Two factor authentication is an account security measure you can find across the internet. But how does two factor authentication work? We’ll break down how 2FA works and provide examples of real-world 2FA applications

 What is 2FA and how does two factor authentication work? Two factor authentication (2FA) is a type of multi-factor authentication — a verification security process that makes accounts more secure. It’s thought to offer greater security than using traditional passwords alone.

The concept of two factor authentication rests on the idea that you need to provide two identifying factors to prove your identity to gain access to your account. This helps to prevent unauthorized users from accessing your sensitive information or secure resources. There are three traditional authentication factor categories that authentication processes can use to verify identity:

  • Something you know — a secret identifier such as a password or a one-time PIN (OTP).
  • Something you have — a physical identifier through possession of something tangible (such as a mobile device with an authentication app, common access card (CAC), security fob or token).
  • Something you are – physical identifiers of your biological form such as fingerprints, facial scans and other biometrics.

This verification method helps you demonstrate that you’re really you and aren’t an imposter who is trying to gain unauthorized access to the account. In 2004, Bill Gates said passwords were dead, predicting smart cards and 64-bit computing as the future of IT. Now in 2021, we see that Gates didn’t quite hit the nail on the head. Passwords aren’t quite dead — they’ve just evolved into longer, more secure passphrases.  The FBI recommends the use of secure passphrases instead of traditional passwords.

So, now that we know what two factor authentication is, let’s jump right into answering the question “how does two factor authentication work?”

How Does Two Factor Authentication Work?

As the first step in understanding how two factor authentication works, let’s look at a graphical representation of the concept:

A diagram that demonstrates how two factor authentication works
A basic illustration that answers the question “how does two factor authentication work?”

The above figure illustrates the factors considered for the 2FA and where they come into play during the authentication process.

The concept of two factor authentication rests on the fact that you need more than just the traditional username and password combination to access your account. Why? Traditional passwords aren’t perfect and leave more to be desired where security is concerned. Many users rely on passwords that are easy to guess (brute force) or crack using other password cracking methods.

Kaspersky, the Russian cyber security giant, observed a 242% increase in remote desktop protocol (RDP) brute force attacks with numbers reaching 3.3 billion in 2020. The attackers typically tried to brute force username-password combinations during these attacks to force their way into these accounts. 

The use of weak or recycled passwords is such a big issue that some 2FA systems may not even require the use of a password at all to avoid this issue and may rely on one of the other two factor categories instead.

But all that aside, let’s get back to explaining how 2FA works. We’ll let’s continue with the example of 2FA that uses a password as the first factor (for the sake of ease). Once you have entered the username and password, you’re expected to prove your identity through an additional verification method to prove that you (not someone else) entered your password. A few examples of how you can do this include:

  • Signing into an authenticator app on your phone such as Google Authenticator.
  • Plugging in a security token such as a Yubi key.
  • Enabling the device to scan your face, fingerprint, or another biometric factor.

How 2FA Protects Against Stolen Passwords & Devices

The idea here is that to authenticate successfully, you must provide all of the necessary identifying factors within a specified amount of time. If you don’t provide both identifiers (such as a password and an authentication app code, or an authentication app code and a fingerprint scan), then the authentication process fails.  

This means that even if your password gets exposed in a data breach or leak, or if someone steals it through phishing, they can’t access your account without having access to that other identifying factor. This means they’re need to be in possession of your biometrics or have access to your physical device (such as your phone with the authenticator app or a security token). They can’t just use one identifier or the other to gain access to your account — they require access to both.

Check out this great video by Computerphile that helps to answer the question “how does 2 factor authentication work?” in a more technical sense:

Breaking Down the Three 2FA Authentication Factor Categories

Let’s explore each of the three authentication factor categories a bit more in depth.

Knowledge Factor (Something You Know)

How does two factor authentication work? An illustrative graphic of a padlock with a knowledge factor illustrated as cogwheels in someone's brain stamped on a padlock

The first factor for authentication is the knowledge factor. The knowledge factor includes something you know or some secret such as:

  • A password or passphrase,
  • The answer to a secret question,
  • A personal identification number (PIN), or
  • An SMS-based one-time password (OTP).

