
Two-factor authentication

Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.

Name: Two-factor authentication
Other names: 2FA, multi-factor authentication
Type: Security mechanism

Two-factor authentication is an access control method requiring two different types of evidence to verify identity before granting access. It augments single-credential systems by combining distinct proof elements drawn from separate sources to reduce unauthorized access risks in contexts ranging from financial services to cloud platforms. Major technology vendors, standards bodies, and financial regulators have driven deployment across consumer services, enterprise networks, and critical infrastructure.

Overview

Two-factor authentication enhances protection for accounts by requiring two independent verifiers rather than a single secret, as practiced in systems deployed by Google, Microsoft, Apple Inc., Amazon, and large banks such as JPMorgan Chase and HSBC. Early commercial and academic work on multi-step identity verification influenced later products from RSA Security, Yubico, and Duo Security, while regulatory frameworks like the Payment Card Industry Data Security Standard and directives from the European Central Bank encouraged broader adoption. High-profile breaches at organizations such as Target Corporation and Equifax accelerated enterprise interest, and public-sector guidance from agencies including the National Institute of Standards and Technology shaped risk-based recommendations.

Authentication factors

Authentication factors are commonly categorized into three classes: something you know, something you have, and something you are, with examples used by providers like PayPal, Mastercard, and Visa. For something you know, historical and modern examples include passwords used at Yahoo! and passphrases advocated by Bruce Schneier; for something you have, hardware tokens from RSA Security and devices from Yubico and Google's Titan program illustrate possession-based proofs; for something you are, biometric modalities such as fingerprint readers in Apple Inc. devices, facial recognition used by Facebook, and iris scanners studied by researchers at MIT and Stanford University illustrate inherence-based proofs. Many deployments also incorporate environmental or behavioral signals analyzed by platforms from Splunk and Okta.

Implementation methods

Common implementations pair a primary credential with a secondary channel such as one-time passwords, push notifications, hardware tokens, or biometric checks used by services like Dropbox, Slack, Salesforce, and GitHub. One-time passcodes are generated using algorithms standardized by Internet Engineering Task Force specifications and implemented in apps like Google Authenticator and devices from Yubico; push-based approval flows are offered by vendors including Duo Security and Auth0; Universal Second Factor devices comply with standards promoted by the FIDO Alliance and are integrated into platforms from Microsoft and Intel. SMS-based codes, used historically by telecoms such as Verizon Communications and AT&T, remain common despite security concerns documented by researchers at Princeton University and the University of Cambridge.

Security benefits and limitations

Two-factor authentication significantly reduces risk from credential stuffing, phishing, and password reuse incidents affecting platforms like LinkedIn, Adobe Systems, and Dropbox, and has been recommended by NIST and privacy advocates such as the Electronic Frontier Foundation. However, certain second factors are vulnerable: SMS interception and SIM swap attacks targeting subscribers of carriers like T-Mobile US and Vodafone Group have compromised accounts; malware and session-hijacking techniques observed in incidents at Sony Pictures Entertainment illustrate endpoint risks; biometric spoofing demonstrated by research teams at Cambridge University and the University of Michigan highlights limits of fingerprint and face modalities. Usability trade-offs and recovery processes can introduce social-engineering vectors exploited in breaches involving organizations like Twitter.

Standards and protocols

Standards underpinning implementations include time-based one-time password algorithms formalized by the Internet Engineering Task Force and adopted in RFCs referenced by vendors including Microsoft and Google. Public-key-based approaches advanced by the FIDO Alliance, with specifications implemented by Yubico, Google, and Apple Inc., aim to eliminate shared secrets. Protocols integrating multi-factor checks into federated identity include SAML (Security Assertion Markup Language) used by enterprises, OAuth 2.0 flows leveraged by platforms like Facebook and GitHub, and OpenID Connect deployments supported by Okta and Auth0.
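To make the IETF one-time-password standards named here and under Implementation methods concrete, the following is an added Python example (not code from the page): an HOTP/TOTP generator following RFC 4226 and RFC 6238, plus a server-side verifier that compares codes in constant time, tolerates one step of clock drift, and refuses a code that was already accepted. The demo secret is the RFCs' published test key; its Base32 form is assumed to be what an authenticator app would import from a provisioning URI.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII test key used in the RFC 4226 / RFC 6238 test
# vectors, and its Base32 form as an authenticator app would import it.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode a provisioning secret; tolerates lowercase, spaces and missing '=' padding."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps (default 30 s)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the matched time step, or None if the code is rejected.

    - compares with hmac.compare_digest, never with ==, to avoid timing leaks;
    - accepts +/- `window` steps so modest clock drift does not lock users out;
    - refuses any step <= last_counter, so an already-used code cannot be replayed.
    The caller must persist the returned step as the new last_counter.
    """
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter, digits), code) and counter > last_counter:
            return counter
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    current = totp(secret_from_base32(DEMO_SECRET_B32), now)
    print("code:", current, "accepted at step:", verify_totp(DEMO_SECRET, current, now))
```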

Adoption and usability

Adoption varies across sectors: financial institutions such as Bank of America and Wells Fargo and government services in countries like the United Kingdom and Estonia have strong mandates, while consumer services from Twitter and Instagram show voluntary opt-in models promoted by security teams at Google and Microsoft. Usability research conducted at Carnegie Mellon University and Stanford University evaluates friction, accessibility, and fallback procedures; enterprise identity providers including Ping Identity and OneLogin offer single sign-on integrations to reduce repeated prompts. Push-based and device-bound methods generally yield higher user acceptance, as reported by studies at Nielsen Norman Group.

Attacks and bypasses

Adversaries exploit weaknesses in implementations via SIM swapping coordinated against subscribers of carriers like Sprint Corporation and AT&T, phishing kits targeted at users of services such as Gmail and Dropbox, and man-in-the-middle frameworks used in compromises of organizations like RSA Security and Sony. Advanced persistent threats associated with state-level actors, traced to groups identified by researchers at Mandiant and Kaspersky Lab, use credential theft combined with session replay and browser-based token theft. Mitigations promoted by industry and standards bodies including NIST, the FIDO Alliance, and incident response teams at CISA emphasize phishing-resistant authenticators, hardware-backed keys from Yubico and Google's Titan, and robust recovery procedures.

Category:Computer security