Two-factor authentication (2FA) – often also called two-step verification – is an authentication method in which a user has to present two separate pieces of evidence to prove their identity. When used for logins, this makes it much harder for an unauthorized person to gain access to devices and digital services than when only one factor, typically a password, is used.
Many different things can serve as pieces of evidence (authentication factors), and they are usually divided into three main categories:
- Knowledge factors. Something the user knows, such as a password, PIN code or shared secret.
- Possession factors. Something the user has, such as a smartphone, smart card or one-time password (OTP) security token.
- Inherence factors (biometrics). Something the user is, such as a fingerprint, voice or face.
Two-factor authentication combines factors from two different categories, for example a smartphone and a fingerprint, or a PIN code and a smart card. Two factors of the same kind, such as a password and a PIN, do not make up 2FA, since the same attack (phishing, for instance) captures both at once.
Passwordless 2FA is when neither of the two factors is a password. Examples of products and services enabling 2FA without passwords are:
- The software-based security gateway Nexus Hybrid Access Gateway and the mobile app Nexus Personal Mobile, which let users authenticate using an app on their smartphone and their fingerprint.
- The cloud service Nexus GO Authentication with Swedish mobile BankID, which lets users authenticate using an app on their smartphone and their fingerprint.
2FA methods in which one of the factors is a password or a PIN are also considerably more secure than authentication with only a username and a static password. Examples of products enabling 2FA with passwords or PINs are:
- Nexus Hybrid Access Gateway together with smart cards and smart card readers, which let users authenticate by inserting a smart card in a reader and entering their PIN.
- Nexus Hybrid Access Gateway together with a one-time password (OTP) security token, which lets users authenticate by entering a static password and an OTP.
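To make the password-plus-OTP combination concrete, here is an added example of what the server side of such a login looks like. It is illustrative code written for this page, not code from Nexus or from any of the products above. The OTP algorithm is the standard time-based one-time password of RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits); the `Account`, `login` and `matching_counter` names are hypothetical, and the token seed is the RFC 6238 test vector seed, used so that the codes can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# RFC 6238 parameters (assumed here; a real token's step and digit count
# are configured per deployment)
STEP = 30          # seconds per time step
DIGITS = 6
WINDOW = 1         # accept one step of clock drift either way
PBKDF2_ROUNDS = 100_000


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HMAC-SHA1 TOTP for Unix time `at`, per RFC 6238 / RFC 4226."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record: salted password hash, token seed,
    and the last time step whose OTP was accepted (for replay protection)."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1


def password_ok(acct: Account, password: str) -> bool:
    """Knowledge factor: compare the salted hash in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct.pw_hash)


def matching_counter(acct: Account, code: str, now: int) -> Optional[int]:
    """Possession factor: return the time step within the drift window whose
    OTP equals `code` and that has not been used before, or None.
    Does not mutate the account."""
    current = now // STEP
    for c in range(current - WINDOW, current + WINDOW + 1):
        if c <= acct.last_counter:
            continue                                   # already consumed: replay
        if hmac.compare_digest(totp(acct.totp_secret, c * STEP), code):
            return c
    return None


def login(acct: Account, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors are always evaluated, and the OTP is consumed only when
    both pass: a wrong password cannot be used to burn valid codes, and the
    check does not short-circuit on whichever factor failed first."""
    if now is None:
        now = int(time.time())
    pw = password_ok(acct, password)
    c = matching_counter(acct, code, now)
    if pw and c is not None:
        acct.last_counter = c
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test seed, so the codes are checkable
    acct = Account("correct horse", b"12345678901234567890")
    print(login(acct, "correct horse", "050471", now=1111111111))  # True
    print(login(acct, "correct horse", "050471", now=1111111111))  # False: replay
```

Two points a practitioner would want from this: the static password alone never gets in, and a captured OTP is single-use even inside the drift window, because the server remembers the highest time step it has already accepted. Real deployments also rate-limit OTP attempts, since a 6-digit code with a 90-second acceptance window is guessable under unlimited tries.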
2FA methods should ideally be used together with single sign-on (SSO), where a user logs in once to get access to a range of independent systems. SSO is especially recommended when the 2FA method involves OTPs, since it is inconvenient for the user to enter a new OTP for every single service.