To furnish the username and a password is essentially considered one factor as both belong in the same category — knowledge. Contrary to popular belief, an SMS-based OTP is an example of a knowledge factor because it doesn’t require physical access to a mobile device. (SMS text messages can be intercepted and aren’t as secure as you might think.)

Basically, the knowledge factor is the most basic way to prove your identity since you’re the only one who should be privy to your secret information. It authorizes you to interact with the system. As opposed to single factor authentication (SFA), where this information would be enough to give you access, 2FA mandates the authentication of a second factor. This provides your identity to the system.

As shown in the above figure, if you fail to input the correct combination of username and password within the limited number of attempts allowed by the system, the system will lock you out until you can verify that it’s you who is trying to gain access.

Possession Factor (Something You Have)

How does 2 factor authentication work? An illustrative graphic of a padlock with a possession factor (something-you-have factor) that's illustrated as a handling holding a physical device stamped on a padlock

Possession is a second category of authentication factors and includes something you physically have such as a piece of security hardware or a mobile app installed on your phone.  This factor can be used as a second factor in combination with either a knowledge factor (such as a password) or an inherence factor (such as a Face ID). The use of the possession factor in authentication improves your account security.

Let’s look at some of the possession identifiers that can serve as a second authentication factor:

  • RSA tokens,
  • USB drives,
  • Mobile authenticator apps,
  • Mobile devices’ integrated security keys,
  • Chipped credit or debit cards,
  • Common access cards (CACs), and
  • Key fobs.

In some ways, using a physical token is like using a traditional lock and key. A lock won’t open until and unless you insert and turn the correct key for that lock. In much the same way, the possession factor works on the same principle for 2FA because you need to have access to the device or software installed on it.

A common example of how you might use two factor authentication in your everyday life can be found inside your wallet. When you use your debit card at an ATM, you must prove that you have possession of the card by inserting the card’s chip into the machine, and then you’ll need to prove your knowledge by entering your PIN. If the card or the PIN you enter doesn’t match the account, the ATM can reject the verification and lock the person out or destroy the card after a certain number of failed access attempts.

Inherence Factor (Something You Are)

How does 2 factor authentication work? An illustrative graphic of a padlock with an inheritance factor illustrated as a fingerprint that's stamped on a padlock

Inherence is something you are, meaning something that’s inherently yours and can’t belong to someone else (such as a fingerprint). Typically, biometrics is used as an inherence factor for authentication. Different types of biometrics are commonly used as inherence factors because they’re highly unique and hard to fake.

Some examples of inherence factors used in 2FA security include:

  • Facial ID information,
  • Fingerprint scans,
  • Iris scans,
  • Palm scans,
  • Retina scans,
  • DNA scans, and
  • Voice patterns.

Biometrics can be used as a stand-alone SFA identifier or as an additional factor for 2FA or MFA. It’s commonly viewed as being one of the most secure authentication factors. You might be able to unlock your identical twin’s phone with your own facial scan, but you won’t be able to pass a fingerprint scan because everyone — including genetically identical twins — has unique fingerprints.

How Time & Location Can Play a Role in Two Factor Authentication

Many multi-factor and two factor authentication technologies use time and location as additional security measures on the backend. For example, you might be required to enter your second identifying factor in the authentication process within a stipulated amount of time (30 seconds, three minutes, etc.). If the user is unable to provide the second factor of authentication within that timeframe, they’ll have to repeat the process.

While this process might seem cumbersome to some users, it’s a necessary step for the security of your account or device.

Additionally, your devices are tracked by the GPS system or the location of the IP address. If the password is entered from a totally different location, then a notification is sent to the user for the confirmation of his location. If the user verifies that he is not trying to access his account from that location, then the system is locked for that attempted sign-in.

The third check is the device itself. If the sign-in is occurring via a new or unknown device, then the user may receive a notification on the device that’s registered with the account. If a legitimate user is trying to access his account from a new device, he can continue; otherwise, the sign-in fails. This way, the user’s account is secure from an attempted attacker.

