red-sift-two-factor-authentication-2fa

Two Factor What? Everything you need to know about Two Factor Authentication (2FA)

What’s the first thing you think about when someone mentions keeping your online accounts safe? We bet it’s having a long, complicated password. And this is because for many years, having a strong password was the main way to secure an account.

But passwords are vulnerable. And every time a B2C company is hacked, there’s a high chance that your login details have been compromised and will soon be available for criminals to purchase on the dark web. That’s where security measures like Two Factor Authentication come in.

What is Two Factor Authentication?

Two Factor Authentication (also known as 2FA or 2-step verification) is the practice of setting up an added layer of security to your logins. It allows an application to link your user to an authentication mechanism (i.e. Google authenticator app or your mobile phone). When you enter your password to login, it generates a number that expires quickly and is recognized by the application to confirm that your login is valid.

Most applications that deal with sensitive data provide support for 2FA, some of these applications being email, cloud storage, banking, business applications etc.

Why is Two Factor Authentication important, and why aren’t passwords enough?

There is a constant security threat to any organization that provides services over the internet – which is a lot of businesses. Cyberattacks are becoming increasingly sophisticated, and a successful one makes it possible for third parties to steal long lists of usernames and passwords. With this information, third parties can gain access to these accounts and can attempt an account takeover.

This risk is further exacerbated by the fact that many people use the same password in many applications. This means that when attackers get access to someone’s username and password combination, they can access several of that person’s applications.

So, an easy way to prevent this type of unauthorised access is to activate Two Factor Authentication, particularly in applications that contain sensitive data. Preventing access to your account can help protect your personal information and prevent further leaks or loss of data. When you have 2FA active and a third party tries to gain access to your account using your username and password, they will be asked for the 2FA number which they will not have, preventing access to your account.

What are the different types of Two Factor Authentication?

While they all work under more or less the same premise, there are a number of different types of two factor authentication available:

Authenticator App 2FA: this is where the user downloads a free authenticator app to their mobile device. When the user attempts to log in, they’ll need to open the app and use the unique one time passcode (OTP) provided.

SMS text or voice-based 2FA: this is where the user is sent a unique code via text message to a mobile device. Alternatively they’ll receive a call to their phone number with their code. The user then needs to enter this code to complete their login.

Push-based notification 2FA: this is when a notification is sent to the relevant app already installed on the user’s phone (for example the Gmail app). Then the user just needs to approve.

Hardware token/key 2FA: this is one of the earlier forms of 2FA, and is when the user is issued with a device which they use to receive a numeric code for login.

Biometric approval: this is a relatively new addition to the 2FA world, where the user provides a piece of biometric data (i.e. fingerprint or facial recognition image) and this is used to compare and confirm their identity at login.

Remember to protect your recovery codes

Recovery codes are one-use codes issued when you’re setting up 2FA. Remember to keep a record of them, as they’ll enable you to access your account if your authentication device (i.e. mobile phone) is lost or stolen.

Why doesn’t everyone use Two Factor Authentication?

Two Factor Authentication may sound like a no-brainer, but worryingly, ‘How to turn off two factor authentication’ is quite a popular Google search term.

Simply put, people like convenience. People are accustomed to using just their password when logging in to an account, which in many cases is stored in their computer or browser. So, having to open an app or pull a key to log in to their account is more time consuming.

But while 2FA may add another step to your login process, in a world with an ever-increasing risk of account takeovers, the security it provides is invaluable. More and more applications offer it, and a large number of companies are now making it mandatory for their employees. This is particularly significant during these post-COVID times, when working from home and logging in remotely is now the norm in most businesses.

What’s the difference between Two Factor Authentication and Multi Factor Authentication?

Two Factor Authentication and multi factor authentication aren’t that different. Whereas 2FA uses just one other device to authenticate a user’s login, multi factor may use a number of devices or factors to authenticate. Some companies with a lot of sensitive, financial, or personal information at risk may choose multi factor authentication as an added measure.

How to see if you’ve been part of a data breach

It doesn’t matter if your password is complex or long, or if you have different passwords for different accounts. The truth is if your password has been part of a data breach then your account is at risk.

haveibeenpwned.com is a useful tool that helps you check if your email and password have ever been part of a data breach. Google also offers a similar functionality that allows you to check if any of your passwords stored in the Chrome password manager are part of an exposed data breach.

Does Red Sift offer Two Factor Authentication on its products?

Of course! If you want to activate 2FA in your OnDMARC application you can go to My Account (top right), scroll down to Security and click on Enable two-factor authentication. You can also consult our step-by-step article.

Not an OnDMARC customer but want to try it out? Why not sign up below for your free trial.

PUBLISHED BY

Gino Coquis

16 Aug. 2021

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
BIMI

VMC and CMC updates: 5 key takeaways

Jack Lilley

Verified Mark Certificates (VMCs) and Common Mark Certificates (CMCs) continue to evolve, and staying up to date is crucial for organizations looking to authenticate their logos and enhance brand trust in email communication, this includes adhering to version 1.7 of the Minimum Security Requirements.  In this blog, we break down the 5 key changes…

Read more
Certificates

Let’s Encrypt & Red Sift webinar recap: A new era for certificate…

Francesca Rünger-Field

Every day, businesses rely on TLS certificates to keep their digital operations secure. But when those certificates expire unexpectedly, the consequences can be severe—websites go down, critical services break, and customer trust is lost. Even as automation has made certificate issuance and renewal easier, it hasn’t eliminated the problem. Organizations still find themselves blindsided…

Read more
Cybersecurity

Moving cybersecurity upstream to achieve resilience

Sean Costigan

The traditional approach to cybersecurity—often tacked on as an afterthought—needs a serious overhaul. This was the consensus in the recent MN-ISSA sponsored fireside chat titled “Moving Cybersecurity Upstream to Achieve Resilience,” where industry experts gathered to explore the integration of security measures right from the early stages of software development and strategic planning. Held…

Read more
Certificates

Six-day certificates: Here’s what you need to know

Francesca Rünger-Field

In January 2025, Let’s Encrypt announced a major step forward in enhancing web security: the introduction of six-day certificates, also known as “short-lived” certificates. This initiative aligns with Let’s Encrypt’s commitment to strengthening the Public Key Infrastructure (PKI) ecosystem and is set to roll out for general availability by the end of 2025. Why…

Read more