In recent years, the number of passwords people have to enter has grown dramatically. Whether on a smartphone, a computer, or a cloud service, logging in with a username and password has become the default way to verify identity. As the number of passwords to remember grows, many people reuse the same password across services to avoid forgetting it. If one of those services is breached and its passwords leak, every other account protected by the same password is exposed as well.
Today, logging in to an account with a static password, or even with a dynamic one-time password (OTP), is the norm. But as attack methods evolve (automated credential stuffing, for example) and phishing keeps harvesting credentials, a level of login security beyond the password alone is needed. In this article we explain the benefits of two-factor authentication (2FA), give examples, and show how it reduces security risk.
The commonly recognized authentication "factors" fall into three categories:
Knowledge factor (something you know): a password, a PIN, or the answer to a personal security question.
Possession factor (something you have): a phone that receives one-time passwords, an IC card, an ID badge, a physical key, or a hardware security key.
Biometric factor (something you are): a face, a fingerprint, or another physical trait.
With advances in technology, two further factors are now counted as well:
Behavioral factor: how the user acts, established through behavioral analysis.
Contextual factor: the circumstances of the login, such as the device being used or the network it connects from.
A system that combines two factors of different types from these five categories is called "Two-Factor Authentication" (2FA). In recent years more businesses and government agencies have been reviewing the login methods of their internal information systems and online services to raise their level of information security protection, and Two-Factor Authentication (also referred to as dual authentication, two-factor verification, etc.) is among the methods being prioritized for implementation.
By contrast, "Two-Step Verification" (2SV) uses the same type of factor in two separate verification steps, which makes it generally less secure than Two-Factor Authentication. For example, when signing in to a service the user first enters an email address and password (knowledge factor), and the system then asks for the answer to a pre-set security question (knowledge factor) such as "What is the name of your first pet?" There are two verification steps, but both rest on knowledge factors, so this is Two-Step Verification rather than Two-Factor Authentication: an attacker who phishes or leaks the first secret can usually obtain the second the same way.
Multi-Factor Authentication (also referred to as Multi-Verification, Multi-Element Authentication, or Multi-Factor Verification) is a method of authentication that uses multiple factors for identity verification. This means that Two-Factor Authentication (2FA) is a part of Multi-Factor Authentication. Companies with stronger information system security measures (such as healthcare facilities, government agencies, or financial services) tend to choose Multi-Factor Authentication mechanisms.
Why is it necessary to implement Two-Factor Authentication? Obviously, one of the main reasons is to strengthen information security measures.
In fact, the primary reason cybersecurity threats keep rising is that the effort required to launch an attack is relatively low, while the resulting financial losses for businesses or government agencies are often significant. Hence the near-daily news reports of accounts or personal data being stolen or misused, and the long list of cybersecurity incidents that follow.
Traditional static and dynamic passwords are therefore no longer sufficient against the current volume of attacks, which is why zero-trust security strategies and password-less login technologies have been promoted so widely in recent years.
Responding to this situation, the Information Security Department of Taiwan's Digital Development Ministry took the lead in August 2022 by announcing funding and implementation strategies under the National Cybersecurity Development Plan to promote the transition to a zero-trust model. The priority is to gradually introduce password-less and Two-Factor Authentication (2FA) systems, based primarily on biometric recognition, at Class A government agencies (such as the Presidential Office, National Security Council, Legislative Yuan, and Judicial Yuan).
For example, when signing official documents, personnel in Class A government agencies must use biometric authentication and an authorized device wherever they issue a document, and must do so over a secure network connection. Every system and data access is to be preceded by account-password verification, device authentication, and verification of the network connection.
Additionally, Taiwan’s Financial Supervisory Commission (FSC) has tasked the Taiwan Stock Exchange with overseeing securities firms to strengthen their online trading practices by requiring Two-Factor Authentication (such as order credentials, device binding, one-time passwords, facial or fingerprint recognition, and other biometric methods). Furthermore, in October 2023, the FSC published the "Guidelines for Digital Identity Verification in the Financial Services Industry," emphasizing that financial institutions can implement Two-Factor Authentication to enhance customer asset security while promoting financial innovation services. By strengthening identity verification, it can effectively prevent scammers from impersonating others and reduce the risk of financial theft. It also improves the security of the financial system, ensuring that users can enjoy more reliable protective measures when using innovative financial services.
The government's focus on cybersecurity highlights that information security is now one of the most urgent issues that needs to be addressed.
With the increasing complexity of online threats and phishing attacks, single-factor authentication methods can no longer meet the security demands of modern digital environments. As a result, the use of Two-Factor Authentication is steadily increasing. The globally recognized IT research and consulting firm Gartner predicts that by 2025, more than 50% of employee authentication and over 20% of customer authentication scenarios worldwide will adopt password-less authentication methods. These methods include, but are not limited to, biometric recognition, physical security keys, and authentication apps.
Common examples of Two-Factor Authentication include the following:
These designs ensure that if one factor is compromised, the other still provides protection. Combining factors of different types raises the bar for identity verification, blocking unauthorized use by malicious third parties and the losses that follow. For example, when a password is combined with a one-time password generated on or sent to the user's phone, an attacker who obtains the username and password still needs the user's phone to get the code. One caveat: a code the user types into a web form can itself be phished and relayed in real time, so where the highest assurance is required the possession factor should be phishing-resistant, such as a FIDO2 security key whose response is bound to the site's origin.
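The password-plus-phone-OTP scenario above, as an added example (not code from the original article): a minimal login check in Python that requires both a knowledge factor (a PBKDF2-hashed password) and a possession factor (a time-based one-time password per RFC 4226/6238, as generated by common authenticator apps). The user record, password, timestamps and the shared key are constructed for illustration; the key is the 20-byte test key from the RFCs. It shows that a stolen password alone fails, a valid code without the password fails, and a code that was already used cannot be replayed within its validity window.

```python
"""Password + TOTP (RFC 4226 / RFC 6238) login check using only the standard library.

Added example, not the article's or any vendor's code; all data below is constructed.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

DIGITS = 6      # code length shown by the authenticator app
STEP = 30       # TOTP time step in seconds
WINDOW = 1      # tolerate +/- one step of clock drift between server and phone
PBKDF2_ITERS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int,
                step: int = STEP, digits: int = DIGITS, window: int = WINDOW) -> Optional[int]:
    """Return the matched time counter, or None if the code is wrong.

    Counters at or below last_counter are refused, so a code captured by an attacker
    cannot be replayed while it is still inside the drift window.
    """
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter < 0 or counter <= last_counter:
            continue
        # constant-time comparison: no timing leak about how many digits matched
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Knowledge factor at rest: salted PBKDF2-HMAC-SHA256, never the plain password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return hmac.compare_digest(candidate, digest)


class User:
    """Constructed user record: password hash plus the TOTP key shared at enrolment."""
    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1      # highest TOTP counter already consumed


def login(user: User, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. The OTP is always checked, even after a wrong password,
    so the endpoint does not reveal on its own whether a leaked password was correct."""
    now = int(time.time()) if now is None else now
    pw_ok = check_password(password, user.salt, user.pw_hash)
    counter = verify_totp(user.totp_secret, code, now, user.last_counter)
    if not (pw_ok and counter is not None):
        return False
    user.last_counter = counter     # consume the code only on a fully successful login
    return True


def demo() -> dict:
    """Walk through the attack scenarios from the text with a constructed account."""
    secret = b"12345678901234567890"   # RFC 4226/6238 test key, not a real credential
    password = "correct horse battery staple"
    user = User(password, secret)
    t = 59                             # constructed timestamp (RFC 6238 test vector time)
    good = totp(secret, t)
    return {
        "password_only": login(user, password, "000000", t),          # stolen password, no phone
        "both_factors": login(user, password, good, t),               # legitimate user
        "replayed_code": login(user, password, good, t),              # same code used again
        "otp_only": login(user, "wrong password", totp(secret, t + STEP), t + STEP),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:14s} -> {'accepted' if ok else 'rejected'}")
```

In production, the per-account counter and a rate limit on failed attempts belong in persistent storage shared by all login servers, otherwise a brute-force of the six-digit space or a replay against a different node is still possible.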
Additionally, to further explain the new trends in password-less Two-Factor Authentication applications, here are some examples:
With the advancements in technology and higher information security demands from businesses, the scope and complexity of authentication methods are expanding. In the future, businesses may adopt more advanced authentication methods that combine biometric recognition and behavioral analysis to further strengthen digital information security.
Currently, biometric recognition (the biometric factor) is being adopted rapidly in Two-Factor Authentication solutions because it is convenient and difficult to impersonate, among other reasons. Among biometric methods, facial recognition has become one of the main choices for businesses because it is contactless and the technology is mature.
Facial recognition is a biometric authentication system that uses a camera to detect facial images to verify a person's identity.
Some advantages of facial recognition include:
First, the advantage of using facial recognition is that there is almost no risk of forgetting, damaging, or losing it. As mentioned earlier, relying on knowledge factors, such as passwords and answers to personalized security questions, always carries the risk of forgetting them.
On the other hand, possession factors, such as IC cards, ID badges, and physical keys, carry the risk of damage or loss. Furthermore, even if the owner is careful not to lose the object, it could still be maliciously stolen or forged by a third party.
Facial recognition, in this regard, carries almost no risk of being forgotten or lost, short of serious injury or cosmetic surgery. The flip side is that a face cannot be changed the way a password can, so stored face templates must be protected as carefully as any credential.
For example, for logging in to a computer, adding facial recognition (biometric factor) on top of the traditional username and password (knowledge factor) is a relatively easy way to implement Two-Factor Authentication. Most laptops today already have a camera, so no additional hardware is needed. For those who understand the importance of information security but are unwilling to incur extra hardware cost, this is a convenient and readily achievable option. Bear in mind that a plain 2D webcam is easier to fool with a printed photo or a video than an infrared or depth camera, so liveness detection matters more in that setup.
Even when both hands are occupied, facial recognition can still function properly as long as the face is detected. Therefore, even in situations where your hands are not free like carrying luggage, it is possible to smoothly verify the person's identity. Furthermore, advanced facial recognition systems today can accurately identify individuals even when they are wearing masks or protective gear, eliminating the need to remove them for identity verification.
Every authentication method can be attacked or cracked, but the difficulty of deceiving it varies. Because facial recognition has been deployed for a long time, its anti-spoofing techniques (presentation attack detection, such as liveness checks) are comparatively mature, which substantially lowers the success rate of photo, video, or mask attacks. When evaluating a product, ask for presentation attack test results against a recognized standard such as ISO/IEC 30107-3. For more detail, see the article Can Facial Recognition Anti-Spoofing Technology Be Easily Breached?
For these reasons, when evaluating the adoption of Two-Factor Authentication, many companies and organizations choose to use facial recognition as one of the verification factors.
In the rapidly changing digital environment, Two-Factor Authentication (2FA) has become a key mechanism for securing both corporate and personal information. This article introduced the basic concepts of Two-Factor Authentication, the differences between Two-Factor Authentication and Two-Step Verification, and its specific applications in enhancing security. With the advancement of technology, new authentication factors such as behavioral and contextual factors have been introduced, further strengthening the reliability of remote identity verification. As a representative of biometric factors, facial recognition, due to its convenience and high security, will play an important role in future Two-Factor Authentication, providing users with more reliable protection.