IBM reports that one-in-five (20%) malicious data breaches in 2020 stemmed from stolen or lost credentials. The total cost associated with compromised credentials? A whopping $4.37 million. This number illustrates how vulnerable passwords are and why we need two factor authentication for our accounts.

What is two factor authentication? Two factor authentication, or 2FA, is regarded as a safer authentication method than using passwords alone. As such, companies are increasingly encouraging users to enable 2FA. But is this move just a fad or a step toward better security?

  • Instagram: likely to launch 2FA in collaboration with WhatsApp.
  • Call Of Duty offers double battle pass XP for the players who enable two factor authentication for their Activision account.
  • Fitbit rolls out 2FA in Android and iOS versions to increase the security of its users.
  • Fortnite has also rolled out brownie points in the form of emote if you turn on 2FA on the popular game.

Companies fear that intruders will steal and leak the usernames and passwords, so they turn to two-factor authentication as a way to increase their security. They provide incentives to the customers to encourage them to turn on 2FA. Some companies provide two factor authentication, while some provide two-step verification (like Google). Although many people use both terms interchangeably, they’re different processes.

But what is two factor authentication and how does it work? We’ll start with a two factor authentication definition before moving on to look at how it works, how it benefits your security, and why companies should encourage their employees and other users to enable it.

What Is Two Factor Authentication? A 2FA Definition

Two factor authentication, also known as 2FA or dual-factor authentication, is a layered approach to security that requires verifying two separate authentication factors to confirm (i.e., authenticate) an individual’s identity.

But what is a “factor?” Typically, security authentication factors that are verified before giving access to anyone are divided into three common categories:

  1. Something you know (aka knowledge factors) — examples include pieces of information you know like passwords, passphrases, or one-time PINs (OTPs),
  2. Something you have (aka possession factors) — examples include physical items like RSA tokens or smartcards, or
  3. Something you are (aka inherent factors) — examples include identifying biometrics such as voice or facial recognition scans, fingerprints, or iris scans.

Does this two factor authentication description sound a bit similar to multi factor authentication? It should — and for a good reason. Two factor authentication is a type of multi factor authentication.

Two factor authentication provides a higher level of security than a password-protected account alone. 2FA verifies not only that the person trying to access the account knows the password, but also that they are the legitimate owner of that password. Thus, 2FA is a method to keep out the bad guys even if they steal your password.

How Does Two Factor Authentication Work?

Two factor authentication adds another layer of security to the authentication process to prove users are who they claim to be. It requires users to hand over another identifying piece of data before they receive access to a secure account or resource. If they can’t produce that information, they’re out of luck and are denied access.

So, how does all of this work? As a first factor, a user must enter the username and password. The second factor is a secondary piece of information that falls within the three categories we mentioned earlier (something you know, have or are). Users can only access the account after both forms of identification authenticate the individual.

The following figure is a visual representation of how two factor authentication works:

A basic diagram that illustrates how two factor authentication works.

Remember how we mentioned earlier that 2FA is a type of multi-factor authentication? Sometimes, multi-factor authentication involves verification of more than two factors to grant access to a user. Companies opt for multi-factor authentication when they want to provide increased security.

Did you know that behaviors can also be considered as a way of identifying people? MFA technologies use behavioral assessments as part of their identity verification. In essence, behavioral biometric authentication verifies the identity of the person based on the behavior they display while they operate their devices. Examples of these measurements include seemingly minute factors such as:

  • Pressure placed on the mouse or keyboard,
  • Typing speed, or
  • Mouse pad usage techniques.

Companies can monitor these traits and flag a person whose behavior doesn’t match the recorded profile in order to secure the account. However, this level of security is seldom needed by a small business. So, let’s focus on two factor authentication for the moment.

Why Two Factor Authentication Is Important

Data source: The 2020 State of Password and Authentication Security Behaviors Report by the Ponemon Institute and Yubico.

