What is the difference between two-factor & multi-factor authentication?
What is a factor?
Factors are pieces of information or credentials.
When you log in to an account using only a password, that is single-factor authentication. You’ve submitted one piece of information.
There are three common types of factors, as listed by TechTarget:
- Knowledge: something you know, such as a user name and password.
- Possession: something you have, such as a smart card or a security token.
- Inherence: something you are, an inherent biometric characteristic such as a fingerprint, voice or iris pattern.
Time and location are also factors that may be used, but these may be enforced behind the scenes without you being aware of them.
Two-factor authentication
Two-factor authentication (2FA) is where two credentials are used to sign in. A common combination is (1) entering your user name & password and then (2) entering a code that was sent to you via text message. Another is using a password and a secure USB key.
In either case, you’re using two forms, hence two-factor.
Multi-factor authentication
Multi-factor authentication (MFA) is the term for using a combination of two or more credentials to sign in to a service. You may have set up a password, authenticator app, secure USB key, fingerprint, face scan, etc.
A common example is:
- User name & password (knowledge) +
- Phone with facial recognition authentication to unlock (inherence) +
- Authenticator app (possession)
Multi-factor is a term often used by dedicated security apps and services (e.g. Duo), whereas two-factor is a term more often used by account services (e.g. Google).
What is happening in practice
Two-factor and multi-factor are terms that are often used interchangeably despite their slight differences. As account security standards become more sophisticated, multi-factor is becoming the preferred term.
End of passwords?
As implied by multi-factor, some services are moving away from passwords altogether, for example by signing in with a combination of facial recognition + authenticator app, or fingerprint + secure USB key. There has been a low-key trend away from passwords, but Google and Microsoft have recently upped their efforts to improve “alternative” factor security.