Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors:
- Something the user knows (e.g., password, PIN);
- Something the user has (e.g., ATM card, smart card); and
- Something the user is (e.g., biometric characteristic, such as a fingerprint).
When a bank customer visits a local automated teller machine (ATM), one authentication factor is the physical ATM card the customer slides into the machine ("something the user has"). The second factor is the PIN the customer enters through the keypad ("something the user knows"). Without the corroborating verification of both of these factors, authentication does not succeed. This scenario illustrates the basic concept of most two-factor authentication systems: the combination of a knowledge factor ("something the user knows") and a possession factor ("something the user has").
Two-factor authentication is often refered as multi-factor authentication.
Two-factor authentication is sometimes confused with "strong authentication", however, "strong authentication" and "multi-factor authentication" are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves "something the user has" or "something the user is", it would not be considered two-factor authentication.