Last reviewed: July 2015

What Is Two-Factor Authentication?

It is the use of two independent means of evidence (factors) to assert the identity of a user requesting access to some application or service to the organization that provides the application or service. The objective of two-factor authentication, as a method of electronic computer authentication, is to decrease the probability that the requestor is not who he/she claims to be (i.e., providing false evidence of his/her identity.) Two-factor authentication is achieved by a combination of any two of the three "Somethings" below:

Something you know

Something you have

Something you are

Note that the use of a password in combination with a PIN, for example, is NOT considered two-factor authentication because both pieces of information involve a single factor - something you know.

The use of two-factor authentication has been pervasive and ubiquitous for quite a long time already. Any person who has used an ATM machine to withdraw cash for a bank account has used two factor authentication – you had to provide something you had (a card) and had to provide something you know (a PIN) in order to complete the transaction.

What Is The Difference Between Two-Factor and Multi-Factor Authentication?

The subtle difference is that, while two-factor authentication uses exactly two factors to assert the identity of a user, multi-factor authentication uses two or more factors to assert identity. In essence, two-factor authentication is a subset of multi-factor authentication. An example of multi-factor authentication would be the requirement to insert a smart-card (something you have) into a smart-card reader, enter a PIN (something you know), and provide a valid fingerprint (something you are) provided via a biometric fingerprint reader. This example uses three factors to assert the identity of a user.

What are the Business Reasons to Consider Two-Factor Authentication?

Privacy, and the threat of identity theft, is increasingly a concern as more of personal information finds its way to online applications.  In addition, passwords alone can frequently be easily guessed or compromised through phishing or hacking, consequently, no longer providing adequate protection for mission-critical information system and applications containing Personally Identifiable Information (PII), Personal Health Information (PHI), and other confidential information.  Some specific concerns:

See Passwords, a presentation at the NWACC Security Conference 2009, for a in-depth review of all the reasons why it makes good business sense to consider two-factor authentication as alternative to traditional passwords. 

Compliance is also driving adoption of two-factor authentication in other areas – three examples:

Other requirements for two-factor authentication include Internet banking. For that reason, the Federal Financial Institutions Examination Council (FFIEC) strongly recommends two-factor authentication for consumer online banking services. Specifically, in its Supplement to Authentication in an Internet Banking Environment, under Customer Authentication for High Risk Transactions, it states "Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multi-factor authentication to their business customers."

Check out Breaking the Ubiquitous Two-Factor Barrier, presented by Jane Drews (University of Iowa and Quinn Shamblin (Boston University) at the 2015 Security Professionals Conference. For other recent presentations visit access control and identity and access management in the EDUCAUSE library. 

Learn more about Two-Factor Authentication with Duo Push by visiting the Internet2 NET+ website.

Also see Client (Personal) Certificates: Should We Be Thinking About Certificate Use Cases or Should We Be Thinking About The Sort of Credential Deployment Model We Need? (a presentation at the 2011 Internet2 Member Meeting) for questions to ponder when considering deployment of two-factor authentication.

What Technology Is Available?

1. Second Channel Authentication - Mobile Phone-based

Though similar to two-factor authentication but different, second channel authentication allows individuals to use their mobile phone as a security token (i.e., what you have.) A Java application installed on the mobile phone performs the functions normally provided by a security token. Other methods of using the cell phone include using Short Message Service (SMS) messaging, prompting an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS. Second channel authentication uses a mobile phone via a cellular network in addition to the computing device connected via an IP connection.  This authentication method is already in use in online shopping, with Google's version of two-factor authentication built within the Google shopping cart.

See Mobile One-Time-Passwords (OTP)Google Authenticator, and DuoSecurity for information on implementation of OTP via mobile phones. Additional implementation options include:

2. Security Tokens

A small device that an individual possesses and controls used to authenticate the individual's identity. It provides the "what you have" component of two-factor authentication since it is used in addition to another piece of evidence (e.g., a password) to prove that individuals are who they claim to be. A token generates a unique code that is combined with an individual's password to create an electronic "ticket" that authenticates the individual and encrypts the transmission to ensure data integrity. Security tokens come in different types. The most common are:

Hardware Tokens: Physical devices small enough to be carried in a pocket or attached to a keychain. They may store digital credentials, a digital certificate, or digitized biometric data (e.g., a fingerprint).  Some hardware tokens include input and output intefaces like a small keypad to enter a PIN or a button to generated a key number and a display window to show it. They can also include a Bluetooth wireless interface to enable transfer of the generated key number to a client system.

Hardware tokens also come in different types.  Some of the most common are:


  • Mature technology
  • Compatible with a large number of applications
  • Easy to carry
  • Strong second factor


  • Easily lost and/or forgotten
  • Medium/high time and effort to deploy and maintain
  • Comparatively medium/high cost of ownership / deployment though purchase costs are declining. 

Who Is Using It (this is just a sample list):

USB Token: A specific type of hardware token designed to include a Universal Serial Bus (USB) connector. A USB port is standard equipment on today's computers. USB tokens are normally used to store digital certificates.  They plug into a computer's USB port and, in some cases, individuals are prompted to enter their PIN to unlock/pass the digital certificate.

Some USB tokens may need drivers to be installed while others may come with self-installing drivers but that only work with certain versions of Windows.


  • Mature technology
  • Easy to Carry
  • Strong second factor


  • Easily lost and/or forgotten
  • Comparatively medium / high cost of ownership / deployment
  • Can be time consuming to maintain
  • Requires USB port (or adapter) on the user device

Who Is Using It (this is just a sample list):

Software Tokens: Non-physical device that is stored on a desktop computer, laptop, Personal Digital Assistant (PDA), or mobile phone. As in the case of hardware tokens, they may store digital credentials or a digital certificate.


