Two Factor Authentication (2FA)

Learn about different types of two factor authentication and the pros and cons of each.


What is Two Factor Authentication?

Two Factor Authentication (2FA or TFA) is the technical term for the process of requiring a user to verify their identity in two unique ways before they are granted access to the system. Traditionally, users have relied on and are accustomed to authentication systems that require them to provide a unique identifier such as an email address, username or phone number and a correct password or pin to gain access to the system.

2FA extends this paradigm by adding an additional step to the authentication process, most commonly requiring the user to enter a one-time token that is dynamically generated and delivered through a method that only the user has access to. Another common method is to use the users biometric data such as fingerprints or retina as a second factor.

Increased Security & Peace of Mind

Two Factor Authentication is not new, in fact the technology was conceived way back in 1984. It is increasingly important in the modern world as more and more of our lives, both personal and business, move to digital mediums and the threats of hacking, theft and loss of access can have dire consequences.

For years, companies have tried to enhance the security of user authentication by requiring ever increasing requirements like length of password, special character requirements, requiring the user to change their password frequently, sophisticated hashing and salting algorithms that conceal the actual password and much more. At the end of the day, a password only system is still vulnerable as users tend to use the same password across multiple systems, phishing and social engineering techniques that get the user to unknowingly reveal their password are all too common and many other scenarios can lead to a password being compromised.

Two Factor Authentication gives the user and system administrator a peace of mind as it ensures that even if the users password is compromised the account cannot be accessed without also knowing not only the method used as the second factor but also having access to the second factor such as a dynamically generated one-time password (OTP) or biological token.

Something you Know, Have and Are

Two factor authentication is based on the user providing two of the following three “somethings”:

  • Something you Know – the password or pin for an account
  • Something you Have – a physical device such as a mobile phone or a software application that can generate one-time passwords
  • Something you Are – a biologically unique feature to you such as your fingerprints, voice or retinas

Learning the password or pin for an account is what most hackers go after. Accessing a physical token generator or getting biological features is harder and the reason why 2FA is effective in providing greater security for user accounts.

Types of Two Factor Authentication

There are numerous ways to implement 2FA. They all have their pros and cons, but all significantly increase the security of user accounts when implemented. The key takeaway from all of the methods discussed below is that once the user has verified their username and password, they are required to enter a second password that is dynamically generated and constantly changing before they can access the system.

Companies often implement additional rules for when and how 2FA is used. The user may not need to use 2FA if they are within the company intranet or on a device they previously used 2FA to login. In other cases, the user may need to use 2FA every single time they authenticate. Auth0 supports these and other custom implementation rules to meet business needs.

SMS Token

Perhaps the most common method of implementing 2FA. This method sends the user a unique token via SMS text message, normally a 5-10 digit code, after they have successfully entered their username and password. The user then needs to provide this unique token before they are granted access.


  • User friendly – most users are comfortable receiving text messages
  • Availability – majority of phones have SMS capabilities
  • Cost – inexpensive to setup and maintain


  • Connectivity – cell signal and reception required to receive token
  • Security – SMS messages can be intercepted by 3rd parties
  • Hardware – physical device required so if phone is lost or stolen the user cannot authenticate

Email Token

Another fairly common method of two factor authentication. This method is very similar to the SMS method above but common implementations include having the user enter a 5-10 alpha-numeric token or clicking a link provided in the email. Dynamically generated one-time passwords are also used here.


  • User friendly – users can receive emails to both computers and mobile devices
  • Cost – inexpensive to setup and maintain
  • Options – can give the user additional options to verify token such as clicking a link


  • Delivery – email can fail to be delivered in many ways including: email goes to spam, bounced by server, delivery queue backed up causing a delay in delivery, etc.
  • Security – emails can be intercepted by 3rd parties and tokens compromised
  • Redundancy – if 3rd party gains access to users credentials it’s possible they could access email as well and thus easily get the token

Hardware Token

This method is common in enterprise environments but can be used in any system. The way this method works is the user is given a physical device such a key fob, USB dongle or other device that dynamically generates a token for the user. These tokens are generally valid for only short periods of time, some as low as 30 seconds, and constantly change.


