Two-Factor Authentication
Definition
A security control that requires a user to present two authentication factors from different categories before gaining access to an account or system, substantially reducing the risk of account takeover when one factor (usually the password) is compromised. The categories are something you know (password, PIN), something you have (phone, hardware security key, authenticator app) and something you are (fingerprint, facial recognition). Two credentials from the same category, such as a password plus a security question, are not two-factor authentication.

Common implementations include:

- One-time codes sent by SMS to a registered phone. These are the weakest option: they can be intercepted or redirected through SIM-swap fraud, and NIST SP 800-63B classifies one-time codes delivered over the telephone network as a restricted authenticator.
- Authenticator apps generating time-based one-time passwords (TOTP, RFC 6238) from a shared secret and the current time.
- Hardware security keys (FIDO2/WebAuthn), which are phishing-resistant because the signed response is bound to the site's origin.
- Biometric checks, which on most consumer devices are verified locally on the device and unlock a stored key rather than being transmitted to the service.
- Backup (recovery) codes: single-use codes issued at enrolment so the user can regain access if the second factor is lost. They are a recovery mechanism, not a routine second factor, and must be stored by the user as carefully as a password.

From a privacy perspective, two-factor authentication serves two purposes: it protects personal data from unauthorized access (satisfying security-of-processing obligations), and, where biometric factors are used and the biometric template is processed by the organization rather than held on the user's device, it may itself constitute processing of special-category data that requires its own compliance basis.

Organizations implementing 2FA should:

- offer more than one authentication method so users can choose a factor they can actually keep and use, while steering them towards phishing-resistant options;
- provide clear setup instructions and a secure recovery path, since a lost second factor is the most common support problem and a weak recovery path undoes the control;
- store authentication material securely (TOTP seeds encrypted at rest, recovery codes hashed like passwords, only public keys retained for hardware authenticators);
- disclose 2FA-related processing, including phone numbers and any biometric data, in the privacy policy; and
- assess GDPR Article 9 implications before adopting biometric factors.

While not universally required by law, 2FA is industry best practice for protecting sensitive accounts and is mandated by some sector rules and contractual standards.
Applicable Laws & Regulations
- GDPR Article 32 (security of processing)
- GDPR Article 9 (special categories of data; applies if biometric factors are used)
- NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (U.S. guidance)