  • Comparatively lower cost of ownership / deployment
  • Compatible with a large number of applications
  • Easier to deploy than a hardware token
  • Strong second factor but not as strong as hardware token


  • Some argue that a software token can be copied so they're not a true version of "something you have"
  • Can be time consuming to maintain
  • Software tokens stored on-devices are less secure than software tokens stored off-devices (e.g., hard tokens)

Who Is Using It (this is just a sample list):

3. Smart Cards

A pocket-sized card, similar to credit card, with embedded integrated circuits that communicate with external devices via a card reader.

Smart cards can be programmed to provide identification and authentication services. The most advanced cards include encryption hardware that uses algorithms that support the NIST standard for Personal Identity Verification (FIPS 201) and/or secure Bluetooth-enabled card readers to link smart cards to users' smart phones but the readers can be expensive.

Similar to USB tokens, they also provide the "what you have" component of two-factor authentication since with a smart card an individual authenticates by using a PIN in combination with a smart card that contains the individual-specific information.


  • Easy to carry
  • Can be tied to physical security strategy (ID Badge)
  • Strong second factor with use of PIN
  • Use of encryption, therefore the information is more secure.


  • Cards can be lost or stolen
  • Comparatively medium / high cost of ownership / deployment
  • Smartcards need card readers

Who Is Using It (this is just a sample list):

4. Biometrics

The use of intrinsic physiological and behavioral characteristics to authenticate a particular individual. Most biometric-based authentication follows a four-step process:

  1. Create a sample of individuals' biometric characteristics during an enrollment process. A profile of an individual's characteristics can be built based on a specific number of samples given.
  2. Unique data are extracted from the sample and a template is created.
  3. The template is compared with a new sample provided during authentication.
  4. Access is determined by matching the features extracted from the new sample with those of the template.


    • Strong second factor
    • Meet security requirements of integrity and nonrepudiation when combined with digital signatures


    • Requires relatively more complex and expensive technology
    • Requires calibration through multiple image captures to minimize the probability of erroneous rejection of authorized individuals or erroneous acceptance of unauthorized individuals
    • Concerns about accuracy, privacy and security of biometric indicators, and potential inconvenience make user acceptance difficult
    • Adds complexity to replacement of compromised credentials (e.g., how do you revise the template created from an individual's iris scan or thumbprint)
    • Illness or injury might make it difficult or impossible for individuals to authenticate
    • Potential accessibility barriers for disabled individuals

Questions to Ask IF Selecting Biometrics

A number of biometric technologies measure different physiological and behavioral aspects of an individual


Fingerprint Recognition

Signature Characteristics

Palm Scan

Hand Geometry

Retina Scan

Iris Scan

Keyboard Dynamics

Voice Print

Facial Scan


Examines the unique ridge endings and bifurcations displayed by friction ridges of an individual's fingerprint

Often referred to as dynamic signature verification (DSV), examines how individuals sign their names

Examines the unique creases, ridges, grooves in an individual's hand. Also scans the fingerprints of each finger.

Examines the length and width of an individual's hand. The system compares the geometry of each finger and the hand as a whole

Examines the blood vessel patterns of the retina on the backside of the eyeball

Examines the colored portion of the eye that surrounds the pupil. The iris has unique characteristics (e.g., colors, rings, etc).

Examines the speed and motion used by an individual when typing a specific phrase

Examines an individual's speech sounds and patterns when saying a sequence of words

Examines facial characteristics of an individual - bone structure, nose ridge, eyes width, forehead size, etc.


High accuracy level,
Standards based on the FBI Automated Fingerprint Identification System (AFIS).

Important to note that not all fingerprint recognition technology is the same and is equally accurate.

Low accuracy level


Medium/ Low accuracy level despite highly stable pattern over individual life

The most accurate biometric authentication

The second most accurate biometric authentication. Iris remains unchanged throughout life so iris scan has longer useful life.

Low level of accuracy. Subject to significant variances due to changes of behavior and posture

Medium accuracy level. Can be impacted by circumstances like a cold

Medium / low accuracy level. Pretty good at full frontal views but has problems with angle views, profiles, and varying facial expressions

User acceptance

Average acceptance though it is the most used and most practical biometric

Very high acceptance level. The signature is the most common form of authentication in the paper world

Average acceptance

High acceptance

Least level of user acceptance

Average acceptance

High acceptance

High acceptance

Average acceptance

Relative Cost

Medium / Low









Application interface

Scanner. Easy to use and require little space

Optic pen and touch panel. More sophisticated devices can measure:
the angle of the pen, the pressure applied, the time taken to sign, and the velocity and acceleration of the signature


Scanner. Easy to capture but system requires large physical space

Reader. Requires direct contact with a cup reader

Reader. Does not require direct contact with the reader


Microphone or telephone. Commonly available sensors Hands-free and eyes-free operation


Special Requirements


Requires individuals to sign their name with a special pen on a sensitized reader or pad




Acquisition of iris image requires more training than most biometrics




Privacy Concerns

Privacy concerns of criminal implications


Same as fingerprint


Can reveal personal medical conditions like high blood pressure and pregnancy

None. Does not reveal personal medical conditions




Sources: The Biometrics Consortium; The Biometrics Research Group; Biometrics Overview; and James Michael Stewart, Ed Tittle, Mike Chapple "CISSP Study Guide", Third Edition

(question) Questions or comments? (info) Contact us.

(warning) Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).