Despite the security industry’s best efforts to educate users about the weaknesses of password authentication, awareness remains frustratingly low. Keeper Security recently analyzed 10 million compromised accounts and found that just 25 passwords made up more than half of the list. Nearly 17 percent of users were guarding their accounts with the password “123456.”

The Two-Factor Tide Is Turning

Two-factor authentication (2FA) is an effective supplement to passwords. It adds a second layer of protection by requiring users to present something they have in addition to something they know. You use 2FA whenever you withdraw money at an ATM, for example. Your personal identification number (PIN) is effectively the password and your bank card is the second form of authentication.

This is not the same as two-form authentication. The two-form technique uses a second login gate, such as a challenge question, to validate a user’s identity. It is the least effective form of two-factor security, although it’s better than nothing.

Two-factor authentication is widely used behind corporate firewalls, but public adoption has been slow. A Dropbox official told KrebsOnSecurity that less than 1 percent of the company’s customers had taken advantage of its 2FA option. Online services are often reluctant to introduce any inconvenience into the login process. Attitudes are beginning to change, however, largely due to recent, well-publicized thefts of large password files.

Four Forms of Two-Factor Authentication: Pros and Cons

There are several types of 2FA, each with its own strengths and weaknesses. Here’s a quick overview.

SMS Verification

SMS verification is the most popular form of 2FA. Large sites such as Google and Facebook support it, albeit on an opt-in basis. SMS verification uses a cellphone as a second authentication method. When a user logs in, a verification code is sent to his or her phone as an SMS message. The user then must type the code into the login screen to authenticate. Most systems also offer the option to receive a phone call with a spoken code.

  • Pro: The biggest advantage of SMS verification is simplicity. Nearly everyone has a cellphone and the process only takes a few seconds.
  • Con: SMS coverage isn’t universal, and if you can’t get a signal, you can’t get a text. Theft is also a risk, particularly if the victim has stored passwords in plaintext on the device. The thief then essentially has both factors in hand.

Authenticator Apps

An authenticator app also generates a unique code to use as a secondary password each time a user logs in. Unlike SMS verification, however, it does so directly from the device.

When you set up an account, a secret key, called a seed, is stored on the server and sent to your phone or tablet. When you log in, an algorithm spits out a unique code by combining the seed and date/time information. The code is good for a short period, usually 30 to 60 seconds. The same thing happens on the server. If the two codes match, you’re in.

Google Authenticator is the best-known app in this area, but there are many others. Some alternative authenticator apps are unique to certain host applications, while others offer additional bells and whistles such as local encryption.
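The seed-plus-time scheme described above is the time-based one-time password (TOTP) algorithm of RFC 6238, built on the HMAC-based HOTP of RFC 4226. The following is an added example, not code from the original article or from any authenticator vendor: it enrolls a seed, derives the code the way both the phone and the server do, and shows the two checks a server should add when comparing codes: a small clock-drift window and rejection of a code that has already been accepted. Function names and the constructed sample values are the example's own.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def new_seed(length: int = 20) -> tuple[bytes, str]:
    """Generate a random seed at enrollment.

    Returns the raw bytes the server stores and the base32 form that is
    typically shown to the user (or embedded in a QR code) for the app.
    """
    raw = secrets.token_bytes(length)
    return raw, base64.b32encode(raw).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, *,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1):
    """Server-side check. Returns the matched counter, or None.

    - `window` accepts codes from neighbouring periods to tolerate clock drift
      between phone and server (one step either side is the usual choice).
    - `last_counter` is the highest counter the server has already accepted
      for this user; anything at or below it is refused so a captured code
      cannot be replayed inside its validity period.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    # Constructed walk-through using the RFC 6238 reference seed.
    seed = b"12345678901234567890"
    now = 59                                  # seconds since the epoch (counter 1)
    code = totp(seed, now, digits=8)
    print("app shows:", code)                  # 94287082 per RFC 6238

    accepted = verify_totp(seed, code, now, digits=8)
    print("server accepts, counter =", accepted)

    # The same code presented again is refused once its counter is recorded.
    print("replay accepted?", verify_totp(seed, code, now, digits=8,
                                          last_counter=accepted))
```

The server persists the seed and the last accepted counter per user; the app needs only the seed and a reasonably accurate clock, which is why no network is required on the phone side. Six digits is the common default; the RFC test vectors above use eight.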

  • Pro: Authenticator apps provide great protection. They are compatible with multiple host applications and don’t depend on cellular phone networks.
  • Con: For the same reasons as SMS verification, authenticator apps are at risk of data theft. Also, setting up the authenticator can be a bit complex for nontechnical users.

Physical Authentication

This method uses a physical token that either plugs into a USB port or generates a unique passcode to type into the login screen. This security measure is particularly popular with banks and other companies that deal with highly sensitive information.

  • Pro: This is the most secure form of 2FA. A cybercrook would need to steal the token and, even then, wouldn’t have access to the password.
  • Con: Hardware can be costly. If you lose or forget your key, you’re out of luck.

Biometric Authentication
Biometric authentication is the only 2FA method that relies not on something you know, but something you are. Fingerprint scans, retina scans and voice recognition are three forms of biometric security.

  • Pro: In theory, this should be the most resilient form of 2FA. All other forms are vulnerable to compromise, if only because the second factor is information. It’s impossible for a thief to impersonate you directly.
  • Con: In reality, biometrics still has a long way to go before it can be considered a rock-solid security technique. Fraudsters can fool fingerprint readers with impressions made in modeling compounds. They can also circumvent facial recognition software and even iris and retina scans with high-quality video. The technology is improving, but it’s a bit early to go mainstream.

A Simple Way to Prevent a Password Breach

Any form of 2FA is better than none. Implementing any of the above techniques is good for you and everyone who logs in to your site or service because it reduces the risk of a giant password breach. For the best security, physical authentication is the way to go. However, implementing SMS security is cheap and reasonably straightforward.

If you want to know whether or not a website you use supports 2FA, Two Factor Auth is an invaluable resource.
