January 30, 2017 | By Paul Gillin

Despite the security industry’s best efforts to educate users about the weaknesses of password authentication, awareness remains frustratingly low. Keeper Security recently analyzed 10 million compromised accounts and found that just 25 passwords made up more than half of the list. Nearly 17 percent of users were guarding their accounts with the password “123456.”

The Two-Factor Tide Is Turning

Two-factor authentication (2FA) is an effective supplement to passwords. It adds a second layer of protection by requiring users to present something they have in addition to something they know. You use 2FA whenever you withdraw money at an ATM, for example. Your personal identification number (PIN) is effectively the password and your bank card is the second form of authentication.

This is not the same as two-form authentication. The two-form technique uses a second login gate, such as a challenge question, to validate a user’s identity. It is the least effective form of two-factor security, although it’s better than nothing.

Two-factor authentication is widely used behind corporate firewalls, but public adoption has been slow. A Dropbox official told KrebsOnSecurity that less than 1 percent of the company’s customers had taken advantage of its 2FA option. Online services are often reluctant to introduce any inconvenience into the login process. Attitudes are beginning to change, however, largely due to recent, well-publicized thefts of large password files.

Four Forms of Two-Factor Authentication: Pros and Cons

There are several types of 2FA, each with its own strengths and weaknesses. Here’s a quick overview.

SMS Verification

SMS verification is the most popular form of 2FA. Large sites such as Google and Facebook support it, albeit on an opt-in basis. SMS verification uses a cellphone as a second authentication method. When a user logs in, a verification code is sent to his or her phone as an SMS message. The user then must type the code into the login screen to authenticate. Most systems also offer the option to receive a phone call with a spoken code.

  • Pro: The biggest advantage of SMS verification is simplicity. Nearly everyone has a cellphone and the process only takes a few seconds.
  • Con: SMS coverage isn’t universal, and if you can’t get a signal, you can’t get a text. Theft is also a risk, particularly if the victim has stored passwords in plaintext on the device. The thief then essentially has both factors in hand.

Authenticator Apps

An authenticator app also generates a unique code to use as a secondary password each time a user logs in. Unlike SMS verification, however, it does so directly from the device.

When you set up an account, a secret key, called a seed, is stored on the server and sent to your phone or tablet. When you log in, an algorithm spits out a unique code by combining the seed and date/time information. The code is good for a short period, usually 30 to 60 seconds. The same thing happens on the server. If the two codes match, you’re in.
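The seed-plus-time scheme described above is the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) that Google Authenticator and most other authenticator apps implement. The following is an added example, not code from the article or from any authenticator product: it generates the code the phone would display and shows the server-side check with a small clock-drift window, constant-time comparison and replay protection. The seed is the constructed ASCII secret from the RFC test vectors, and the function names are my own.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo seed: the ASCII secret used in the RFC 4226/6238 test vectors.
# A real seed is random, shared once at enrollment and stored encrypted.
DEMO_SEED = b"12345678901234567890"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1):
    """Server-side check. Returns the matching counter, or None if the code is
    wrong. Accepts the current step plus/minus `window` steps to tolerate clock
    drift, refuses any counter at or before the last accepted one (so a
    captured code cannot be replayed), and compares in constant time."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue                                  # already used or older
        if hmac.compare_digest(hotp(seed, candidate, digits), submitted):
            return candidate
    return None

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)                       # what the phone shows
    print("code:", code, "accepted at counter:", verify_totp(DEMO_SEED, code, now))
```

The caller persists the counter returned by `verify_totp` per account and passes it back as `last_counter` on the next login; that is what turns a time-window check into one-time use.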

Google Authenticator is the best-known app in this area, but there are many others. Some alternative authenticator apps are unique to certain host applications, while others offer additional bells and whistles such as local encryption.

  • Pro: Authenticator apps provide great protection. They are compatible with multiple host applications and don’t depend on cellular phone networks.
  • Con: For the same reasons as SMS verification, authenticator apps are at risk of data theft. Also, setting up the authenticator can be a bit complex for nontechnical users.

Physical Authentication

This method uses a physical token that either plugs into a USB port or generates a unique passcode to type into the login screen. This security measure is particularly popular with banks and other companies that deal with highly sensitive information.

  • Pro: This is the most secure form of 2FA. A cybercrook would need to steal the token and, even then, wouldn’t have access to the password.
  • Con: Hardware can be costly. If you lose or forget your key, you’re out of luck.

Biometric Authentication

Biometric authentication is the only 2FA method that relies not on something you know, but something you are. Fingerprint scans, retina scans and voice recognition are three forms of biometric security.

  • Pro: In theory, this should be the most resilient form of 2FA. All other forms are vulnerable to compromise, if only because the second factor is information. It’s impossible for a thief to impersonate you directly.
  • Con: In reality, biometrics still has a long way to go before it can be considered a rock-solid security technique. Fraudsters can fool fingerprint readers with impressions made in modeling compounds. They can also circumvent facial recognition software and even iris and retina scans with high-quality video. The technology is improving, but it’s a bit early to go mainstream.

A Simple Way to Prevent a Password Breach

Any form of 2FA is better than none. Implementing any of the above techniques is good for you and everyone who logs in to your site or service because it reduces the risk of a giant password breach. For the best security, physical authentication is the way to go. However, implementing SMS security is cheap and reasonably straightforward.

If you want to know whether or not a website you use supports 2FA, Two Factor Auth is an invaluable resource.
