How Two-Factor Authentication Works
Two-factor authentication, often called 2FA, protects an account by requiring two different kinds of proof before login is allowed. A password is only one factor, so a stolen password by itself should not be enough to open the account. This matters because phishing, data breaches, and weak passwords can expose login information. 2FA makes the attacker also pass a second check, such as a code from a phone or a physical security key.
Key Facts
- 2FA requires two different factors: something you know, something you have, or something you are.
- Authentication decision: access is allowed only if factor 1 is valid AND factor 2 is valid; failing either check denies login.
- A time-based one-time password usually changes every 30 seconds.
- Security keys often use public key cryptography, where the server stores a public key and the device keeps a private key.
- If a password has probability P1 of being guessed and a code has probability P2 of being guessed, and the two guesses are independent, the combined guessing probability is approximately P = P1 × P2.
- Backup codes should be stored offline because they can bypass the normal second-factor device.
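As an added example (not code from the original page), the time-based code from the key facts above implemented in Python following RFC 6238: the counter is Unix time divided by the 30-second step, an HMAC over that counter is truncated to a 6-digit code, and the server accepts the submitted code only for the current window plus one step either side to tolerate clock drift. The secret is the ASCII test key from the RFC test vectors; the password check is a stand-in assumed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # window length from the key facts above
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble selects 4 bytes
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(unix_time) // step)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, drift: int = 1) -> bool:
    """Accept the code for the current window and `drift` windows on each side.
    compare_digest keeps the comparison constant-time; a real server should also
    reject a code that was already used in the same window."""
    current = int(unix_time) // step
    for counter in range(current - drift, current + drift + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False

def login_allowed(password_ok: bool, secret: bytes, code: str, unix_time: int) -> bool:
    """Authentication decision from the key facts: both factors must pass."""
    return password_ok and verify_totp(secret, code, unix_time)

# Constructed demo using the RFC 4226 / RFC 6238 test secret.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    t = 59                                   # RFC 6238 test time (counter 1)
    code = totp(TEST_SECRET, t)
    print("code at t=59:", code)             # 287082
    print("same code 30 s later:", verify_totp(TEST_SECRET, code, t + 30))
    print("same code 60 s later:", verify_totp(TEST_SECRET, code, t + 60))
    print("stolen password, no code:", login_allowed(True, TEST_SECRET, "000000", t))
```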
Vocabulary
- Authentication: the process of proving that a user or device is who it claims to be.
- Factor: a type of evidence used to verify identity, such as a password, phone, fingerprint, or security key.
- One-time password: a short code that is valid for only one login attempt or a short time period.
- Phishing: a trick that tries to make users reveal private login information on a fake or misleading page.
- Public key cryptography: uses a public key for verification and a private key that stays secret on the user's device.
Common Mistakes to Avoid
- Treating 2FA as just a second password is wrong because the second factor should come from a different category, such as a device or biometric check.
- Entering a 2FA code on any page that asks for it is unsafe because phishing sites can capture codes and use them quickly.
- Storing backup codes in the same email account they protect is risky because an attacker who gets into the email may also find the recovery codes.
- Assuming SMS codes are the strongest option is incorrect because phone numbers can be stolen through SIM swapping or intercepted in some attacks.
Practice Questions
1. A login password has a 1 in 100,000 chance of being guessed, and a 6-digit code has a 1 in 1,000,000 chance of being guessed. Assuming independent guesses, what is the chance an attacker guesses both?
2. A time-based one-time password changes every 30 seconds. How many different code windows occur in 10 minutes?
3. Explain why a hardware security key can protect against many phishing attacks better than a typed verification code.