Two-factor authentication (2FA) is a security measure that requires users to present two different types of evidence to prove their identity. These factors fall into three categories: something you know (a password or PIN), something you have (a phone, hardware key, or smart card), and something you are (a fingerprint or facial recognition). By requiring two factors from different categories, 2FA ensures that compromising a single factor alone is not enough to gain unauthorized access.
How It Works
The most common 2FA implementation combines a password with a one-time code. After entering a correct password, the user is prompted for a second factor. This might be a TOTP code from an authenticator app, a code sent via SMS, or a push notification to approve on a mobile device. Hardware security keys using the FIDO2/WebAuthn standard provide the strongest form of 2FA by using public-key cryptography, making them resistant to phishing attacks.
The enrollment process typically involves the user linking their second factor to their account. For TOTP, this means scanning a QR code. For hardware keys, it involves registering the key with the application. The application must also provide recovery options such as backup codes for situations where the second factor is unavailable, though these recovery mechanisms themselves become potential attack vectors if not properly secured.
Not all 2FA methods offer equal protection. SMS-based codes are vulnerable to SIM swapping attacks, where an attacker convinces a mobile carrier to transfer the victim's phone number to a new SIM card. TOTP codes can be phished in real time by proxy-based phishing kits that relay credentials and codes simultaneously. Hardware security keys remain the most resilient option because the cryptographic challenge is bound to the legitimate domain, so a lookalike site on another domain cannot obtain a usable response; this prevents phishing entirely.
Why It Matters
2FA is one of the most effective defenses against account takeover, yet its implementation frequently contains bypasses that security assessments uncover. Common findings include missing 2FA enforcement on sensitive actions, bypassable enrollment flows, lack of rate limiting on code entry, and fallback mechanisms that weaken the overall security posture. Evaluating the full lifecycle of 2FA implementation is critical for understanding an application's authentication security.
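The TOTP flow described under "How It Works" and the server-side findings listed above (rate limiting on code entry, weak fallback mechanisms) can be seen together in one small verifier. The following is an added example, not code from the original page: the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 and is checked against their published test vectors, while the class name, the constants (window of one step, five attempts before lockout) and the backup-code scheme are assumptions chosen for illustration. It accepts a code only within a narrow clock-skew window, refuses a time step that was already redeemed (so a relayed code cannot be used twice), counts failed attempts, and stores single-use backup codes under a salted slow hash rather than in plaintext.

```python
"""TOTP verification with clock-skew window, replay protection, attempt
limiting, and single-use hashed backup codes.  Added example: the RFC 6238
algorithm is real; the class, function names, constants and policy are
assumptions chosen for illustration."""
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6            # code length shown by the authenticator app
STEP_SECONDS = 30     # RFC 6238 default time step
WINDOW = 1            # accept one step either side to tolerate clock skew
MAX_ATTEMPTS = 5      # failed codes before the account locks (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side state for one enrolled account (constructed, in-memory)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failed = 0            # consecutive wrong codes
        self.last_used_step = -1   # highest time step already redeemed

    @property
    def locked(self) -> bool:
        return self.failed >= MAX_ATTEMPTS

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if self.locked:
            # Refuse even a correct code; a real service would also start a
            # cooldown timer and alert, rather than locking forever.
            return False
        step = now // STEP_SECONDS
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate < 0 or candidate <= self.last_used_step:
                continue   # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                self.failed = 0
                return True
        self.failed += 1
        return False


def issue_backup_codes(n: int = 5):
    """Return (plaintext codes to show once, hashed records to store).

    Each code carries 40 bits of entropy; a salted slow hash makes offline
    guessing against a leaked table expensive, and each code is single-use."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    stored = []
    for c in codes:
        salt = secrets.token_bytes(16)
        stored.append((salt, hashlib.pbkdf2_hmac("sha256", c.encode(), salt, 100_000)))
    return codes, stored


def redeem_backup_code(stored: list, code: str) -> bool:
    """Consume a backup code: compare against every stored hash, remove on match."""
    for i, (salt, digest) in enumerate(stored):
        attempt = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)
        if hmac.compare_digest(attempt, digest):
            del stored[i]
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret; the code printed matches the RFC test vector.
    seed = b"12345678901234567890"
    print(totp(seed, 59))                      # 287082
    v = TotpVerifier(seed)
    print(v.verify("287082", now=59))          # True
    print(v.verify("287082", now=59))          # False: replayed within the window
```

The replay check is what turns a real-time relay of a single code into a race the attacker usually loses: once the legitimate login consumes a time step, the same code is dead even though it is still inside the skew window. The attempt counter addresses the "lack of rate limiting" finding; in production it should be keyed per account and per source and backed by a cooldown, not a permanent lock, so it cannot be turned into a denial of service. Backup codes are hashed with a per-code salt because, like passwords, they are secrets a database leak should not hand over in usable form.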