• All about two-factor authentication (2FA)

    Two-factor authentication (2FA) is a method of confirming users’ claimed identities by using a combination of two different pieces of information or factors

    Back to GlossaryBack to Glossary

    What is two-factor authentication?

    Two-factor authentication (also known as 2FA or two-step verification) is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. A password is typically considered one factor, and with 2FA that is combined with another factor to increase login security. Factors used for 2FA include:

    teal password illustration

    Something you know

    Password or PIN

    teal mobile phone illustration

    Something you have

    A physical device such as a phone or authenticator.

    teal fingerprint illustration

    Something you are

    A fingerprint, iris or facial scan

    teal pin and credit card illustration

    An example of two-factor authentication

    A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something that the user possesses) and a PIN (something that the user knows) allows the transaction to be carried out.

    The problem with passwords

    teal password and monitor illustation
    Passwords are easily breached

    The typical validation method most individuals and business users use today is a single factor password. But usernames and passwords are stored on a server and can be easily breached as cyber criminals become more organized and adept.

    multiple password illustration

    Too many passwords

    With increasing use of email, social media, and online banking and shopping, most people have a lot of places they need to log in. In fact, most consumers have 150 online accounts and therefore many usernames and passwords to remember! As a result, online users resort to creating several complex passwords – or worse; they use the same password across multiple sites.

    computer environment and password illustration
    Passwords are used repeatedly

    With many users re-using passwords across sites, once a cybercriminal gets their hands on a user’s credentials, those credentials may work across multiple accounts. Two-factor authentication is the best defense users have to protect accounts when their passwords have been stolen.

    3.3 Billion stolen credentials

    reported in 2017

    81% of data breaches

    from weak/stolen passwords

    $3.9 Million average cost

    of a breach ($148/ record)

    Two-factor authentication has become the standard

    Most service providers such as Google, Facebook and Apple already support 2FA and consider it an integral part of the authentication process.

    Types of two-factor authentication

    teal security key illustration

    Hardware Security Keys

    Security

    Hardware security keys offer the highest levels of online security, logging into many services with just one key.

    Ease of Use

    Hardware security keys can offer passwordless login, with no code to enter. Hardware keys typically require no network connectivity, and does not rely on battery power.

    Cost

    Hardware security keys are significantly cheaper than a mobile phone, and in the case of a lost or stolen key, a backup is much cheaper than replacing a mobile phone.

    teal mobile phone and text illustration

    Text Message (SMS 2FA)

    Security

    Not very secure as this approach is vulnerable to phone number porting scams. Also, per NIST Cybersecurity Framework guidelines, the SMS 2FA approach offers a poor security level.

    Ease of Use

    Requires users to retype of copy and paste the one time code which can be confusing or time consuming. This approach typically relies on users having a mobile phone. In order to receive the code the devices needs to have network connectivity and sufficient battery life.

    Cost

    Using a mobile phone as the authenticating device can be very expensive. And, in the case of a lost or stolen device, replacing the phone can be very costly again.

    mobile authenticator app illutstration

    Authenticator Apps

    Security

    More secure than text messages but not as secure as hardware security keys based on public key cryptography.

    Ease of Use

    Requires users to retype or copy and paste the one time code, which can be a confusing and time consuming.

    Cost

    Authenticator apps are often free to download, however it relies on users having a mobile phone. While codes can be available even when the phone is offline, it is reliant on the mobile phone battery life. In the case of a lost or stolen device, replacing the phone can be very costly.

    mobile pin illustration

    Mobile Push 2FA

    Security

    More secure than text messages but not as secure as hardware security keys based on public key cryptography.

    Ease of Use

    This approach typically relies on users having a mobile phone. In order to receive the code the devices needs to have network connectivity and sufficient battery life.

    Cost

    Using a mobile phone as the authenticating device can be very expensive. And, in the case of a lost or stolen device, replacing the phone can be very costly again.

    YubiKey 5 Series family shot
    Find the right Yubikey

    Take the quick Product Finder Quiz to find the right key for you or your business.

    Let’s startLet’s start
    YubiKey standing on rock
    Get protected today

    Browse our online store today and buy the right YubiKey for you.

    Shop nowShop now