What is Two-Factor Authentication (2FA)?


Two-factor authentication (2FA) is any sign-in process that requires two distinct authentication factors before access to an online account is granted. It is an added layer of security used by many cryptocurrency exchanges: after you enter your password you must also supply a second proof, such as a one-time code generated on, or sent to, your mobile device.

2FA is the two-factor case of multi-factor authentication (MFA), and the terms are often used interchangeably. The added factor must come from a different category than the password: something you know (a PIN or secret questions), something you have (a registered physical device or hardware security key), or something you are (a biometric). Two proofs from the same category, for example a password plus a secret question, are not two factors; the protection comes from an attacker having to compromise two different kinds of secret.

The most common form of 2FA is a password combined with a one-time passcode (OTP). After the password check, which remains the primary authentication step, you are prompted for a six-digit code that is valid only for a short time. The code is delivered by SMS or phone call to your mobile phone, or generated locally by an authenticator app (time-based OTP, which derives the code from a secret shared at enrolment and the current time). Because a stolen password alone no longer suffices, this defeats most credential-stuffing and password-reuse attacks. Two caveats: SMS codes can be intercepted by SIM swapping, and any OTP can be phished in real time by a proxy site that relays it to the genuine service. An authenticator app removes the SIM-swap risk; only phishing-resistant methods such as FIDO2 hardware security keys remove the relay risk.

Biometric authentication is often presented as the most secure second factor, but in practice it is mostly a convenient local unlock: a fingerprint, face or iris scan on a phone typically releases a cryptographic key held on that device rather than being sent to the service, so its strength depends on the device, and a biometric cannot be changed if its template is ever leaked. Of the three common options, fingerprint scan, facial scan and iris scan, the fingerprint is the most popular and the easiest to set up, because most mobile devices have a built-in fingerprint reader.

Two-Step Verification vs. Two-Factor Authentication

Although the two terms are often used interchangeably, there is a difference in principle between the two security measures.

Two-step verification is the measure most of us see every day: a username and password, followed by a one-time code delivered by e-mail, phone call or text message. It counts steps, not factor categories, so both steps may rest on the same kind of proof; an e-mailed code, for example, is only as strong as the password protecting the mailbox that receives it.

2FA, by contrast, requires a second factor from a different category than the first, and access is denied if it is not provided. Recognised factors include a possession factor (a one-time code from an authenticator app, or a hardware security key), a knowledge factor (a PIN or secret questions) and an inherence factor (facial, voice or speech-pattern recognition). A location factor (access only from approved locations) and a time factor (access only during a set period) are sometimes listed as well, although most schemes treat these as contextual checks applied on top of the real factors rather than as factors in their own right.