Learn about different types of two factor authentication and the pros and cons of each.
Two Factor Authentication (2FA or TFA) is the technical term for the process of requiring a user to verify their identity in two unique ways before they are granted access to the system. Traditionally, users have relied on and are accustomed to authentication systems that require them to provide a unique identifier such as an email address, username or phone number and a correct password or pin to gain access to the system.
2FA extends this paradigm by adding an additional step to the authentication process, most commonly requiring the user to enter a one-time token that is dynamically generated and delivered through a method that only the user has access to. Another common method is to use the users biometric data such as fingerprints or retina as a second factor.
Two Factor Authentication is not new, in fact the technology was conceived way back in 1984. It is increasingly important in the modern world as more and more of our lives, both personal and business, move to digital mediums and the threats of hacking, theft and loss of access can have dire consequences.
For years, companies have tried to enhance the security of user authentication by requiring ever increasing requirements like length of password, special character requirements, requiring the user to change their password frequently, sophisticated hashing and salting algorithms that conceal the actual password and much more. At the end of the day, a password only system is still vulnerable as users tend to use the same password across multiple systems, phishing and social engineering techniques that get the user to unknowingly reveal their password are all too common and many other scenarios can lead to a password being compromised.
Two Factor Authentication gives the user and system administrator a peace of mind as it ensures that even if the users password is compromised the account cannot be accessed without also knowing not only the method used as the second factor but also having access to the second factor such as a dynamically generated one-time password (OTP) or biological token.
Two factor authentication is based on the user providing two of the following three “somethings”:
Learning the password or pin for an account is what most hackers go after. Accessing a physical token generator or getting biological features is harder and the reason why 2FA is effective in providing greater security for user accounts.
There are numerous ways to implement 2FA. They all have their pros and cons, but all significantly increase the security of user accounts when implemented. The key takeaway from all of the methods discussed below is that once the user has verified their username and password, they are required to enter a second password that is dynamically generated and constantly changing before they can access the system.
Companies often implement additional rules for when and how 2FA is used. The user may not need to use 2FA if they are within the company intranet or on a device they previously used 2FA to login. In other cases, the user may need to use 2FA every single time they authenticate. Auth0 supports these and other custom implementation rules to meet business needs.
Perhaps the most common method of implementing 2FA. This method sends the user a unique token via SMS text message, normally a 5-10 digit code, after they have successfully entered their username and password. The user then needs to provide this unique token before they are granted access.
Another fairly common method of two factor authentication. This method is very similar to the SMS method above but common implementations include having the user enter a 5-10 alpha-numeric token or clicking a link provided in the email. Dynamically generated one-time passwords are also used here.
This method is common in enterprise environments but can be used in any system. The way this method works is the user is given a physical device such a key fob, USB dongle or other device that dynamically generates a token for the user. These tokens are generally valid for only short periods of time, some as low as 30 seconds, and constantly change.
Software tokens require the user to download and install an application that runs on their computer or mobile device that dynamically generates tokens for the user. With the rise of smartphones – this method is gaining popularity. Software tokens work similarly to hardware tokens in that they are randomly generated and last a brief period of time before changing but developers can choose a number of different implementations to meet the business needs.
This method of 2FA calls the user once they have authenticated their username and password and provides them with the token. This is perhaps the most inconvenient method for the end-user but is a viable and common method of delivering dynamic tokens to the user.
This method of 2FA is unique and different from the others we mentioned so far. Biometric verification relies on the actual user being the token. A unique feature such as the users fingerprints or retina is used to verify that the user is who they say they are.
Implementing 2FA with Auth0 is easy and simple. You can implement 2FA with our Guardian app or with third-party 2FA providers. Out-of-the-box we provide two popular 2FA providers, Google Authenticator and Duo, which can be setup with minimal effort in just a few minutes.
Additionally, you can implement custom providers and rules to enhance and fine-tune the workflow for 2FA to meet the needs of your business. Let’s see how this process works with Guardian.
Implementing 2FA with Auth0 and Guardian can be done in as little as two steps.
Save your changes and 2FA with Guardian will be enabled for your app! The next time a user attempts to login they will be prompted to setup 2FA before gaining access to your app.
Adaptative Context-aware Multifactor allows you to enforce 2FA or additional layers of authentication based on different conditions such as: geographic location, time of day/week, type of network, custom domains, certain IPs or any arbitrary condition that can be expressed in code on the Auth0 platform.
By default 2FA is requested only once per month, but you can enforce it to be requested every time the user logs on, or even define your own rules to trigger 2FA.
You can define rules such as when accessing mission-critical applications from outside of your company’s intranet, when accessing from a different device or from a new location.