
Two Factor Authentication: Personal Security in an Increasingly Unsecure Age

Authentication is the first line of defense for network security. It is the process of determining whether a user is who they say they are. It should not be confused with the step that follows it, authorization, which decides what an already authenticated identity is permitted to see or do, so that users get only the level of permission needed for the task they are trying to perform.

Traditionally, users have relied on, and are accustomed to, authentication systems that require them to provide a unique identifier such as an email address, username or phone number together with a correct password or PIN to gain access to the system.

Now many sites and apps extend this paradigm by adding one or more steps to the authentication process, most commonly requiring the user to enter a one-time code that is generated dynamically and delivered through a channel only the user should have access to. Another common method is to use the user's biometric data, such as a fingerprint or retina scan, as a second factor. This approach is not new; the technology was conceived back in 1984.

There are several authentication models, including Single-Factor/Primary Authentication (SFA), Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA). Single Sign-On (SSO), which is often listed alongside them, is not a factor type but a way of reusing one authentication across many applications; an SSO session is only as strong as the factors used to establish it.

Among them, two-factor authentication (2FA) is a security process in which users provide two different authentication factors to verify themselves. It is implemented to better protect both a user’s credentials and the resources the user can access.

Two-factor authentication provides a higher level of security than methods that depend on SFA, in which the user provides only one factor, typically a password or passcode. 2FA relies on the user providing a password as the first factor and a second, different factor, usually either a possession factor such as a security token or one-time code, or a biometric factor.

By adding a second layer of security, 2FA makes it harder for attackers to gain access to users' devices or accounts: even if the password is stolen or guessed, they still have to defeat the second factor to pass the authentication check. It is commonly used to protect sensitive systems and data, and it is increasingly offered by online service providers to protect their users' accounts against credential theft.

Authentication Factors

2FA methods draw on three "somethings":

  • Something you Know – the password or PIN for an account
  • Something you Have – a physical device such as a mobile phone, or a software application that can generate one-time passwords
  • Something you Are – a feature biologically unique to you, such as your fingerprints, voice or retinas

There are several ways in which users can be authenticated:

Knowledge factor is something the user knows, such as a password, a personal identification number (PIN) or some other type of shared secret.

Possession factor is something the user has, such as an ID card, a security token, a cellphone, a mobile device or a smartphone app, to approve authentication requests.

Biometric factor/inherence factor is something the user is. It is inherent in the user's physical characteristics, such as a fingerprint. Other commonly used inherence factors include facial and voice recognition, and behavioral biometrics such as keystroke dynamics, gait or speech patterns.

Location factor is the location from which an authentication attempt is being made. It can be enforced by limiting authentication attempts to specific devices in a particular location, or by tracking the geographic source of an attempt from the source Internet Protocol address or other geolocation information, such as Global Positioning System (GPS) data from the user's mobile phone or other device. Because an IP address or GPS reading can be spoofed, location is normally used as a contextual signal for adaptive authentication rather than as stand-alone proof of identity.

Time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.

Pros and Cons for Some Types of 2FA

The most basic 2FA methods are SMS, email and phone-call tokens. SMS tokens are text messages carrying a short numeric code, usually six digits. They are very user friendly and widely available, and they are inexpensive to set up and maintain. But they can be intercepted by third parties: an attacker who takes over the victim's phone number through a SIM swap, or who can read traffic on the carrier network, receives the code instead of the user. Email tokens are similar and can be read on both computers and mobile devices, but the second factor is then only as strong as the mailbox password. A phone call is an alternative that requires less bandwidth. These methods are likewise inexpensive and easy to maintain, but they face the same security issues, because calls can be intercepted or forwarded and voicemail can be hacked.

Biometric verification is unique in that the users themselves become the token. It offers many options, such as fingerprints, retina scans and voice. But it raises privacy concerns, it requires the extra cost of specific sensors, and a biometric cannot be revoked or reissued if the stored template is ever leaked.

A hardware token is common in enterprise environments but can be used with any system. It requires the user to carry a physical device, such as a key fob, USB dongle or smart card, that dynamically generates a code for the user. Each code is generally valid only for a short period. The device needs no mobile reception or online connection, and because it is built only for this purpose it is hard to exploit. But the system is expensive to set up and maintain, and it can be troublesome when the device is forgotten or lost. A code-generating token is also still phishable, since the user can be tricked into typing the code into a fake site; tokens that instead sign a challenge bound to the site's origin (FIDO2/WebAuthn security keys) close that gap.

A software token requires users to download and install an app that dynamically generates codes for the user. This is becoming popular with the rise of smartphones. It is similar to a hardware token but without a dedicated physical device: the app holds a shared secret enrolled from the site and computes a time-based one-time password (TOTP) from it. It is cheap for sites to implement, since the algorithm is an open standard (RFC 6238), but the code can still be relayed by a phishing page, and a user who loses the phone without keeping backup codes is locked out.

How To Set Up?

It is up to the vendor to decide which authentication methods a website or application offers. A 2FA login usually first prompts the user for their account name and password. The server checks these against its records to identify the user. The site then prompts for the second level of authentication, where the user proves their identity with something like a biometric, a security token or a mobile device, most often by entering a one-time code shown on or sent to their phone. Only then is access granted.
Many services, including Facebook and Google, let users choose whether and which 2FA methods to use; the option is usually found on the account settings page. Some services trigger 2FA only under certain conditions, such as when the user has not logged in for a long time or tries to log in from a new device.
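To make the enrolment and verification flow above concrete, here is an added example (not code from the original article or from any of the services it names) of the software-token method described earlier, written in Python using only the standard library: generate a shared secret, build the otpauth URI an authenticator app scans from a QR code, compute the RFC 6238 time-based code, and verify it on the server side with a small clock-drift window, a constant-time comparison and a replay check. The account name, issuer and the `TotpVerifier` class are illustrative choices; the 20-byte test secret is the one published in RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# Test secret from RFC 6238 (ASCII "12345678901234567890"), used here so the
# codes can be checked against the published vectors. A real deployment
# generates a fresh secret with new_secret() for every enrolment.
RFC6238_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """Random shared secret for a new enrolment (160 bits suits HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{params}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // period, digits)


class TotpVerifier:
    """Server-side check for one enrolled user (hypothetical helper).

    Accepts codes from +/- drift_steps time steps to tolerate clock skew, and
    never accepts a time step at or before the last accepted one, so a code
    the user already submitted cannot be replayed within its validity window.
    """

    def __init__(self, secret: bytes, period: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.period = period
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        submitted = submitted.strip()
        if not (submitted.isascii() and submitted.isdigit()):
            return False
        now = int(time.time()) if now is None else now
        current = now // self.period
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed (or older than a consumed code)
            expected = hotp(self.secret, step)
            # constant-time comparison so response timing does not leak digits
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleCorp"))
    verifier = TotpVerifier(secret)
    code = totp(secret, int(time.time()))
    print("first submission accepted:", verifier.verify(code))
    print("replayed submission accepted:", verifier.verify(code))
```

The drift window is the usual compromise between phone clocks that run a few seconds off and the size of the window an attacker gets to relay a phished code; widening it beyond one step on each side buys little usability and costs real security. Production deployments also rate-limit attempts per account, since a six-digit code gives only a million possibilities.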

Future Outlook

Accounts protected by a password alone will still exist in large numbers, but a password database on its own no longer meets current security requirements. In the future, more sites and applications will choose a mix of authentication methods according to their own needs, and factors such as location and time will be used more. Behavioral biometrics, such as a user's typing rhythm and mouse movement, could also be developed to enable continuous rather than one-off authentication.

Many organizations will move to passwordless authentication, in which users prove their identity to an application without a password at all. Decentralized or self-sovereign identity built on a blockchain is also gaining attention as an alternative to traditional authentication methods.