The fourth check is the number of times any user is allowed to input the password or the OTP. If the user makes typing error once or twice, they may be able to input their details a third time but will likely be blocked from any additional attempts for a set period. Limiting the number of times a user can type in their details aims to protect the user’s account from brute force attacks.

The above technicalities are designed to enhance the security of the system. These authentication factors used in conjunction with these technical verification measures help secure your device and your system more effectively than traditional passwords alone. This is why many companies are rooting for 2FA or MFA. Even the security experts including Kaspersky and McAfee recommends the use of 2FA or MFA for adding extra layers of security to your system.  

Why 2FA Is a Necessary Consideration

FBI IC3 recorded $4.2 billion loss in 2020 compared to $3.5 billion in 2019 (a 20% increase) in the United States. The loss was due to 791,790 complaints in 2020 and 467,361 complaints in 2019. These figures signify the increasing importance of cyber security. We will be able to prevent cyber attacks only by beefing up our defenses against the bad guys. Our first line of defense is the security we use to limit access to our systems and accounts.

Traditional passwords on their own are insufficient for account protection. Even if your password that’s eight digits long and is a combination of numbers and upper and lower case letters, the password will take only about one hour to crack. The time reduces to just one minute if it is seven digits long. It is scary how vulnerable we are online.

Two factor authentication or other MFA methods help to secure your systems more holistically by requiring different identity factors for access. Let’s look at two of the most convincing reasons for the implementation of 2FA.

1. You Need to Prevent Unauthorized Access to Your Accounts

The FBI IC3 2020 Report shows 241,342 reports of phishing and 45,330 reports of personal data breaches in 2020. Both types of crimes involve unauthorized access to the victims’ accounts. Looking at the high numbers, it’s obvious why employing more robust security measures to reduce the number of successful account breaches is necessary.

How does two factor authentication work to prevent unauthorized access to your accounts? To recap, 2FA is a form of multi-factor authentication that adds extra layers of security to your account. Even if your password is compromised, an attacker won’t be able to access your account without having the required secondary identification factor, thereby preventing the attack.

CyberNews reports that cybercriminals leaked a massive collection of 8.4 billion passwords dubbed “RockYou2021.” The poster says that the passwords contained within the document range from six to 20 characters in length, contain no spaces, and use non-ASCII characters. This is not an isolated incident. Similar password leaks and breaches are becoming more commonplace. With this in mind, it’s advisable to enable 2FA on your accounts as a minimum to prevent losses.

2. You Want to Receive Notifications as an Account Holder About Failed Login Attempts

Once you turn on 2FA or MFA, you will receive a notification on your registered email regarding the following issues:

  • If you (or a hacker is) tries to log in to your account from a location that’s different than the current location of your registered device.
  • If you attempt to log in to your account for the first time on a new device or a hacker tries to access your account from another unknown device.
  • Too many failed verification attempts — this way, you’re aware and can take action by changing your account password.

When you receive the email notification, you can ignore it if you’re the one trying to access your account. However, if it’s not you who is trying to log in at that moment, you can do as directed in the email. (Note: Just be sure to double-check and verify the email itself is legitimate and isn’t a phishing attempt.) You’ll likely be asked to change your password to something that offers greater security.

Taking preemptive measures to protect your account is much better than facing the consequences of a breach. A breach can cost you dearly in terms of financial losses, lost business, and reputational damages. You can curb the chances of being a cybercrime victim by enabling 2FA or MFA in your security settings.

How Does Two Factor Authentication Work? Some Final Thoughts

To quickly recap: two factor authentication is carried out by combining the strength of two authentication factors (such as a password and a biometric scan). Some of these authentication factors rely on apps while others rely on insecure methods such as SMS text messages. The goal of combining these different factors is to create more secure identity verification and account security than single factor authentication methods.

The greatest hesitation to pursue a new path is often the fear of the unknown. Now you know all about how two factor authentication works, so it’s no longer something that’s unknown to you. We hope this article has helped you better understand how two factor authentication works and adds a layer of security to your password-protected account. This way, you can make an informed decision about what security methods to use to better secure and protect your accounts and devices.


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.