Two-factor authentication is a security verification process in which the user provides two means of identification. In most cases, one of the two factors will be something the user has, and the second will be something the user knows.
The first item is usually a physical token, such as a card, and the second is often a memorized code, such as a password. In other instances, such as when logging into a website, what you know is a password and what you have is a one-time code sent to your smartphone by the service you are attempting to access.
The idea is that the physical token is something that the user, and only the user, possesses. One example would be a debit card — the card is the necessary physical item, and the personal identification number (PIN) is the memorized info that the user knows to log into an ATM. The combination of dual security measures makes it harder for intruders to access bank accounts and steal from victims.
Two-factor authentication is sometimes abbreviated as "2FA" or "TFA" and is also known as two-step verification. It has become prevalent in the digital age.
Google, MSN, Twitter and Yahoo offer two-step authentication for user logins, and it’s also an option for other Web-based services such as Dropbox, WordPress and Amazon Web Services.
Two-factor authentication has become so commonplace that most users don’t even realize they are using it when they hand their debit cards to a clerk and punch in the codes.
Two-factor authentication can reduce the success rate of phishing expeditions, online fraud and identity theft. It requires more than just the victim's password, which, in the past, has been enough to give a thief access to information.
A downside to using two-factor authentication is that hardware tokens, such as a card or key fob, need to be issued, which can slow down business and cause problems for a company. If customers lose their tokens, requests for new ones can cause even more problems and hold up business processes. These physical items can become a hurdle when put in the actual hands of the users, as they are generally small and easy to transport.
Some companies use mobile phones, rather than cards or key fobs, as authentication devices. For example, you can set up Facebook to require, in addition to the typical username/password, a single-use security code that can be sent to a user’s mobile phone. Whenever someone tries to access the account from an unknown browser, the security code is sent to the previously designated phone. If the legitimate user is the only person with access to the phone, this method will stop Facebook hacks and spammers.
However, two-factor authentication needs to be properly implemented. Apple, for example, offers it for iTunes Store accounts, but not for iCloud accounts, even though the same username and password will log into both.
An attacker who stole or cracked an Apple password could leverage iCloud to bypass two-factor authentication, such as by intercepting or redirecting password-reset messages sent to an iCloud email account. He could also read the user's email, erase his iPhone, get all his contact information and access his cloud-based documents.
And if the legitimate user hasn't yet set up Apple two-step verification for the iTunes Store, the attacker could do so instead, locking him out.