Two‑Factor Authentication (2FA)
Home /
Glossary Index /
Alphabet T
What is Two‑Factor Authentication?
Two‑Factor Authentication (2FA) requires users to provide two separate authentication factors before gaining access to a system. The factors must span across these distinct categories:
- 1. Something you know: A password, PIN, or passphrase.
- 2. Something you have: A mobile phone, hardware token, or smart card.
- 3. Something you are: Biometrics like fingerprints or facial recognition.
Types of 2FA (Ranked by Security Level)
|
Method |
How It Works |
Security Level |
Risk Profile |
|
SMS Text |
Code sent via carrier network |
🔴 Low |
Highly vulnerable to SIM swapping and interception. |
|
Email Codes |
Code sent to email inbox |
🔴 Low |
Vulnerable if email account itself is compromised. |
|
TOTP Apps |
Time-based code (Google Auth) |
🟡 Medium |
Safe from SIM swaps, but vulnerable to proxy phishing. |
|
Push Notes |
Approve via prompt on device |
🟡 Medium |
Vulnerable to user “MFA fatigue” approval spam. |
|
Hardware Keys |
FIDO2 Physical key (YubiKey) |
🟢 High |
Cryptographically phishing-resistant. |
NIST Deprecates SMS 2FA
The National Institute of Standards and Technology (NIST) has officially deprecated SMS for two‑factor authentication. Due to the high frequency of SIM-swapping attacks and network interception, text-based codes are no longer considered acceptable for enterprise defense.