
What Is 2FA?

2FA is a security method whereby users are required to verify their identities using two forms of identification. Such forms, including the password, fingerprint, SMS verification code, smart card, and biometric recognition, can be combined in different ways. This can improve the security and reliability of user accounts.

Why Is 2FA Required?

Since the emergence of the Internet, and with computers and network technologies developing rapidly, exchanging information over computer networks has become increasingly common for individual users. Recent years have seen the rise of e-commerce, e-government, and mobile payment. While these bring greater convenience to people's lives, they also mean that a great deal of sensitive and confidential information, such as company contracts, business orders, payment accounts and passwords for mobile apps, and bank accounts and passwords, is transmitted over the Internet. Receivers of this information are required to keep it strictly confidential and must not disclose it to any third party. Securing its dissemination and use is therefore of critical importance.

In the Internet era, enterprises have many network devices to protect and attach great importance to protecting them. If a user obtains administrator permissions without authorization, they may intrude on enterprise network devices and perform unauthorized operations. As a result, sensitive information may be disclosed, or in some cases the entire network system may even break down.

Cybercrime has also been on the rise in recent years, with increasingly complex attacks and larger economic losses. This compels users to take effective countermeasures.

Therefore, it is necessary to authenticate users accessing applications, services, and network devices. 2FA is the most common and simple access control method for identity verification, capable of improving the security and reliability of user accounts.

What Are the Common Identification Forms?

Common identification forms include:
  • Knowledge factor: password, personal identification number (PIN), and security question answer.
  • Possession factor: software token and hardware token.
    • Software token: SMS verification code, email verification link, verification code, and QR code provided by the service provider (for example, WeChat QR codes that a user scans for authentication).
    • Hardware token: dedicated devices that function as security keys, such as ID cards, driving licenses, passports, key cards, and hardware encryption locks.
  • Inherent factor: biometric features, such as fingerprints, voice, facial features, iris and retina patterns, and handwritten signatures, as well as behavioral biometrics such as keystroke dynamics or speech patterns.
  • Location factor: specific location, device, and IP address range.
  • Time factor: specific time range.

If two forms of identification, such as password + security question answer or ID card + SMS verification code, are of the same type, single-factor authentication (SFA), rather than 2FA, is applied.

In short, 2FA requires users to present two forms of identification.

What Are the Typical Applications of 2FA?

Typically, 2FA requires a combination of two distinct forms of identification, such as:
  • Knowledge factor + Possession factor: Employees remotely log in to the office system through the VPN. Two forms of identification are involved: password and SMS verification code. When a user logs in to the system via an email address or social media account, two forms of identification are involved: password and CAPTCHA.
  • Knowledge factor + Inherent factor: The authentication process of payment systems used for gaming, shopping, and mobile apps involves two forms of identification: password and SMS verification code/QR code scanning.
  • Knowledge factor + Location factor: When a user logs in to the system via an email address or social media account, two forms of identification are involved: password and specified IP address range.
  • Knowledge factor + Time factor: The authentication process of the coupon redemption systems of mobile apps involves two forms of identification: password and specific time range.
  • Possession factor + Inherent factor: The authentication process of the ticket checking system in railway stations and airports involves two forms of identification: valid certificate (such as ID card and passport) and facial recognition.

What Is the 2FA Process?

Whether a user needs to log in to an application, service, or network device, the 2FA process remains the same. The following uses the 2FA process of an application as an example:
  1. A user logs in to an application.
  2. The user enters the login credential — usually the account and password — for initial authentication.
  3. After the authentication succeeds, the user is prompted to submit a second authentication factor.
  4. If the authentication passes, the user is granted the corresponding system operation permission.
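The four steps above as a small server-side model, added here as an illustration rather than code from the original page: the password (knowledge factor) is checked first, a short-lived one-time verification code (possession factor, standing in for an SMS or dynamic code) is issued only after that check succeeds, and permission is granted only when the second factor also passes. The account, password, salt, and 30-second code lifetime are constructed values for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: one account whose password is stored as a PBKDF2 hash.
# In a real application this would be a user database, not a module-level dict.
_SALT = b"demo-salt"
_ITERATIONS = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}

CODE_LIFETIME = 30          # seconds a verification code stays valid (assumed value)
PENDING = {}                # login token -> (user, expected code, expiry time)


def check_password(user: str, password: str) -> bool:
    """Step 2: initial authentication with the account and password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    stored = USERS.get(user)
    if stored is None:
        return False      # the hash was still computed, so unknown accounts cost the same
    return hmac.compare_digest(candidate, stored)


def start_login(user: str, password: str, now: float):
    """Steps 1 to 3: on password success, issue a one-time code and a pending token.
    Returns None when the first factor fails, so no code is ever sent."""
    if not check_password(user, password):
        return None
    code = f"{secrets.randbelow(1_000_000):06d}"
    token = secrets.token_hex(16)
    PENDING[token] = (user, code, now + CODE_LIFETIME)
    # The code is returned here only to stand in for out-of-band delivery (SMS, app).
    return token, code


def finish_login(token: str, code: str, now: float) -> str:
    """Step 4: verify the second factor; the pending token is consumed on every attempt."""
    entry = PENDING.pop(token, None)   # single use: a retry needs a fresh password login
    if entry is None:
        return "denied: no pending login"
    user, expected, expiry = entry
    if now > expiry:
        return "denied: code expired"
    if not hmac.compare_digest(code, expected):
        return "denied: wrong code"
    return f"granted: {user}"
```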

What Are the Differences Between 2FA and MFA?

The differences between 2FA and MFA are listed in Table 1-1.

Table 1-1 Differences between 2FA and MFA

| Item | Differences |
| --- | --- |
| Number of identification forms | 2FA ≤ MFA: 2FA requires two forms of identification, while MFA requires at least two forms of identification. |
| Security | 2FA < MFA: MFA may require more forms of identification than 2FA, thereby improving user account security and reliability. |
| Number of users | 2FA ≥ MFA: 2FA is generally used in daily work and life. MFA, which may require three or more different forms of identification, is generally used by personnel in special industries such as scientific research and the military industry. |
| User experience | 2FA ≥ MFA: Each additional authentication factor adds an authentication step and waiting time during the operation, affecting user experience. |
| Installation and maintenance costs | 2FA ≤ MFA: Each additional authentication factor makes network devices and software systems more complex and raises maintenance costs. |
| Confidential information level | 2FA ≤ MFA: MFA, which may require three or more different forms of identification, protects confidential and top-secret information in fields such as scientific research and military affairs. |

By referring to the differences between 2FA and MFA and considering the actual application scenario and network conditions, you can select the most suitable user identity authentication method. This helps ensure the security and operability of data and systems.

Common Authentication Modes on Huawei Firewalls

Common authentication modes on Huawei firewalls include:
  • Local authentication: User information is saved on a firewall. If a user accesses the portal authentication page and sends the user name and password to the firewall, the firewall implements authentication on the user.
  • Server authentication: User information is not saved on a firewall. If a user accesses the portal authentication page and sends the user name and password to the firewall, the firewall forwards the user information to a third-party authentication server for identity authentication.
  • Single sign-on (SSO): A user sends the user name and password to a third-party authentication server. After the user passes the authentication, the third-party authentication server sends the user's identity information to a firewall. The device only records the user's identity information, without participating in authentication.
The following lists the common scenarios of 2FA on Huawei firewalls:
  • Firewall + RADIUS server networking scenario: The firewall forwards the user name, password, and verification code to the RADIUS server. The RADIUS server uses 2FA (user name, password, and verification code) to authenticate firewall users. The RADIUS server sends a dynamic code or SMS verification code to the user.
  • Firewall + HWTACACS server networking scenario: The firewall forwards the user name, password, and verification code to the HWTACACS server, which uses 2FA (user name, password, and verification code) to authenticate firewall users. The HWTACACS server sends a dynamic code to the user.

For more information about products, see HUAWEI USG6000E User and Authentication Configuration Guide.