Although cyber threats transcend geographical boundaries, Malwarebytes reports that North America had the highest share of malware (34%) in 2020. In 2019, Google released a study of the passwords used by Americans that is hilarious in some ways (and troubling in many others). The study reported the following:

  • 57% of Americans shared their passwords with their significant others. But, guess what, only 11% of them changed their passwords after a breakup! (Oh, boy. All the best to you if your ex plans to take revenge!)
  • 40% of Americans say their personal information has been compromised online. 47% have also lost money. Still, 55% of these victims have not changed their passwords following a data breach. (Maybe they’re gluttons for punishment…)
  • 24% of Americans use common passwords. Nearly one-in-four Americans use weak passwords like abc123, password, 123456, or Iloveyou! (No wonder USwitch reports the United States ranks numero uno on the list of countries affected by data theft.)
  • Hawaiians love to share! More than half the population of Hawaii had an active password for somebody else’s account. (Please share a piña colada, not your password!)
  • People love to use loved ones’ names. Personal names may feel secure, but they’re not:
      • 33% of respondents use their pets’ names as passwords,
      • 22% use their own names, and 15% use their partners’ names, and
      • 14% use their children’s names as passwords. (It looks like pets are twice as lovable as partners.)

All joking aside, these figures are really concerning. Unfortunately, not everyone takes cyber security as seriously as they should. But what if you were to apply the same mindset to, say, car buying?

Employees Are In the Driver’s Seat When It Comes to Password Security

When you buy a car, you look at all the safety features, including airbags, types of brakes, panic braking signals, and collision prevention. But the one thing people frequently neglect is the one thing that protects us best in many accident situations — a seat belt. Data from the Insurance Institute for Highway Safety (IIHS) shows that 42% of the people who died in car accidents didn’t have their seat belts on.

Practicing strong password security is much like wearing a seat belt and following driver safety best practices:

  • Choosing to protect your password’s security is your responsibility.
  • Using a secure password doesn’t cost you anything.
  • Creating a strong password and following password security best practices is your first defense in case of a mishap.
  • Following them, though often required by company security policies, is something employees often choose to ignore or neglect to do.

A strong password can be the difference between a secure and an insecure account. IBM reports that data breaches involving compromised credentials took the longest to remediate — their data shows it took businesses 341 days to identify and contain a breach when the initial vector was compromised credentials.

Cybercriminals have found ways to hack into your systems and steal your passwords. They also leak your passwords on the darknet to any interested party. Two factor authentication gives you a failsafe in the event that your password is leaked or stolen. A criminal won’t be able to get into your account with just your password; they will need the second factor to gain access. Therefore, when you use two factor authentication, your account is much more secure.

The Differences Between Two Factor Authentication (2FA) & Two-Step Verification (2SV)

Some companies offer two factor authentication, while some offer two-step verification. Although some companies use the terms interchangeably, there’s a fundamental difference between the two methods.

2FA, as we saw earlier, uses two different factors for the purpose of verification. For example, one factor is the password (something you know), while the other is one of the other two types of identifiers — a possession factor (something you have) or an inherent factor (something you are).

Contrary to 2FA, two-step verification does not use possession or inherent characteristics as identifiers. Rather, it relies on two knowledge factors that you enter in quick succession.

So, how does this method verify the user? The verification is done based on a one-time password (OTP) you receive via email, via SMS text message on your mobile device, or via an authenticator app. For instance, if you want to log in to your Google account (Google prefers 2SV), you must enter a password as a first step. In the second step, Google sends an OTP via authenticator, which verifies the presence of a registered device.

Some companies send SMS text messages containing the OTPs. However, using SMS text messages for this authentication factor isn’t considered as secure as using authenticator apps.

The following figure is a visualization of two-step verification:

A visual representation of two-step verification.

To learn more about what two step verification is and how it works, be sure to check out our other blog on the topic.

So, what are the benefits of two factor authentication that make it a much better alternative to passwords?

5 Benefits of Using 2FA For Small Businesses

There are numerous advantages of using two factor authentication instead of just passwords or even passphrases alone. Let’s evaluate them to gain a better understanding of the concept:

1. Two factor Authentication Provides Enhanced Security

Data from the Ponemon Institute and Yubico showing that people often use sticky notes to manage their passwords. (Data source: Ponemon Institute and Yubico Report.)

Some of the disastrous password habits observed in people include using weak passwords and sharing them with others. According to a Ponemon Institute and Yubico survey, 42% of employees have a habit of jotting down their passwords on post-it notes and sticking them on their workstations for easy access. This gives easy access to criminals as well.

