Despite the security industry’s best efforts to educate users about the weaknesses of password authentication, awareness remains frustratingly low. Keeper Security recently analyzed 10 million compromised accounts and found that just 25 passwords made up more than half of the list. Nearly 17 percent of users were guarding their accounts with the password “123456.”

The Two-Factor Tide Is Turning

Two-factor authentication (2FA) is an effective supplement to passwords. It adds a second layer of protection by requiring users to enter either something they know or something they have. You use 2FA whenever you withdraw money at an ATM, for example. Your personal identification number (PIN) is effectively the password and your bank card is the second form of authentication.

This is not the same as two-form authentication. The two-form technique uses a second login gate, such as a challenge question, to validate a user’s identity. It is the least effective form of two-factor security, although it’s better than nothing.

Two-factor authentication is widely used behind corporate firewalls, but public adoption has been slow. A Dropbox official told KrebsOnSecurity that less that 1 percent of the company’s customers had taken advantage of its 2FA option. Online services are often reluctant to introduce any inconvenience into the login process. Attitudes are beginning to change, however, largely due to recent, well-publicized thefts of large password files.

Four Forms of Two-Factor Authentication: Pros and Cons

There are several types of 2FA, each with its own strengths and weaknesses. Here’s a quick overview.

SMS Verification

SMS verification is the most popular form of 2FA. Large sites such as Google and Facebook support it, albeit on an opt-in basis. SMS verification uses a cellphone as a second authentication method. When a user logs in, a verification code is sent to his or her phone as an SMS message. The user then must type the code into the login screen to authenticate. Most systems also offer the option to receive a phone call with a spoken code.

  • Pro: The biggest advantage of SMS verification is simplicity. Nearly everyone has a cellphone and the process only takes a few seconds.
  • Con: SMS coverage isn’t universal, and if you can’t get a signal, you can’t get a text. Theft is also a risk, particularly if the victim has stored passwords in plaintext on the device. The thief then essentially has both factors in hand.

Authenticator Apps

An authenticator app also generates a unique code to use as a secondary password each time a user logs in. Unlike SMS verification, however, it does so directly from the device.

When you set up an account, a secret key, called a seed, is stored on the server and sent to your phone or tablet. When you log in, an algorithm spits out a unique code by combining the seed and date/time information. The code is good for a short period, usually 30 to 60 seconds. The same thing happens on the server. If the two codes match, you’re in.

Google Authenticator is the best-known app in this area, but there are many others. Some alternative authenticator apps are unique to certain host applications, while others offer additional bells and whistles such as local encryption.

  • Pro: Authenticator apps provide great protection. They are compatible with multiple host applications and don’t depend on cellular phone networks.
  • Con: For the same reasons as SMS verification, authenticator apps are at risk of data theft. Also, setting up the authenticator can be a bit complex for nontechnical users.

Physical Authentication

This method uses a physical token that either plugs into a USB port or generates a unique passcode to type into the login screen. This security measure is particularly popular with banks and other companies that deal with highly sensitive information.

  • Pro: This is the most secure form of 2FA. A cybercrook would need to steal the token and, even then, wouldn’t have access to the password.
  • Con: Hardware can be costly. If you lose or forget your key, you’re out of luck.


Biometric authentication is the only 2FA method that relies not on something you know, but something you are. Fingerprint scans, retina scans and voice recognition are three forms of biometric security.

  • Pro: In theory, this should be the most resilient form of 2FA. All other forms are vulnerable to compromise, if only because the second factor is information. It’s impossible for a thief to impersonate you directly.
  • Con: In reality, biometrics still has a long way to go before it can be considered a rock-solid security technique. Fraudsters can fool fingerprint readers with impressions made in modeling compounds. They can also circumvent facial recognition software and even iris and retina scans with high-quality video. The technology is improving, but it’s a bit early to go mainstream.

A Simple Way to Prevent a Password Breach

Any form of 2FA is better than none. Implementing any of the above techniques is good for you and everyone who logs in to your site or service because it reduces the risk of a giant password breach. For the best security, physical authentication is the way to go. However, implementing SMS security is cheap and reasonably straightforward.

If you want to know whether or not a website you use supports 2FA, Two Factor Auth is an invaluable resource.

More from Identity & Access

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

What is the Future of Password Managers?

In November 2022, LastPass had its second security breach in four months. Although company CEO Karim Toubba assured customers they had nothing to worry about, the incident didn’t inspire confidence in the world’s leading password manager application. Password managers have one vital job: keep your sensitive login credentials secret, so your accounts remain secure. When hackers compromise these software applications, the entire industry of identity and access management (IAM) takes notice. As an alliance of tech giants leads a global push…

Beware of What Is Lurking in the Shadows of Your IT

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security. IBM Security X-Force responds…