With so many key aspects of our lives now managed online, digital security is more important than ever.
Whether you’re browsing retail sites on your laptop at home or logging into an accounting tool on your phone to check your small business finances while on the train, you’ll want to feel confident that any online accounts you’ve signed up to are accessible only to you. That’s where two factor authentication, or 2FA, comes in.
This is a security protocol designed to prevent attempts by fraudsters, cyber criminals or any unauthorised third parties from signing into other people’s online accounts to steal sensitive personal data, fund illicit shopping sprees and cause all kinds of other problems.
Having a good understanding of 2FA can bring peace of mind about your online activities, both as a consumer and small business owner. With that in mind, we’ve put together this guide to 2FA, what “factors” are, and how two factor authentication is also used to safeguard online payment methods.
What does two factor authentication mean?
So just what is 2FA? It’s simply a security system where anyone attempting to log into an online account or make an online payment will need to verify their identity using two different methods before being permitted to proceed.
These methods are technically known as “authentication factors”. Let’s run through the most prominent types.
Knowledge factors
This is the most widespread and familiar type of authentication factor, and involves the user providing information only they should know. For example, inputting a password or PIN number, answering a secret question, or drawing a specific pattern on the screen.
The problem with having a knowledge factor as the sole identity verification method (also known as single factor authentication) is that it will make the user vulnerable to third parties who might somehow obtain the piece of knowledge in question.
A third party might be a professional fraudster or cyber criminal who’s discovered a user’s password by way of a system hack or phishing scam. Or they may even be someone the user knows personally, and therefore able to make an educated guess regarding a password or PIN number.
Inherence factors
This authentication factor category focuses on biometrics which by their nature are inherently unique to the user. Think fingerprint scanning or facial recognition software.
The use of inherence factors has become commonplace in recent times, thanks to smartphones and other devices fitted with biometric technology which can swiftly scan and verify users.
Possession factors
As the name suggests, this is a category of authentication factor which requires the user to possess a physical item such as a debit or credit card, fob or smartphone.
For example, a verification system for an online account might send the user’s phone a one-time passcode (OTP) via SMS as part of the login process. Or, it might trigger a push notification on their device, asking them to approve the attempt to access the account.
The inclusion of a possession factor makes it considerably tougher for a third party to gain unauthorised access. After all, while a criminal may be able to steal knowledge factors like passwords and PIN numbers remotely, physical items will always remain out of reach of online fraudsters.
This isn’t to say that the use of possession factors will make users absolutely invulnerable to cyber criminals. Determined hackers can engage in more sophisticated strategies like SIM hacking or SIM jacking, where they use stolen personal details to bypass phone network security procedures, take control of users’ phone numbers and have 2FA SMS messages sent to them.
But even with that caveat in mind, the use of possession factors in two factor authentication systems will go a long way to minimising unauthorised entry to online accounts, as well as card not present fraud.
How does two factor authentication work?
While the exact two factor authentication process can vary between services and payment systems, there’s a general pattern to expect every time. Let’s break it down with a typical example of a user signing into an online account.
Let’s say you’ve been looking into how to use social media for small business customer engagement, and decide to subscribe to a digital platform for managing your online profiles. Here’s how you might undergo 2FA when signing into your account.
You navigate to the sign-in page for the social media management platform.
You’re prompted to enter your username and password.
The site initiates the verification of the second factor, in this case by texting a one-time passcode (OTP) to your phone.
You input the OTP as instructed by the site.
If the OTP is correct, you’re considered to have passed two factor authentication and granted access to your account.
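As an added illustration (not code from the original article), here is a minimal server-side version of those five steps in Python: the password check issues a one-time code, and the code is then verified with an expiry, a single use, and a cap on wrong guesses. The five-minute lifetime, the three-attempt limit, the plain-text user store and the in-memory list standing in for the SMS gateway are all assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_OTP_ATTEMPTS = 3    # assumption: three wrong codes end the challenge


@dataclass
class PendingLogin:
    """A login that has passed the password step and awaits the SMS code."""
    username: str
    otp: str
    expires_at: float
    attempts_left: int = MAX_OTP_ATTEMPTS


# Constructed sample user store (username -> password). A real service
# stores salted password hashes; plain strings keep the example short.
USERS = {"alice": "correct horse battery staple"}
SENT_SMS = []  # constructed stand-in for the SMS gateway: (user, code)


def start_login(username, password, now=None):
    """Steps 1-3: check the knowledge factor, then text a code to the phone."""
    now = time.time() if now is None else now
    expected = USERS.get(username)
    # Constant-time comparison avoids leaking how many characters matched.
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    otp = f"{secrets.randbelow(10**6):06d}"  # cryptographically random 6 digits
    SENT_SMS.append((username, otp))
    return PendingLogin(username, otp, now + OTP_TTL_SECONDS)


def finish_login(pending, submitted_otp, now=None):
    """Steps 4-5: verify the possession factor.

    Returns "granted", "denied" (wrong code, may retry) or "locked"
    (code expired, already used, or too many wrong guesses).
    """
    now = time.time() if now is None else now
    if now > pending.expires_at or pending.attempts_left <= 0:
        return "locked"
    if hmac.compare_digest(pending.otp, submitted_otp):
        pending.attempts_left = 0   # single use: a replayed code is refused
        return "granted"
    pending.attempts_left -= 1
    return "locked" if pending.attempts_left == 0 else "denied"
```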
Should 2FA always be enabled?
Websites, platforms and apps will often allow you to select whether or not you’d like to have two factor authentication enabled. This decision should be based on an objective assessment of how vulnerable your business setup might be to third parties.
Say, for example, you’re a sole trader interested in how to make money from home. You’ll be the only person accessing your online accounts through a password-protected broadband connection at home, and you consider yourself savvy when it comes to fraudster strategies such as phishing.
In this context, you might decide it’s safe to switch off 2FA so that you can enjoy completely frictionless access to your accounts.
An alternative example would be if you were running a larger enterprise. Say, a bustling food and drink business where multiple members of staff have to access cloud-based software tools, and you’re also liable to log into various business-related accounts while out and about using public WiFi connections.
In this business context, it would make sense to enable 2FA across all digital accounts as part of your overall small business risk management strategy. This way you can be far more confident that, even if hackers were to get their hands on the various login details for your business accounts, only authorised team members will actually be able to gain access.
Why is two factor authentication important?
We’ve talked about how 2FA adds an extra layer of security to the login process, but it’s worth emphasising some of the reasons why this is so important.
Security breaches are a real and serious issue
If you’re still in the early stages of becoming your own boss, or perhaps only interested in low cost business ideas of modest size and scope, it may be tempting to assume you’ll fly under the radar of cyber criminals.
With your to-do list likely to be packed with more immediate tasks like working out how to price products and services, and how to advertise your business, security considerations may fall by the wayside.
But the unfortunate fact is that, as practically all aspects of our day-to-day lives become increasingly digitised, so too are online “threat actors” like fraudsters becoming more active and undiscriminating in who they target.
According to research compiled by the Home Office, more than half of businesses surveyed in the 12-month period leading up to winter 2023/2024 reported having experienced “some form of cyber security breach or attack”.
While most attacks targeted medium and large businesses, no category of enterprise went unscathed, with most attacks taking the form of phishing emails and text messages seeking to obtain sensitive information.
This kind of criminal activity can impact operations management even if the threat actors don’t manage to get away with any vital information. And if there is a successful data breach, it can lead to worse consequences, potentially disrupting cash flow and jeopardising business growth strategies.
Given that the Home Office report also highlighted the fact that only 39% of surveyed businesses had enabled “any two factor authentication for networks/applications”, it’s clear that 2FA is still being underutilised, even as the risk of attacks increases.
Passwords are vulnerable
Passwords remain the most ubiquitous online identification method, yet they are highly vulnerable to clever and determined threat actors.
A recent Forbes survey starkly illustrated just how vulnerable, with 46% of respondents reporting they had a password stolen in the previous year.
Many also admitted to poor password safety practices, such as using weak and “guessable” passwords, deploying the same passwords across multiple accounts, and only changing their passwords when prompted to do so, rather than more regularly to lower the chances of data breaches.
Although online password managers are increasingly being used to automatically generate long and hard-to-crack passwords, solely relying on a password as a single verification method still needlessly increases the risk of an account being compromised.
2FA is practical and convenient
Security measures always have to strike a balance between effectiveness and convenience. It’s no good implementing a foolproof protocol which involves multiple verification processes if it’s impractical to use on a regular basis.
One reason why two factor authentication is such an important tool is that it significantly boosts security without hampering user experience in any significant way. While there is some slight friction involved, whether you’re called upon to input a code or tap a push notification, it’s a very small amount of effort in return for considerable peace of mind that your account is being kept as impregnable as practically possible.
How does two factor authentication work with payments?
Remote online payments, also known as card not present transactions, are safeguarded by a protocol based on two factor authentication. Known as 3D Secure, it requires cardholders making online purchases to prove their identity when inputting their card details.
Say for example you’ve brought a small business idea to life in the form of an online store. In the interest of security, some of your customers will be prompted to input an OTP, or pass biometric verification when completing their purchases. This precaution helps prevent criminals from carrying out debit and credit card fraud using stolen account details.
The “3D” part of the name is a reference to the three domains involved in the protocol. Namely, the domain belonging to the cardholder’s issuing bank, the domain belonging to the merchant’s bank, and the domain provided by the card network which makes the whole process possible.
3D Secure is an inherently smart security protocol because its current iteration, known as 3D Secure 2, automatically assesses whether an online transaction requires the two factor authentication process to take place. It does this by instantly gathering key data points regarding the transaction, such as the buyer’s IP address, browser language and previous purchases.
If these data points all indicate that the genuine cardholder is making the transaction, they will very likely be allowed to continue right away, with no need for an OTP or other form of secondary verification. This makes the process seamless in the majority of cases, removing the risk of customers being irritated and abandoning carts midway through checkout.