All About Two-Factor Authentication

Two-factor authentication strengthens authentication by adding an extra step. But more specifically, what is it?


The Principle

The idea behind two-factor authentication is to ensure that the user identifies themselves using two techniques that are very unlikely to be compromised at the same time.

The key phrase to remember is:

“Something you know, something you have.”

Note: This post was translated from French with the help of AI. The original post was written with the knowledge of a younger me.

In practice, this often involves a password (“something you know”) and a physical device (e.g., a message on a smartphone, “something you have”).

Two-factor authentication is just one method within a broader concept: multi-factor authentication.

Multi-Factor Authentication

When you watch a spy movie with a secret base, you sometimes see the hero or villain scan their iris, type a code on a keyboard, place their hand on a pad, and even spit into a sensor before opening the door. That’s multi-factor authentication.

You may encounter or implement an authentication chain, meaning several authentication steps are required, and if one fails, authentication stops.

In some real-world high-security scenarios, more than two steps are used. But most of the time, two steps are enough.

Methods (and Their Pitfalls)

SMS

The most common two-factor authentication method is SMS.

This is the weakest method because it is the easiest to attack: with enough resources, a hacker can compromise SS7.

SS7 is the signalling network layer that routes SMS messages. Designed in the 1970s, it is long outdated and has been exploited in real attacks (NextImpact article in French).

It’s also inconvenient in areas with no mobile network coverage.

PUSH

Another method used by some services is push authentication. This involves a notification sent to your smartphone asking for your approval. The message is pushed by the service to your device.

This requires an internet connection on your phone, which can be a weakness because hackers can attempt to intercept these notifications.

HOTP/TOTP

The second most common method is HOTP/TOTP (HMAC-based One-Time Password / Time-based One-Time Password).

  • HOTP (“One-time password based on HMAC”) generates a unique password using a cryptographic HMAC and a counter.
  • The user installs an app on their smartphone that generates a 6-character token on demand. This token is generated using:
    • A seed stored both in the web service account and the app.
    • A counter that increments in sync between the service and the app.

When the user enters the token, the web service compares it with its own calculation. If they match, authentication succeeds. The service knows it’s from the user’s smartphone because only that device holds the seed.

The seed is usually transferred from the service to the user via a QR code.

  • TOTP (“Time-based One-time Password”) extends HOTP by using the current time (typically 30-second intervals) instead of a counter. TOTP is much more widely used than HOTP.

We recommend using FreeOTP to generate tokens on smartphones or other devices.

These methods do not require internet or SMS connectivity, making them safer. Hackers can’t intercept messages because no messages are sent.
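To make the seed/counter/time description above concrete, here is an added example (not code from the original post or from FreeOTP) that implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, plus the two server-side checks the text implies: a look-ahead window so a counter that drifted ahead on the phone still resyncs, and a clock-skew window for TOTP. The secret is the published RFC test vector, the base32 string is the form a QR code carries, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Secret from the RFC 4226 / RFC 6238 test vectors (a constructed test value, not a real seed).
RFC_TEST_SECRET = b"12345678901234567890"


def seed_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed carried in an otpauth:// QR code into raw bytes."""
    cleaned = encoded.strip().upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)  # QR payloads usually omit the '=' padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)  # counter as 8-byte big-endian integer
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: Optional[float] = None, period: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP with the counter replaced by floor(time / period)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time // period), digits, algo)


def _same_code(a: str, b: str) -> bool:
    """Constant-time comparison; encoding to bytes tolerates non-ASCII user input."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_hotp(secret: bytes, candidate: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check.

    Only counters strictly after the last accepted one are valid, so a replayed code
    fails; the look-ahead window lets an app that was pressed a few extra times resync.
    Returns the counter the server should store on success, None on failure.
    """
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if _same_code(hotp(secret, counter, digits), candidate):
            return counter
    return None


def verify_totp(secret: bytes, candidate: str, unix_time: float, period: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side TOTP check tolerating +/- `skew` periods of clock drift."""
    step = int(unix_time // period)
    return any(_same_code(hotp(secret, step + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # base32 of the RFC secret
    print("HOTP counter 0:", hotp(seed, 0))          # 755224 per RFC 4226 Appendix D
    print("TOTP at t=59, 8 digits:", totp(seed, 59, digits=8))  # 94287082 per RFC 6238
    print("current TOTP:", totp(seed))
```

In production the server must also persist the accepted counter (HOTP) or the last accepted time step (TOTP) so the same code cannot be replayed inside the window, and it should rate-limit attempts: a 6-digit code has only a million values.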

Hardware Devices

The most secure method is to use a dedicated hardware device. During setup, the device is linked to your account on the web service. Thanks to cryptographic recognition (the device contains an asymmetric key), the service recognizes it as “something you have” for authentication.

The downside: you have to carry an extra device—and not lose it!

Some banks also provide hardware tokens tied to your bank card, often using TOTP internally.

Recovery Codes

While not strictly “something you have,” recovery codes are the best backup method if you lose your device or smartphone. It’s a list of single-use tokens you can use instead of your primary factor.

Store this list in a very secure location and only use it as a last resort.

Attacks

These solutions aren’t perfect and can be targeted by attackers.

Social Engineering

In SMS-based two-factor authentication, attackers can use social engineering; DeRay McKesson’s case is a well-known example.

Hackers impersonate the phone owner with the carrier, request a SIM card swap, and once their SIM is activated, they receive all of the victim’s SMS messages.

Proxy Attacks

Attackers can also interpose themselves as a proxy between the user and the service, either by:

  • Creating a fake mobile network nearby to intercept SMS (NextImpact article in French), or
  • Setting up a phishing site that mimics the real one to capture credentials and tokens. This is known as a homograph attack or typosquatting.

Mitigation: Use hardware authentication or always check the website domain name.

Example: If you intend to visit “douce-framboise.com”, make sure it’s not “douce-framb0ise.com”.

Forgotten Authentication Paths

Sometimes web service maintainers forget that the main login page isn’t the only access point.

Examples:

  • Password reset via an email link may bypass two-factor authentication.
  • Using external services via APIs (like Google or Facebook OAuth2 login) might also skip two-factor checks.

Always ensure two-factor authentication is enforced for all access paths to your users’ data.
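One way to avoid the forgotten paths listed above is to have every entry point (password form, reset link, OAuth callback) produce only a partially authenticated session, and to put the second-factor check in a single gate that every protected operation calls. The sketch below is an added example, not code from the original post; the class and function names are its own, and the "ok" booleans stand in for the real password, token or code verification.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    ANONYMOUS = 0
    FIRST_FACTOR = 1  # identity asserted by one path: password, reset link or OAuth
    FULL = 2          # second factor verified


class MfaRequired(Exception):
    """Raised by the single enforcement gate when a session has not completed 2FA."""


@dataclass
class Session:
    user: str
    level: AuthLevel = AuthLevel.ANONYMOUS


def require_full_auth(session: Session) -> None:
    """The one place that decides whether protected data may be touched.
    Every protected operation calls this, whatever path created the session."""
    if session.level < AuthLevel.FULL:
        raise MfaRequired(f"{session.user}: second factor not verified")


# --- Entry points. Each can raise a session no higher than FIRST_FACTOR. ---------

def login_with_password(session: Session, password_ok: bool) -> Session:
    if password_ok:
        session.level = max(session.level, AuthLevel.FIRST_FACTOR)
    return session


def login_with_reset_link(session: Session, reset_token_ok: bool) -> Session:
    """A valid e-mail reset link proves mailbox access, not possession of the 2FA device."""
    if reset_token_ok:
        session.level = max(session.level, AuthLevel.FIRST_FACTOR)
    return session


def login_with_oauth(session: Session, identity_ok: bool) -> Session:
    """An external identity provider asserts who the user is; our own 2FA still applies."""
    if identity_ok:
        session.level = max(session.level, AuthLevel.FIRST_FACTOR)
    return session


def verify_second_factor(session: Session, code_ok: bool) -> Session:
    if session.level < AuthLevel.FIRST_FACTOR:
        raise ValueError("first factor must be completed before the second")
    if code_ok:
        session.level = AuthLevel.FULL
    return session


# --- Protected operations. All go through the same gate. --------------------------

def change_password(session: Session, new_password: str) -> str:
    require_full_auth(session)
    return f"password changed for {session.user} ({len(new_password)} chars)"


def read_account_data(session: Session) -> dict:
    require_full_auth(session)
    return {"user": session.user, "plan": "demo"}


def path_is_gated(entry_point) -> bool:
    """True if a session created by `entry_point` is refused until 2FA is done
    and accepted afterwards."""
    session = entry_point(Session("alice"), True)
    try:
        read_account_data(session)
        return False  # bypass: data readable without the second factor
    except MfaRequired:
        pass
    verify_second_factor(session, True)
    return read_account_data(session)["user"] == "alice"


if __name__ == "__main__":
    for path in (login_with_password, login_with_reset_link, login_with_oauth):
        print(f"{path.__name__:24} 2FA enforced: {path_is_gated(path)}")
```

The point of the structure is that adding a new login path cannot silently bypass the second factor: a new entry point has no way to mint a FULL session, and a new protected operation either calls the gate or is obviously missing it in review.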