The use of two independent mechanisms to verify the identity of a user. Authentication factors are categorized as follows:
1. What you know (password, PIN, personal data).
2. What you have (private cryptographic key, authentication token).
3. What you are (biometric scan).
4. What you do (speak a phrase, hand write a signature).
Any two of these four factors are used in two-factor authentication; for example, using a password with an authentication token (1 and 2) or using a password with a fingerprint scan (1 and 3). A password and security question such as "what is your grandmother's name" may be two factors, but they both fall into the "what you know" category, and both items could be acquired illegally from the same website. One factor from two of the four categories is more secure.
Cellphone Second-Factor Codes
Another common two-factor method is that after users log in with a password, a code is texted to their cellphone ("what you have"). Copying that security code from the phone into the login process provides the second factor. See FIDO
, smart card
and one-time password