Two-Factor Authentication

Systems and software commonly talk about two-factor authentication, also known as 2FA. It is essential to understand what 2FA actually is, both to implement it correctly and to ensure users accept it.


The first step in understanding 2FA is to define the word factor. A factor is a category of evidence a system uses to verify who you are. Software systems can combine several factors. We will focus on the three most common types.

The Factors

Knowledge Factor - The knowledge factor is something that you know. For example, a password or PIN is something that you know.

Possession Factor - A possession factor is something that you have. For example, you may have a hardware token or an authenticator app that generates a new code every 30 seconds.

Inherence Factor - The inherence factor is something that is inseparable from you. I like to explain it as something you are. For example, your fingerprint and iris pattern are unique to you and, under normal circumstances, do not change.

If we consider the factors above, we can combine two different ones to get two-factor authentication. For example, a website might require both a password and a code from a token to log in. This site is using a knowledge factor (the password) and a possession factor (the token) to implement 2FA. Two instances of the same factor, such as a password plus a security question, do not count: both are things you know, so they are one factor.
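As an added example, not code from the original article, here is the password-plus-token combination described above in Python: a minimal TOTP implementation following RFC 6238 (the 30-second code scheme mentioned under the possession factor) and a login check that requires both a correct password and a currently valid code. The user record, password and TOTP secret are constructed for the demo; the secret is the RFC 6238 test-vector key, so the generated codes can be checked against the RFC's published values.

```python
import base64
import hashlib
import hmac
import os
import struct

TIME_STEP = 30        # seconds per code, as in the token/app described above
DIGITS = 6
PBKDF2_ROUNDS = 200_000

# Constructed demo secret: the RFC 6238 test-vector key "12345678901234567890",
# base32-encoded the way authenticator apps usually receive it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps to tolerate
    clock drift; every candidate is compared in constant time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = at // TIME_STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def make_user(password: str, totp_secret_b32: str = DEMO_SECRET_B32) -> dict:
    """Constructed user record: salted PBKDF2 hash of the password plus the TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret_b32,
    }


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Knowledge factor (password) AND possession factor (TOTP code) must both check out.
    Both are evaluated unconditionally so the response does not reveal which one failed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    user = make_user("correct horse battery staple")  # constructed demo password
    now = int(time.time())
    current = totp(DEMO_SECRET_B32, now)
    print("current code:", current)
    print("both factors:", login(user, "correct horse battery staple", current, now))
    print("password only:", login(user, "correct horse battery staple", "000000", now))
```

A real deployment would additionally remember the last counter each user successfully used, so a code captured from the network cannot be replayed inside the drift window, and would rate-limit attempts, since a six-digit code has only a million possibilities.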


As another example, consider NEXUS or Global Entry. These trusted-traveller programs require scanning your passport or membership card and your fingerprints when entering the United States. That is a possession factor (the passport or card) plus an inherence factor (the fingerprints), so it is also 2FA.


The final question is, why do we need two factors? Requiring two factors raises overall protection because an attacker who defeats one factor still cannot log in. For example, a password plus a token protects you against leaked or reused passwords and against brute-force login attempts, since the stolen or guessed password alone is useless. It also stops the simple phishing attack that only captures your password. It does not stop a phishing site that relays your one-time code to the real site while it is still valid, so 2FA reduces risk rather than eliminating it, and the choice of second factor matters.