What is two-factor authentication?

Your security administrator has told you that he’s implementing a new security policy that includes two-factor authentication. What is two-factor authentication?

A) Your authentication must contain two pieces of information.

B) Your password must contain at least two types of characters, such as upper-case characters, lower-case characters, numbers, and non-alphanumeric characters.

C) Before you can access a resource, you must log in correctly twice in a row.

D) Your password is encrypted twice before it is stored on an authentication server.

Answer: A) Your authentication must contain two pieces of information.

Your username is an unprotected piece of information, and it’s not uncommon to share your username with other people for identification purposes, for connectivity to network shares, or in conversations with third parties. The most common method of securing the account associated with your username is a password. This is often described as “something you know.”

Although passwords provide a useful security function, their downside is that they are easily shared or stolen. If someone else has your password, they can now access your account and there’s no way to tell that they’re not the true owner of the account.

In environments where additional security is required, two-factor authentication is used. Two-factor (or multi-factor) authentication provides an additional layer of security, usually along with a username and password. This can often be accomplished through card readers, biometric scanners, or random key generators, and it’s usually described as “something you have.”

For example, you can buy an inexpensive pseudo-random number generator from PayPal that is synchronized to your online PayPal account. The number on the device changes every 30 seconds, so it’s impossible for anyone to guess the next set of numbers in the sequence. When you log in to PayPal with your username and password, it also requests the number that’s currently on your key generator. Since you’re the only one with the key generator, you’re the only one who can log in.

The incorrect answers:
B) Your password must contain at least two types of characters, such as upper-case characters, lower-case characters, numbers, and non-alphanumeric characters.
In operating system terms, these are called strong passwords or complex passwords. Although it’s a useful mechanism for improving the quality of passwords, it’s not two-factor authentication.

C) Before you can access a resource, you must log in correctly twice in a row.
This doesn’t sound very practical, does it? There are no practical operating systems that require two successful logins to provide access to a resource.

D) Your password is encrypted twice before it is stored on an authentication server.
Although encrypting information twice is a useful cryptographic technique, it’s not associated with two-factor authentication (and not usually applicable to password storage, for that matter).
