Two-Factor Authentication Requirements: The Basics
There’s no getting around it: the password as we know it is dead. The information we keep online is too important to only safeguard with a single string of characters. Our security methods must evolve.
We’ve seen that evolution begin over the last decade or so. Users and system administrators have gradually moved beyond passwords to implement complex, dynamic approaches to security like zero trust architectures. In the past, one only needed a password to gain access. Now, administrators and users can use a combination of tools and policies that allow seamless authentication while still safeguarding against the most common types of attacks.
One of the most important authentication tools today is two-factor authentication (2FA). It’s a cost-effective measure required by many organizations that protects against key threat vectors. Your organization may be considering setting up a 2FA policy, or maybe you're an employee looking to learn about your organization's 2FA requirement. Let’s dig into 2FA: what it is, why it’s essential, how it works, the two-factor authentication requirements, and how you can get started.
What is a 2FA policy and why is it essential to web security?
A two-factor authentication policy mandates a second verification step for application or service access to ensure login requests are really coming from the genuine user. 62% of organizations require MFA for their entire workforce. These policies are generally adopted by organizations that prioritize data security, ranging from tech companies to financial institutions, and healthcare providers to higher education institutions.
Enforcing a 2FA policy is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that’s no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.
2FA also does something that’s key to maintaining a strong security posture: it actively involves users as knowledgeable participants in their own digital safety. When a 2FA notification comes to a user, they must answer the question, “Did I initiate that, or is someone attempting to access my account?” While most other web security methods are passive, and don’t involve end users as collaborators, 2FA underlines the importance of security with each transaction.
How does 2FA work?
Different 2FA methods use varying processes, but they all rely on the same underlying workflow.
Typically, a 2FA transaction happens like this:
1. The user logs in to the website or service with their username and password.
2. The password is validated by an authentication server, and if correct, the user becomes eligible for the second factor.
3. The authentication server sends a unique code to the user’s second-factor device.
4. The user confirms their identity by approving the additional authentication from their second-factor device.
While the basic processes behind multi-factor authentication are generally the same across providers, there are many different ways to implement it, and not all methods are created equal. Let’s dive into the various types of 2FA.
What are the two-factor authentication requirements?
Two-factor authentication requirements include a combination of two distinct forms of evidence to verify a user's identity. Three common approaches to 2FA involve the user proving they know something (like a password or PIN), have something (such as a mobile device or time-based passcode), and are something (using biometric verification like a fingerprint or facial recognition).
Let's break down the different 2FA types admins often require users to verify their identity with:
Authenticator apps: Authenticator apps handle the second-factor approval process through standard push notifications. Authenticator apps such as Duo Mobile use internet connectivity to deliver login approval requests, which is more secure than using phone lines.
Passcodes: Passcodes are the most common form of 2FA, and usually consist of a short string of numbers, either sent to an email address or smartphone by SMS or generated on demand as a time-based one-time passcode (TOTP) by an authenticator app. Since SMS passcodes rely on phone lines—which can be compromised—they represent the least secure method.
Tokens: Tokens are typically small keychain fobs that generate codes for users to enter as their second factor. Tokens are generally affordable and more secure than cellular-delivered passcodes.
Phone callbacks: Phone callbacks are one of the less popular versions of 2FA, but they’re an effective—if time-consuming—way to implement a second factor. In a phone callback, a user logs in, then they receive an automated phone call that prompts them to approve or deny the access request.
Biometrics: Authenticator apps, built-in smartphone features, and hardware tokens can verify a user's identity with biometric data, such as fingerprints, facial recognition, or retina scans.
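To make the passcode workflow above concrete, here is an added example (not code from the original article or from Duo) of the TOTP scheme that authenticator apps use: the app side derives a six-digit code from a shared secret and the current 30-second time step per RFC 6238, and the server side validates it with a one-step drift window, constant-time comparison, and rejection of already-redeemed steps. The secret used is the RFC 6238 Appendix B test key, a constructed value, not a real credential.

```python
import hmac
import hashlib
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Authenticator-app side: HMAC-SHA1 over the big-endian time-step counter,
    dynamically truncated to `digits` decimal digits (RFC 4226 / RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side: accept the code for the current step or an adjacent one (clock drift),
    compare in constant time, and never redeem the same time step twice (replay)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1             # highest step counter already redeemed

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                         # this step (or an older one) was already used
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (RFC 6238 Appendix B test key), not a real credential.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)                     # what the authenticator app would display
    verifier = TotpVerifier(secret)
    print("code:", code, "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```

Running the script shows the first submission accepted and the immediate resubmission of the same code refused, which is the replay property a server-side verifier needs.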
Does two-factor authentication require security questions?
Most 2FA solutions do not require security questions for identity verification at each login attempt. However, many applications and services require multiple security questions to reset a password. Check the specific two-factor authentication requirements for the applications you want to secure to find out if security questions are supported.
What are the two-factor authentication system requirements for Apple and Android?
System requirements for two-factor authentication apps include access to an Apple ID or Google account, a trusted device or phone number, and an internet connection. The most recent software upgrades are often required to ensure your device is protected by the latest security patches. Biometric scanners, such as fingerprint readers or facial recognition software, may also be required by your administrators.
It is important to note that specific system requirements, including device compatibility, vary by provider.
How to get started with 2FA?
Because 2FA is a cloud-based service, it’s relatively easy to implement and can be rolled out gradually to your organization. The basic process for getting started goes like this:
Choose your 2FA solution: Determine which 2FA service you’ll be using. Take advantage of our Two-Factor Evaluation Guide to get a handle on all of the features you can (and should) get from a web security product that includes 2FA. A strong security platform will both make it easy to set up multi-factor access with your most important apps and provide other avenues of defense, like customizable access policies. We’ve designed Duo Beyond to meet these needs, which you can learn more about here.
Select your integrations: Make sure your 2FA solution will integrate with each of your critical systems, services, and applications. An integration is a means of getting the application or service to work with 2FA. For example, Duo Beyond includes integrations for everything from larger systems like Salesforce CRM to smaller applications like Slack.
Test your 2FA solution: Establish a proof of concept with a small group of users in a low-stakes environment. Before you roll out 2FA to your entire organization, test it out first and address any issues you identify. Get a small group of users who will be communicative about the process and work with them ahead of time to understand how it will work for them.
Evolve with 2FA
In the post-password world, strong web security relies on a dynamic approach built from a variety of tools and policies. It’s important to never rely on any single method for comprehensive protection. That means two things: (1) if you’re currently relying on passwords alone, it’s time to evolve, and using 2FA is a solid first step; and (2) 2FA is an essential security tool, but it becomes even more effective when it’s used as part of a coordinated strategy of security applications and policies.
Get started on your zero trust journey today with Duo's 2FA Evaluation Guide and discover what to look for in a 2FA solution that best benefits your business!