The use of two independent mechanisms to verify the identity of a user. There are four authentication factors as follows:
1. What you know (password, PIN, personal data).
2. What you have (private cryptographic key, authentication token).
3. What you are (biometric scan).
4. What you do (speak a phrase, hand write a signature).
Any two of the four are used in two-factor authentication (2FA); for example, using a password with a token (1 and 2) or a password and fingerprint scan (1 and 3). A password and security question such as "what is your grandmother's maiden name" may be two factors, but they both fall into the "what you know" category, and both could be acquired illegally from the same website. One factor from two different categories is more secure.
Cellphone Second-Factor Codes
Another common two-factor method is that after users log in with a password, a code is texted to their cellphone ("what you have"). Copying that security code from the phone into the login process provides the second factor. See FIDO
, smart card
and one-time password
Cellphone two-factor authentication is increasingly used for financial transactions. The transmitted verification code is only valid for a short period of time before it expires.
A Backup for 2FA
In this situation, users are given a temporary authentication code in case the phone were ever lost.