Two-factor authentication (2FA) is an authentication mechanism that adds a second, independent check to the login process, such as signing in to an online account. The user must present two forms of evidence (or “factors”) before gaining access to the account or system. This typically combines something the user knows (such as a password) with something the user possesses (such as a mobile device or security token).

The first factor is usually a username and password combination; the second factor adds another layer of security by requiring a further piece of evidence, which can include:

  1. One-time passwords (OTPs): A unique code valid for a single login session (or a short time window), either sent via SMS or email or generated by an authenticator application. An OTP received by SMS or email proves that you have access to the given phone number or email account, respectively, while an OTP generated by an authenticator application proves that you are in possession of a particular secret key: the app computes the code as a keyed hash (HMAC) of the current time step over a secret shared with the service at enrollment (TOTP, RFC 6238), so only a holder of that secret can produce the correct code.

  2. Hardware tokens: Physical devices, like USB security keys or smart cards, that either generate a one-time code or, in the case of FIDO2/U2F keys, sign a challenge sent by the service. Either way, a correct response proves that you are in possession of the physical device. This is similar to using an authenticator application, but with a security advantage: the key material lives in dedicated hardware and cannot be copied out by malware on your computer or phone. A challenge-signing key goes further still, because its response is bound to the web origin that issued the challenge and therefore cannot be relayed from a phishing site.

  3. Biometrics: Using physical characteristics, such as a fingerprint or facial recognition, to prove that you are physically present.

2FA can greatly enhance security by reducing the likelihood of unauthorized access even if an attacker has obtained your password, which can happen in any number of ways. For example, your password may be guessed, intercepted in transit, or exposed in a breach of another site where you reused it. Not all forms of 2FA are equally effective, however.

While SMS is commonly used as a second factor in 2FA systems, it has significant weaknesses and should be avoided wherever an alternative is offered. The code can be intercepted or redirected: an attacker who SIM-swaps your number (persuading your carrier to move it to a SIM they control) or abuses the SS7 signaling network receives your OTPs and can use them to impersonate you. SMS-based 2FA also requires that you provide a phone number to the service operator, which may be used to de-anonymize you.1 It further requires you to carry a mobile phone connected to the cell network, which comes with a host of privacy disadvantages unrelated to 2FA. Finally, OTPs are susceptible to social engineering: an attacker who already has your password can contact you pretending to be the service and ask you to read back the code, or relay it from a phishing page that mirrors the real login form. This applies to SMS- and email-based codes and, because a code is just digits with no binding to the site, to authenticator-app codes as well.

Biometric methods of 2FA have even more severe privacy and security drawbacks. First, registering biometric data is in itself a privacy risk wherever you disclose that data to another party, since unlike a password it identifies you personally. Second, biometrics are difficult or impossible to change (you cannot rotate your fingerprints after a breach), and they can be spoofed using photographs, lifted prints, or more sophisticated methods. Finally, biometric authentication can be completed without your cooperation or under coercion. For instance, if you are physically detained, a camera can be aimed at your face or your finger placed on a fingerprint sensor without your consent, whereas a password or the PIN of a hardware token cannot be taken from you in the same way.

Considering these weaknesses, rely on the more secure 2FA methods instead: a hardware token where the service supports one, otherwise an authenticator application.
