Multi-factor authentication is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is). It protects the user from an unknown person trying to access their data such as personal ID details or financial assets.
Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. A third-party authenticator (TPA) app enables two-factor authentication, usually by displaying a randomly generated, constantly refreshing code that the user enters as the second factor.
Two-step verification or two-step authentication is a method of confirming a user's claimed identity by using something they know (password) and a second factor other than something they have or something they are.
- No additional hardware token is necessary, because the method uses a mobile device that is (usually) carried at all times.
- As they are constantly changed, dynamically generated passcodes are safer to use than fixed (static) log-in information.
- Depending on the solution, passcodes that have been used are automatically replaced in order to ensure that a valid code is always available; transmission or reception problems therefore do not prevent logins.
- Users may still be susceptible to phishing attacks. An attacker can send a text message that links to a spoofed website that looks identical to the actual website. The attacker can then get the authentication code, user name and password.
- A mobile phone is not always available: it can be lost, stolen, have a dead battery, or otherwise not work.
- Mobile phone reception is not always available—large areas, particularly outside of towns, lack coverage.
- SIM cloning gives hackers access to mobile phone connections. Social-engineering attacks against mobile-operator companies have resulted in the handing over of duplicate SIM cards to criminals.
- Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers. Thus third parties can steal and use the token.
- Account recovery typically bypasses mobile-phone two-factor authentication.
- Modern smartphones are used both for receiving email and SMS. If the phone is lost or stolen and is not protected by a password or biometric, every account for which that email address is the key can be hacked, because the phone itself receives the second factor.
- Mobile carriers may charge the user for messaging fees.
Advances in research on two-factor authentication for mobile devices consider different methods in which a second factor can be implemented without hindering the user. With the continued use and improvements in the accuracy of mobile hardware such as GPS, microphone, and gyroscope/accelerometer, the ability to use them as a second factor of authentication is becoming more trustworthy. For example, by recording the ambient noise of the user's location from a mobile device and comparing it with a recording of the ambient noise from the computer in the same room in which the user is trying to authenticate, one is able to have an effective second factor of authentication. This also reduces the amount of time and effort needed to complete the process.