
Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a security method in which users confirm their identity with two different factors – typically a password (knowledge) plus a second factor such as a one-time code (possession) or a fingerprint (inherence/biometrics).

Passwords alone are no longer enough. Data breaches, phishing and weak passwords make it easy for attackers to take over accounts. Two-factor authentication (2FA) adds a second layer: even if a password is stolen, it is useless without the second factor. 2FA is now standard for banks, cloud services and increasingly business applications – and should be enabled everywhere.

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA), also called two-step verification, requires two independent proofs of identity from different categories when logging in: knowledge (something you know, e.g. a password or PIN), possession (something you have, e.g. a phone, hardware token or smart card) and inherence (something you are, e.g. a fingerprint or face). 2FA is a subset of multi-factor authentication (MFA), which combines at least two of these categories. Common 2FA methods are TOTP (time-based one-time passwords, e.g. Google Authenticator), SMS codes, push notifications, hardware tokens (e.g. YubiKey) and biometrics. WebAuthn/FIDO2 is the most modern standard and enables passwordless authentication with security keys.

How does Two-Factor Authentication (2FA) work?

On login the user enters username and password (first factor: knowledge). Then a second factor is requested – e.g. a six-digit code from an authenticator app (TOTP), which changes every 30 seconds. The server compares the user's input with the expected value computed from a shared secret and the current time. With hardware tokens like the YubiKey a cryptographic proof is sent via USB or NFC. Access is granted only when both factors are correct. With passwordless authentication (FIDO2/WebAuthn) the security key or biometric replaces the password factor entirely.

Practical Examples

1. An employee logs into company email: after the password, a 6-digit code from the Microsoft Authenticator app is required.
2. Online banking: after the PIN the user must confirm the transaction via the pushTAN app on their phone.
3. A developer uses a YubiKey as the second factor for GitHub, AWS and internal admin UIs.
4. A cloud app offers passwordless sign-in via a FIDO2 security key or fingerprint (e.g. Windows Hello).
5. An admin panel requires confirmation via push notification to the registered company phone in addition to the password.

Typical Use Cases

Protecting business applications: Email, CRM, ERP and admin panels secured against unauthorized access

Securing cloud services: AWS, Azure and Google Cloud require or recommend 2FA for all admin accounts

Compliance: GDPR, PCI-DSS and ISO 27001 require or recommend strong authentication for sensitive systems

Remote access: VPN and remote desktop connections are additionally secured with a second factor

Customer authentication: Shops and platforms offer 2FA to protect customer accounts from takeover

Advantages and Disadvantages

Advantages

  • Much higher security: Stolen passwords are useless without the second factor
  • Phishing protection: Even if users enter their password on a fake login page, the attacker still lacks the second factor (fully phishing-resistant only with FIDO2/WebAuthn security keys, since one-time codes can still be relayed)
  • Easy to add: Authenticator apps and WebAuthn are integrated in most frameworks and platforms
  • Compliance: 2FA meets requirements of many security and data protection standards
  • User acceptance: With biometrics (fingerprint, Face ID) 2FA is now almost seamless

Disadvantages

  • Extra step: The second factor costs a few seconds per login and can be perceived as annoying
  • Device loss: If the phone or hardware token is lost, a recovery process is needed
  • SMS 2FA is weak: SMS codes can be intercepted via SIM swapping or SS7; prefer authenticator apps or hardware tokens
  • Implementation effort: Integrating 2FA into existing systems requires changes to login flows and user management

Frequently Asked Questions about Two-Factor Authentication (2FA)

Which 2FA method is most secure?

Hardware security keys (FIDO2/WebAuthn, e.g. YubiKey) are considered the most secure because they are phishing-resistant and do not use transferable codes. TOTP apps (Google Authenticator, Authy) also provide good protection. SMS codes are the weakest and should be replaced by authenticator apps or hardware tokens where possible.

What is the difference between 2FA and MFA?

2FA requires exactly two factors. MFA requires at least two and can use three or more. In practice the terms are often used interchangeably because most implementations use two factors. For highly sensitive systems a third factor (e.g. location or behaviour) can be added.

What if I lose my 2FA device?

This is exactly what recovery codes are for: when enabling 2FA, one-time backup codes are generated and should be stored safely. Organizations should define a recovery process (e.g. an identity check by an IT admin). Authenticator apps like Authy offer cloud backup. For hardware tokens, register a second token as a backup.
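An added example (not from the original page) of the recovery-code step described in this answer: generating one-time backup codes at enrolment, persisting only their hashes, and redeeming each code exactly once. The code format (four groups of five hex characters), the eight-code default and the in-memory list standing in for a database row are assumptions made for the example.

```python
# Added example (not from the original page): generating one-time recovery
# codes at 2FA enrolment and redeeming them later. Only hashes are stored;
# each code works exactly once.
import hashlib
import hmac
import secrets
from typing import List, Tuple


def _normalise(code: str) -> str:
    # Users paste codes with spaces, dashes and mixed case; compare a canonical form.
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str) -> str:
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


def generate_recovery_codes(count: int = 8) -> Tuple[List[str], List[str]]:
    """Return (plaintext codes to show the user once, hashes to persist).

    Each code carries 80 bits of randomness (10 bytes), so a plain SHA-256
    is sufficient for storage: offline guessing is infeasible at that entropy.
    """
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(10)  # 20 hex characters from the OS CSPRNG
        codes.append("-".join(raw[i:i + 5] for i in range(0, 20, 5)))
    return codes, [_digest(c) for c in codes]


def redeem_recovery_code(stored_hashes: List[str], submitted: str) -> bool:
    """Consume a recovery code: True once for a valid code, False afterwards.

    `stored_hashes` is the user's persisted list and is mutated in place.
    Every stored hash is compared (no early exit) to keep timing uniform.
    """
    wanted = _digest(submitted)
    match = None
    for h in stored_hashes:
        if hmac.compare_digest(h, wanted):
            match = h
    if match is None:
        return False
    stored_hashes.remove(match)
    return True


if __name__ == "__main__":
    shown_once, persisted = generate_recovery_codes()
    print("show these to the user once:", shown_once)
    print("redeem first code:", redeem_recovery_code(persisted, shown_once[0]))
    print("redeem it again:", redeem_recovery_code(persisted, shown_once[0]))
```

The plaintext codes exist only in the response that shows them to the user; after that the server can verify but never reproduce them, which is the same property a password hash gives you.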


Want to use Two-Factor Authentication (2FA) in your project?

We are happy to advise you on Two-Factor Authentication (2FA) and find the optimal solution for your requirements. Benefit from our experience across over 200 projects.

