Two-Factor Authentication (2FA)
2FA requires exactly two distinct authentication factors from different categories — typically a password (something you know) and a second factor like SMS, app-based codes, or hardware keys (something you have or are). It is a foundational step above single-factor authentication.
# WHAT TEAMS RUN INTO
- SMS-based 2FA is vulnerable to SIM swaps and interception. Phone numbers are portable and attackers can convince carriers to move them to SIM cards under attacker control.
- 2FA enforcement is patchy across applications. Users authenticate to SSO with 2FA, but downstream applications don't re-verify the second factor, treating the initial 2FA as valid forever.
- 2FA can be delayed. Some implementations allow users to access some features before 2FA completes, assuming they will authenticate later. Attackers use that window to do damage.
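As an added example that is not from the original page, the two enforcement gaps above (access granted before 2FA completes, and a completed 2FA treated as valid forever) modelled in Python: a session check that unlocks on the password alone, beside a hardened check that requires both factors and a recent second-factor timestamp. The session model, the function names and the 12-hour re-verification window are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumed policy: how long a completed second factor stays valid before step-up is required.
SECOND_FACTOR_MAX_AGE = 12 * 3600  # seconds

@dataclass
class Session:
    user: str
    password_verified: bool = False
    # Time of the last successful second-factor check; None while 2FA is still pending.
    second_factor_verified_at: Optional[float] = None

def verify_password(session: Session, supplied: str, expected: str) -> None:
    """First factor. Records success but deliberately grants nothing on its own."""
    if hmac.compare_digest(supplied.encode(), expected.encode()):  # stand-in for a hash check
        session.password_verified = True

def verify_second_factor(session: Session, code_ok: bool, now: float) -> None:
    """Second factor. Only counts once the first factor has already passed."""
    if session.password_verified and code_ok:
        session.second_factor_verified_at = now

def weak_can_access(session: Session) -> bool:
    """Anti-pattern from the text: features unlock as soon as the password is accepted,
    on the assumption that the user will finish 2FA later."""
    return session.password_verified

def can_access(session: Session, now: float) -> bool:
    """Hardened check: both factors complete, and the second factor recent enough that a
    downstream application does not treat an old 2FA as valid forever."""
    if not session.password_verified or session.second_factor_verified_at is None:
        return False
    return now - session.second_factor_verified_at <= SECOND_FACTOR_MAX_AGE

def demo() -> dict:
    """Walk one session through the states and return each decision."""
    s = Session("alice")
    verify_password(s, "correct horse", "correct horse")
    pending = (weak_can_access(s), can_access(s, now=1000.0))  # (True, False): 2FA not done
    verify_second_factor(s, code_ok=True, now=1000.0)
    fresh = can_access(s, now=1000.0 + 3600)  # True: both factors, within the window
    stale = can_access(s, now=1000.0 + SECOND_FACTOR_MAX_AGE + 1)  # False: step-up required
    return {"pending": pending, "fresh": fresh, "stale": stale}
```

In a real SSO deployment the timestamp would come from the identity provider's assertion (for example an authentication-time claim) rather than a local field, but the decision logic is the same.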
# WHY IT MATTERS
2FA is the minimum acceptable authentication standard. Single-factor authentication is broken — passwords are guessed, phished, and reused. Adding a second factor stops the majority of account takeovers because it forces attackers to compromise two different attack surfaces instead of one. But the strength of 2FA depends on the strength of both factors and on consistent enforcement everywhere access is granted.