A small business can limit access to its data by implementing two factor authentication to grant access. Even when employees are working remotely, they can use two factor authentication to verify their identity. Most likely, a criminal will not have access to both the password and the second factor.

2. Two Factor Authentication Helps You Mitigate Risks, Save Money

The losses businesses experience relating to data breaches can be significant, and certain factors can increase those data breach risks. For example, data from IBM’s Cost of a Data Breach Report 2021 shows that companies with at least 60% of employees working remotely had higher average data breach costs than those with few remote workers.

But it’s not all bad news. For example, you can protect your enterprise by implementing tight security protocols, including 2FA, that mitigate many risks that lead to data breaches. If people have to take an extra step while logging in remotely to prove their identities, then you’ll help to weed out some of those fraudulent login attempts by cybercriminals.

3. Two Factor Authentication Helps Protect Your Reputation

Data from a study by Centrify and the Ponemon Institute shows that 62% of consumers report that they’ve been notified that their PII was either lost or stolen via data breaches. We know that a data breach costs an arm and a leg to an enterprise, but what happens after the breach? Does everything return to normal for affected customers? Are companies unscathed by the breaches in terms of their brand names and reputations?

Data source: Centrify and the Ponemon Institute’s report “The Impact of Data Breaches on Reputation & Share Value.”

Needless to say, it’s not uncommon for reputable brands to sustain reputational damage after a data breach. For example, Varonis cites BrandIndex data, which shows that Target’s brand index rating dropped from 20.7 in 2013 (the year they sustained a major breach) to 9.4 in 2014. A slow recovery brought Target’s brand index rating back up to 17.3 in 2018.

A breach can make a serious dent in the reputation and goodwill of the business. Therefore, you can encourage your customers to use two factor authentication for their own safety and to prevent the bad guys from accessing their accounts. This practice will also help build the trust of your customers as they will realize you are proactively trying to protect their data.

4. Two factor Authentication Is Easy to Implement

The Ponemon Institute and Yubico survey data shows that 56% of the individuals want to adopt easy-to-use new technologies that significantly improve account security. 2FA is one of the easiest ways to improve account security as it doesn’t require any specialized knowledge or training to use. Companies can guide their employees on the benefits of 2FA and how to use it in their regular cyber security sessions.

The same study also found that 46% of the IT professionals had to use 2FA to gain access to corporate accounts. Of the 51% of individuals who use personal devices to access work-related systems and data, more than half (56%) didn’t use 2FA to access work-related data while using their personal devices.

These statistics prove that both IT professionals and users know the importance of 2FA for security, but they still don’t use it. The following chart represents the things users consider important for accessing information online:

A figure showing what customers think is important while accessing the online information (Source: Ponemon and Yubico Report)

The above graph illustrates that the customers’ top priorities are affordability and security, followed by ease of use. Two factor authentication fulfills all these criteria.

5. Two Factor Authentication Reduces Help Desk Password Reset-Related Workloads

Two factor authentication allows users to select the form of identification they are comfortable with (as seen above). Because they get a personalized choice of identification method, users find their authenticators easier to manage. It also becomes simpler for employees to work from home or any other place with fewer security issues, and the productivity of the enterprise increases as a result.

Password resetting (for customers and employees) takes time and effort. Continuous password resets can result in what’s known as “password panic” (yes, that’s an accepted term!). Data from OnePoll (on behalf of LastPass) shows:

  • 64% of the customers avoid using websites where they’ve forgotten their account passwords.
  • More than half of respondents indicate that they average at least five password resets a month.

Imagine the reduced productivity companies experience if their users are losing 10 minutes for each reset. A business can retain customers and reduce the workloads of the Help Desk employees who handle password resets by employing 2FA.

Final Thoughts On Two Factor Authentication

Two factor authentication, or 2FA, adds a layer of security to the process of accessing an app or a website. This security layer confirms that the person using the password is the legitimate person who is authorized to access the account.

If a cybercriminal has your password, they won’t be able to access your account using it in isolation. They will also need your second identifier (a possession factor such as a security token or an inherence factor such as a fingerprint) to gain access. It is improbable that they can steal both in a single heist. So, more and more companies are encouraging their staff and customers to use 2FA or another form of MFA. It is the right time to jump on the 2FA bandwagon to gain customer support and enhance security for your business.


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.