  • Standalone – doesn’t require reception, online connectivity or other factors to generate tokens
  • Reliable – hardware tokens are specifically built to only generate tokens
  • Secure – as these devices only perform one task, the possible vectors of exploitation are greatly reduced


  • Cost – expensive to setup and maintain
  • Hardware – devices can be easily misplaced, forgotten and lost
  • Too Many Devices – having a hardware device for multiple services may make the user not want to use 2FA

Software Token

Software tokens require the user to download and install an application that runs on their computer or mobile device that dynamically generates tokens for the user. With the rise of smartphones – this method is gaining popularity. Software tokens work similarly to hardware tokens in that they are randomly generated and last a brief period of time before changing but developers can choose a number of different implementations to meet the business needs.


  • User friendly – apps generally have simple interfaces that just display the token to the user
  • Updates – easy to update software and apply patches when needed
  • Extensibility – ability to add enhanced features such as requiring a pin to access the app or using a single app for multiple accounts


  • Cost – expensive to implement and maintain
  • Additional Software – requires user to download and install additional software to their devices
  • Security – application used to generate token can be compromised without user knowledge

Phone Call

This method of 2FA calls the user once they have authenticated their username and password and provides them with the token. This is perhaps the most inconvenient method for the end-user but is a viable and common method of delivering dynamic tokens to the user.


  • User friendly – as simple as receiving a phone call
  • Cost – inexpensive to setup and implement
  • Reliability – generally voice/SMS reception requires less bandwidth than data so may be a good alternative to software or email based verification where a data connection is required


  • Security – calls can be intercepted, forwarded or voicemails hacked
  • Connectivity – cell signal and reception is required
  • Hardware – requires physical device to receive token

Biometric Verification

This method of 2FA is unique and different from the others we mentioned so far. Biometric verification relies on the actual user being the token. A unique feature such as the users fingerprints or retina is used to verify that the user is who they say they are.


  • The user becomes the token – just be yourself!
  • Options – many different options for token including fingerprints, retina, voice and facial recognition
  • User friendly – minimal knowledge of how systems work required by end user


  • Privacy – storage of biometric data raises privacy concerns
  • Security – fingerprints and other biometric data can be compromised and cannot be changed
  • Additional hardware – requires special devices to verify biometric data – cameras, scanners, etc.

Implementing Two Factor Authentication with Auth0

Implementing 2FA with Auth0 is easy and simple. You can implement 2FA with our Guardian app or with third-party 2FA providers. Out-of-the-box we provide two popular 2FA providers, Google Authenticator and Duo, which can be setup with minimal effort in just a few minutes.

Additionally, you can implement custom providers and rules to enhance and fine-tune the workflow for 2FA to meet the needs of your business. Let’s see how this process works with Guardian.


Two Factor Authentication with Auth0 and Guardian

Implementing 2FA with Auth0 and Guardian can be done in as little as two steps.

  1. In the Auth0 management dashboard, navigate to the Multifactor Auth section.
  2. Enable how you would like your users to receive their 2FA codes. You can choose push notifications, SMS, or both.Enable Multifactor Authentication with Guardian
  3. (Optional) Configure which of your Auth0 Applications 2FA should be enabled for and make any additional configuration changes as needed.Guardian Rules Configuration

Save your changes and 2FA with Guardian will be enabled for your app! The next time a user attempts to login they will be prompted to setup 2FA before gaining access to your app.

Guardian App

Adaptive Context-aware Multifactor

Adaptative Context-aware Multifactor allows you to enforce 2FA or additional layers of authentication based on different conditions such as: geographic location, time of day/week, type of network, custom domains, certain IPs or any arbitrary condition that can be expressed in code on the Auth0 platform.

By default, 2FA is only requested when the overall assessed confidence is low. However, you can enforce it to be requested every time a user logs on or define your logic within actions to trigger 2FA.

You can define rules such as when accessing mission-critical applications from outside of your company’s intranet, when accessing from a different device or from a new location.

Sign up for free

Start building today and secure your apps with the Auth0 identity platform today.

3D login box