*This post was updated in May 22.*
How does two-factor authentication work?
Two-factor authentication, also commonly referred to as two-step verification, requires an online account holder to present two separate passwords before being allowed to log in to their account.
The first password is the user’s primary account password. The second password is sent to a separate location—typically a mobile device—as a unique, time-sensitive security token that expires in a pre-defined period of time (e.g., 10 minutes).
This second password is known in the industry as a one-time password (OTP), and is often sent via SMS or IP to the user’s personal mobile device.
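The issue-and-verify flow described above, as an added example that is not code from the original post: the server generates a short random code, stores only a hash of it together with an expiry (the 10-minute window from the text), delivers the plaintext out of band (the SMS or app delivery step is left to the caller), and accepts it once. The in-memory store, the injectable clock, the six-digit length and the five-guess limit are assumptions made for this example.

```python
"""Minimal one-time-password (OTP) second-step flow: issue, deliver out of band, verify once."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 600     # the "pre-defined period" from the text: 10 minutes
MAX_ATTEMPTS = 5          # assumed guess limit per issued code


@dataclass
class PendingOtp:
    digest: bytes         # SHA-256 of the code; the plaintext is never stored server-side
    expires_at: float     # absolute time (seconds) after which the code is dead
    attempts: int = 0     # wrong guesses so far


class OtpService:
    """Issues and verifies one-time codes. `clock` is any zero-arg callable returning seconds."""

    def __init__(self, clock):
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}   # assumption: in-memory store keyed by user id

    def issue(self, user_id: str) -> str:
        # secrets.randbelow gives a CSPRNG value; zero-pad so every code has OTP_DIGITS digits.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        digest = hashlib.sha256(code.encode()).digest()
        # Re-issuing replaces any earlier pending code for this user.
        self._pending[user_id] = PendingOtp(digest, self._clock() + OTP_TTL_SECONDS)
        return code   # the caller sends this to the user's device; it is never logged

    def verify(self, user_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                     # nothing outstanding, or already consumed
        if self._clock() >= entry.expires_at:
            del self._pending[user_id]       # expired: discard so it cannot be retried later
            return False
        entry.attempts += 1
        supplied = hashlib.sha256(code.encode()).digest()
        ok = hmac.compare_digest(supplied, entry.digest)   # constant-time comparison
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]       # one-time use, and invalidate after too many guesses
        return ok


class FakeClock:
    """Deterministic clock so the expiry path can be exercised without sleeping."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through the happy path, replay, expiry and guess-limit cases; returns the outcomes."""
    clock = FakeClock(1_000.0)
    svc = OtpService(clock)

    code = svc.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "wrong_code_rejected": svc.verify("alice", wrong),
        "correct_code_accepted": svc.verify("alice", code),
        "replay_rejected": svc.verify("alice", code),      # same code a second time
    }

    code2 = svc.issue("alice")
    clock.advance(OTP_TTL_SECONDS + 1)                      # step past the 10-minute window
    results["expired_code_rejected"] = svc.verify("alice", code2)

    code3 = svc.issue("alice")
    wrong3 = "000000" if code3 != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong3)
    results["locked_after_max_attempts"] = svc.verify("alice", code3)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the prose glosses over are visible here: the server keeps a hash rather than the code itself, so a database read does not hand an attacker a usable token, and the code is deleted on first successful use, which is what makes it genuinely "one-time".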
If online users had had two-step authentication on their accounts, an attacker would have needed both their primary password as well as their temporary, one-time-use password before it expired to gain access to users’ personal information.
Benefits of two-factor authentication
With two-factor authentication in place, even if an Internet attacker has stolen a user’s online account password by exploiting a vulnerability such as the Heartbleed bug, they cannot log in without also having that one-time password, which is sent to the user’s mobile phone.
Benefits of 2FA are:
- Lower probability of an Internet attacker gaining access to an account, resulting in fewer security breaches
- Lower total costs of disruption
- An additional protection option that can be advertised to account holders; having this option available reduces the reputation risk following a security breach
As the Heartbleed bug demonstrated, any breach to consumer account security—especially involving a consumer’s sensitive or private data—can result in significant costs and reputation damage for the company.
In the next post in this series, we’ll discuss best practices for implementing two-factor authentication at the enterprise level. Want a more in-depth discussion? Read the full whitepaper.