and 2FA to secure this information.
Increasing User Trust
Users are becoming extremely savvy about keeping their data safe online, especially when it comes to sensitive information like entering credit card details. Knowing 2FA is in place provides peace of mind for your users and instinctively builds more trust in your platform.
Many security features, like encryption, run in the background, but 2FA is user-facing. Since the user interacts with it regularly, it reinforces your environment's commitment to security and data protection.
2FA vs MFA
MFA is an umbrella term, and 2FA is a subcategory within it.
2FA dictates that two different types of credentials from two separate categories (knowledge, possession, or inherence) are used during login. MFA is a broader term that refers to any authentication process that uses two or more factors.
Advanced authentication methods like WebAuthn and passkeys use possession and biometrics to keep user logins secure without needing passwords at all. It's the beginning of a shift towards a passwordless future, where remembering usernames and passwords will become a thing of the past. Ultimately, the goal remains keeping security and UX at the forefront of the login experience.
2FA Methods
SMS/Voice Codes
One of the most common methods is sending a one-time password (OTP) to a user's phone via SMS or an automated phone call. To continue, the user then enters the password (usually a five- or six-digit code) on the login screen.
SMS codes are sent via text, whereas voice calls use voice APIs to trigger automated phone calls that read the code to users.
This method works for users in areas with poor internet access or without smartphones. However, it's important to note that it's not immune to attacks such as SIM-swapping, where attackers trick the mobile carrier into diverting the user's phone number to a new SIM card.
Authenticator Apps (TOTP)
Authenticator apps, such as Google Authenticator, protect accounts by generating time-based one-time passwords (TOTP).
The app typically provides a 6-digit code which refreshes every 15-30 seconds. The "live" code needs to be entered during the login process before it times out.
Authenticator apps generate the login codes locally on your device, making them more secure than SMS/Voice as they're not transmitted through internet or mobile networks, which can be intercepted.
Some providers develop their own authenticator apps for users to download, such as Salesforce Authenticator. Others allow users to connect their accounts to third-party options like Google Authenticator or Microsoft Authenticator.
Hardware Tokens
Hardware tokens usually come in the form of a small keyfob or USB stick to provide "something you have" 2FA. They either generate TOTP codes or store cryptographic keys for secure offline authentication.
Since they operate entirely offline, they're essentially immune to phishing scams or malware attacks. However, it can be inconvenient for the user if they lose the physical authenticator. You'll often see these used in corporate settings, especially in highly regulated industries like financial services, when employees must log in from home.
Biometric Second Factors
Biometric 2FA uses physical traits unique to the user to verify their login attempt. These are typically things like fingerprint scans, facial recognition, or iris scans. They're low friction for the user, and since the biometric data is usually stored locally on the device, it's hard for attackers to intercept or duplicate.
It's an extremely effective method in terms of security. However, it's important to have strong fallback mechanisms in place so users can still recover their accounts if the data is somehow compromised.
Mobile 2FA and Trusted Devices
As part of the mobile experience, many apps allow users to register their phone or tablet as a "trusted device." This means the login has already been authenticated on the device and doesn't need to be repeated to access the account again.
It makes logging in far more convenient for users while keeping them secure. Users can often leverage a prompt from their trusted device to verify login on a new device, too.
Sometimes, apps will require users to re-authenticate in the name of security, for example if they haven't used the app within a certain timeframe or the IP address of the device changes.
The trusted device scenario improves UX while balancing security and often reduces abandonment. It's commonly seen in social media apps.
Common fallback mechanisms include one-time backup codes to ensure account recovery is possible.
Implementing 2FA
Adding 2FA to your app strengthens account security for users. But balancing that protection with good UX is just as important. Here's a quick step-by-step process for 2FA implementation:
Step 1: Choose Your Authentication Factors
Decide which secondary factor your app will support. Username and password are the most common first factor, which falls into "something the user knows." So, your second factor will need to leverage either "something the user has" (OTP) or "something the user is" (fingerprint or facial recognition).
Within that range, you can choose from SMS codes, authenticator apps, biometric verification, or even give your users a choice of secondary authentication methods.
Step 2: Generate and Deliver the Second Factor
Use established protocols such as TOTP or WebAuthn to generate time-bound verification challenges. The user also needs to trust the channel through which you deliver the challenge, which is why SMS and email are popular choices.
If you use SMS or Voice APIs, make sure it's through a trusted and reliable provider.
Step 3: Verify and Bind the Factor to the User
When a user submits their second factor, verify it securely and use device or authenticator keys to bind the authentication method to their user profile. This means your system can trust any future logins from the now-known endpoint.
Step 4: Handle Fallbacks and Recovery
Sometimes, 2FA methods fail or can't be used anymore, like when a user changes their phone number and can't receive the SMS verification. Fallbacks are necessary for users to recover their accounts in these scenarios, so make sure you provide alternative methods like recovery codes.
Step 5: Assess and Improve the UX
Security is essential, but so is good UX if you want to retain users. Continuously evaluate the login and authentication experience for your users to maintain a balance between security and usability. Track metrics like login abandonments and monitor the speed of SMS and email delivery to keep friction at a minimum.
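Steps 2 through 4 above, together with the trusted-device behaviour described earlier, come down to a handful of server-side records and the rules for checking them. The block below is an added example written for this article, not code from the original page or from any SMS or identity provider. It covers a delivered one-time code (SMS, voice or email) that is stored only as a hash, expires, is single-use and is discarded after too many wrong guesses; single-use recovery codes; and a trusted-device token that is revoked when it expires or when the client's IP address changes. The `OTP_TTL`, `OTP_MAX_ATTEMPTS` and `DEVICE_TTL` values are assumed policy numbers, the `send` callback stands in for whatever delivery provider you use, and the in-memory `Account` dataclass stands in for your user table.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

OTP_TTL = 300                 # seconds a delivered code stays valid (assumed policy)
OTP_MAX_ATTEMPTS = 5          # wrong guesses before the code is discarded (assumed policy)
DEVICE_TTL = 30 * 24 * 3600   # trusted-device lifetime in seconds (assumed policy)

def _hash(value: str) -> bytes:
    # Only hashes are stored, so a database leak does not expose live codes or device tokens
    return hashlib.sha256(value.encode("utf-8")).digest()

@dataclass
class Account:
    """Stand-in for the per-user rows a real system would keep in its database."""
    pending_otp: Optional[dict] = None                  # {"hash", "expires", "attempts"}
    recovery_hashes: Set[bytes] = field(default_factory=set)
    trusted_devices: Dict[bytes, dict] = field(default_factory=dict)  # token hash -> record

# Step 2: generate a code and hand it to the delivery channel
def issue_otp(acct: Account, send: Callable[[str], None], now: float) -> None:
    code = f"{secrets.randbelow(10 ** 6):06d}"          # uniform 6-digit code from the OS CSPRNG
    acct.pending_otp = {"hash": _hash(code), "expires": now + OTP_TTL, "attempts": 0}
    send(code)                                          # SMS/voice/email provider call goes here

# Step 3: verify what the user typed; the code is single-use and attempt-limited
def verify_otp(acct: Account, submitted: str, now: float) -> bool:
    p = acct.pending_otp
    if p is None or now > p["expires"]:
        acct.pending_otp = None                         # expired codes are dropped, not retried
        return False
    p["attempts"] += 1
    ok = hmac.compare_digest(p["hash"], _hash(submitted))
    if ok or p["attempts"] >= OTP_MAX_ATTEMPTS:
        acct.pending_otp = None                         # burn the code once used or over-guessed
    return ok

# Step 4: recovery codes shown to the user once at enrollment; only hashes are kept
def generate_recovery_codes(acct: Account, count: int = 8) -> List[str]:
    codes = [secrets.token_hex(5) for _ in range(count)]   # 10 hex characters (40 bits) each
    acct.recovery_hashes = {_hash(c) for c in codes}       # replaces any older set
    return codes

def redeem_recovery_code(acct: Account, code: str) -> bool:
    h = _hash(code.strip().lower())
    if h in acct.recovery_hashes:
        acct.recovery_hashes.discard(h)                 # each code works exactly once
        return True
    return False

# Trusted devices: an opaque token set as a cookie after a successful 2FA login
def remember_device(acct: Account, ip: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    acct.trusted_devices[_hash(token)] = {"expires": now + DEVICE_TTL, "ip": ip}
    return token

def device_is_trusted(acct: Account, token: str, ip: str, now: float) -> bool:
    key = _hash(token)
    rec = acct.trusted_devices.get(key)
    if rec is None:
        return False
    if now > rec["expires"] or rec["ip"] != ip:
        acct.trusted_devices.pop(key)                   # expired or moved network: force fresh 2FA
        return False
    return True

if __name__ == "__main__":
    acct, outbox = Account(), []
    issue_otp(acct, outbox.append, now=0.0)             # outbox stands in for the SMS gateway
    print("delivered:", outbox[-1], "accepted:", verify_otp(acct, outbox[-1], now=1.0))
    print("recovery codes:", generate_recovery_codes(acct))
```

Two design points worth noting: the attempt cap is what keeps a 6-digit code (one million possibilities) from being brute-forced through the login form, and binding the trusted-device token to the IP address is a deliberately strict reading of the re-authentication rule in the article; a production system would more often treat a network change as a trigger for a step-up prompt than as immediate revocation.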
Frequently Asked Questions
What Are Some Examples of Two-Factor Authentication?
Common examples include:
- Verification codes via SMS or email
- Biometric scans
- Trusted device prompts
- Login approvals via authenticator apps
What’s the Main Disadvantage of 2FA?
The main disadvantage of implementing this security measure is the extra steps (and inevitable friction) you create for users. This is especially true if they lose access to their second authentication method and must start an account recovery process.
How Do I Enable 2FA for My Users?
Enabling it for users involves:
- Selecting the best verification factor for your app
- Implementing a method to deliver or prompt the second factor
- Providing the user with recovery options
How Effective is 2FA at Stopping Breaches?
Extremely effective but, depending on the specific method, not completely foolproof.
For instance, using SMS leaves users vulnerable to scams like SIM-swapping. Authenticator apps are far more reliable but can cause more friction. The best defense 2FA provides is that the account stays secure even when passwords are compromised, unless the attackers can find a way around the secondary method.