What is Two-factor Authentication (2FA)? by ECPI University

What is Two-factor Authentication (2FA)?

The ancient Egyptians invented door locks some 6,000 years ago, using a wooden pin tumbler system. This lock inspired Linus Yale to make a far sturdier one in metal in 1865. The Egyptian lock—all two ponderous feet of it—could be called a one-factor authentication system: either you had the right wooden key or you didn’t. Two-factor authentication dates from 1985, when Kenneth Weiss came up with and patented “an apparatus for the electronic generation and comparison of non-predictable codes.” 

The Cyber Dilemma

No human can keep up with the pace of today’s internet activity and e-commerce. The delightfully archaic signature pad for credit card transactions has its origins in a time when actual people actually looked up a small percentage of merchant card receipt signatures to verify their authenticity. National Public Radio provides a thorough and absorbing history of this rudimentary two-factor authentication. You own the card and you are your unique signature.

Two-Factor or the Same Factor Twice?

Two-step authentication is not the same as two-factor authentication (2FA). Say you log onto a site and the site says it will send you a unique passcode to your Smartphone. That is actually a two-step authentication (the text message is not secure, meaning it has the same level of [in]security the password has).

To get two-factor authentication, you need two of three different parameters: 

  1. What you know: A Personal Identification Number (PIN), or user-generated password
  2. What you have: A mobile phone, or a credit card or special passkey with a radio frequency identifier (RFID) chip in it
  3. What you are: A fingerprint, signature, retinal scan, voice recording, or similar biometric

Using any two of these should guarantee what’s called “Out-of-Band Authentication,” in which authentication arrives via two separate channels. The “what you are” category should be part of a two-factor system with either of the other two, say the experts at Infoworld. Gmail, for example, allows you to insert a USB security key—a FIDO Universal 2nd Factor (U2F)—into your computer. This means the password is over an internet system (vulnerable) but the USB key is physically with you—an out-of-band device. 

Methods of providing 2FA include: 

  • E-mail
  • Hardware token
  • Push notification
  • Software token
  • Telephone call
  • Texts (SMS)

In organizations like the National Security Agency (NSA) and financial institutions, the spy-movie sort of 2FA is becoming routine: 

  • Iris scan
  • Voiceprint—No, you are not asked only for your name in real voiceprint 2FA; the system will originally record you saying a series of words, and then request a random selection of these, foiling attempts to use your recorded voice to get in

You may already have a computer, Smartphone or other device that offers fingerprint or face ID security. In the future you may be able to stop memorizing ever-shifting passwords and instead rely on who you are: your fingerprint, your face, voice print, iris scan, or even DNA. 

Nothing is Invulnerable

Ask RSA, the security authentication company that was hacked in 2011, if they can prevent every cyber security leak. They can’t, and they are the issuers of SecurID authentication tokens! The little plastic tokens flash a new number every 60 seconds. The flashing number is calculated from two things, a 'secret seed' unique to that device and the time of day. So your one-time password comes from that time-sensitive algorithm.

And yet this brilliantly conceived device may have been undermined. RSA offered to replace tokens if users felt threatened by the breach, but nobody really knew with certainty what information was burgled. 


From backing up files and syncing your devices to paying your cable and utility bills, companies are becoming progressively more aggressive in suppressive techniques against ingressive hackers. 

By using 2FA, you prevent cyber thieves from remote attacks: 

  • Phishing
  • Credential Exploitation
  • Account Recovery impersonation

Password managers can corral all those site passwords under one master list and are, of course, 2FA compliant. Unsurprisingly, many successful hacks garner valuable information from social media sites such as Facebook, Snapchat, Twitter, and the like. So many of these sites at least provide the option for 2FA. 

Cyber Security

Truly immerse yourself in the world of 2FA and cyber security by pursuing a Master of Science degree in Computer and Information Science. ECPI University provides two different concentrations: Cyber Operations or Cyber Security Policy. Through the innovative program, you can attend for 16 months and emerge with a strong foundation built around the NSA’s and Department of Homeland Security’s program requirements for designation as a Center of Academic Excellence in Information Assurance/Cyber Defense. Contact ECPI today to learn how you can unlock the key to your future through cyber security. It could be the Best Decision You Ever Make!

Learn more about ECPI's College of Technology TODAY!

DISCLAIMER – ECPI University makes no claim, warranty, or guarantee as to actual employability or earning potential to current, past or future students or graduates of any educational program we offer. The ECPI University website is published for informational purposes only. Every effort is made to ensure the accuracy of information contained on the ECPI.edu domain; however, no warranty of accuracy is made. No contractual rights, either expressed or implied, are created by its content.

For more information about ECPI University or any of our programs click here: http://www.ecpi.edu/ or http://ow.ly/Ca1ya.