Two-Factor Authentication: How and Why It Works
Introduction
As more and more apps started promoting—or even requiring—two-factor authentication (2FA), I ended up installing Google Authenticator on my phone. But to be honest, for a long time all I really knew was: “open the app and type in the six-digit code.” I never actually understood why the code keeps changing or how the server verifies it. It wasn’t until recently, while testing some login-related logic, that I finally went back and filled in this gap in my understanding.
Authentication Factors in Cybersecurity
- What you know: Passwords, PIN codes
- What you have: Phone, physical keys, app-generated codes
- What you are: Fingerprints, face, iris
Two Factor Authentication (2FA)
Traditional single-password authentication has well-known weaknesses:
- Database breaches leading to password leaks
- Users reusing passwords, weak passwords, forgetting passwords
- Replay attacks
- Social engineering or phishing websites
To strengthen authentication, two-factor authentication requires two or more different authentication factors. The security gain comes from combining factors of different types rather than stacking several of the same type. For example:
- Password + SMS verification code
- Password + Google Authenticator verification code
- Password + fingerprint
One Time Passwords (OTP)
An OTP is a password that can be used only once and is typically bound to a time window or an event counter. Even if an attacker intercepts an OTP, it is of little use once it has been consumed or its short validity window has expired, provided the server rejects reuse of a code it has already accepted. OTP is a concept rather than a single technology; there are several implementations, each with its own trade-offs:
| OTP Type | Description | Advantages | Disadvantages | Common Use Cases |
|---|---|---|---|---|
| SMS OTP | Server generates a random code and sends it via SMS to the user’s phone | Easy to implement, user familiarity, no extra app required | SIM swap attacks, possible interception or delays, sending costs | Traditional website logins, low-risk banking operations |
| Email OTP | Sends a one-time authentication code to the user’s email | Low cost, easy implementation, does not rely on mobile | Email may be compromised, poor immediacy | Registration verification, password recovery processes |
| Hardware token OTP | A physical device generates OTPs that change at regular intervals | Does not rely on the internet, high security, hard to attack remotely | High cost, replacement needed if lost, inconvenient to carry | Internal enterprise systems, financial institutions |
| App OTP (TOTP) | An app (e.g., Google Authenticator) derives the OTP from the current time and a shared secret | No internet connection needed, standardized, high security, low cost | If the shared secret leaks the protection is void; vulnerable to real-time phishing that relays the code | Mainstream 2FA, cloud services |
| Event-based OTP (HOTP) | Generates a new OTP by incrementing a counter after each use | Not time-dependent, unaffected by clock drift | Can easily go out of sync, implementation is complex | Specific hardware tokens |
Weighing security, cost, and user experience, TOTP is currently the most balanced OTP solution. It is also the mainstream choice for modern 2FA, used by Google Authenticator, Microsoft Authenticator, and Authy.