January 30, 2017 | By Paul Gillin

Despite the security industry’s best efforts to educate users about the weaknesses of password authentication, awareness remains frustratingly low. Keeper Security recently analyzed 10 million compromised accounts and found that just 25 passwords made up more than half of the list. Nearly 17 percent of users were guarding their accounts with the password “123456.”

The Two-Factor Tide Is Turning

Two-factor authentication (2FA) is an effective supplement to passwords. It adds a second layer of protection by requiring users to present something they have in addition to something they know. You use 2FA whenever you withdraw money at an ATM, for example. Your personal identification number (PIN) is effectively the password and your bank card is the second form of authentication.

This is not the same as two-form authentication. The two-form technique uses a second login gate, such as a challenge question, to validate a user’s identity. It is the least effective form of two-factor security, although it’s better than nothing.

Two-factor authentication is widely used behind corporate firewalls, but public adoption has been slow. A Dropbox official told KrebsOnSecurity that less than 1 percent of the company’s customers had taken advantage of its 2FA option. Online services are often reluctant to introduce any inconvenience into the login process. Attitudes are beginning to change, however, largely due to recent, well-publicized thefts of large password files.

Four Forms of Two-Factor Authentication: Pros and Cons

There are several types of 2FA, each with its own strengths and weaknesses. Here’s a quick overview.

SMS Verification

SMS verification is the most popular form of 2FA. Large sites such as Google and Facebook support it, albeit on an opt-in basis. SMS verification uses a cellphone as a second authentication method. When a user logs in, a verification code is sent to his or her phone as an SMS message. The user then must type the code into the login screen to authenticate. Most systems also offer the option to receive a phone call with a spoken code.

  • Pro: The biggest advantage of SMS verification is simplicity. Nearly everyone has a cellphone and the process only takes a few seconds.
  • Con: SMS coverage isn’t universal, and if you can’t get a signal, you can’t get a text. Theft is also a risk, particularly if the victim has stored passwords in plaintext on the device. The thief then essentially has both factors in hand.

Authenticator Apps

An authenticator app also generates a unique code to use as a secondary password each time a user logs in. Unlike SMS verification, however, it does so directly from the device.

When you set up an account, a secret key, called a seed, is stored on the server and sent to your phone or tablet. When you log in, an algorithm spits out a unique code by combining the seed and date/time information. The code is good for a short period, usually 30 to 60 seconds. The same thing happens on the server. If the two codes match, you’re in.

Google Authenticator is the best-known app in this area, but there are many others. Some alternative authenticator apps are unique to certain host applications, while others offer additional bells and whistles such as local encryption.

  • Pro: Authenticator apps provide great protection. They are compatible with multiple host applications and don’t depend on cellular phone networks.
  • Con: For the same reasons as SMS verification, authenticator apps are at risk of data theft. Also, setting up the authenticator can be a bit complex for nontechnical users.

Physical Authentication

This method uses a physical token that either plugs into a USB port or generates a unique passcode to type into the login screen. This security measure is particularly popular with banks and other companies that deal with highly sensitive information.

  • Pro: This is the most secure form of 2FA. A cybercrook would need to steal the token and, even then, wouldn’t have access to the password.
  • Con: Hardware can be costly. If you lose or forget your key, you’re out of luck.

Biometric Authentication

Biometric authentication is the only 2FA method that relies not on something you know, but something you are. Fingerprint scans, retina scans and voice recognition are three forms of biometric security.

  • Pro: In theory, this should be the most resilient form of 2FA. All other forms are vulnerable to compromise, if only because the second factor is information. It’s impossible for a thief to impersonate you directly.
  • Con: In reality, biometrics still has a long way to go before it can be considered a rock-solid security technique. Fraudsters can fool fingerprint readers with impressions made in modeling compounds. They can also circumvent facial recognition software and even iris and retina scans with high-quality video. The technology is improving, but it’s a bit early to go mainstream.

A Simple Way to Prevent a Password Breach

Any form of 2FA is better than none. Implementing any of the above techniques is good for you and everyone who logs in to your site or service because it reduces the risk of a giant password breach. For the best security, physical authentication is the way to go. However, implementing SMS security is cheap and reasonably straightforward.

If you want to know whether or not a website you use supports 2FA, Two Factor Auth is an invaluable resource.
