
2FA: Factor Security Into Your Login Page

November 05 2017

Two-factor authentication (2FA), more correctly described as multi-factor authentication (MFA), is a technique to increase login security on websites. The word “factor” refers to the secondary code-generating device that one uses with this setup.

The primary benefit is that it mitigates or prevents account compromise even if an attacker cracks or otherwise obtains a user’s password.

Flavors of 2FA

There are two dominant flavors of two-factor authentication in wide use:

  • SMS-based one-time codes: Most sites that support 2FA initially send a code to your mobile phone. (By the way, this is not considered secure. At most, it’s OK to verify a phone number for establishing 2FA, but further code generation should be done with a dedicated app or device.)

  • Device-generated codes: I’m grouping hardware-generated codes (key generators, such as those provided by banks) and smartphone apps that serve much the same purpose. These use a shared secret as the basis for generating 2FA codes. The most well-known application for this is Google Authenticator, though others also exist.

A third approach in some countries is the use of digital certificates. This effectively works the same way, though it is somewhat difficult for most users to get set up.

Can 2FA Be Bypassed or Cracked?

Attacks to compromise two-factor authentication do exist. For example, if a person can convince a telecommunications operator to issue a new SIM card at their address or activate one that they already have, they can take control of the number to which 2FA codes are sent. If they have also compromised the user’s password (or convinced the company to reset the password), then they can log into services and perform malicious actions.

This risk doesn’t exist with app-based code generation.

There is obviously always the risk of a device being stolen. Device encryption and requiring authentication to unlock a device help mitigate even this, or they at least allow time to change the 2FA secrets associated with the connected accounts.

That said, account login that requires two factors is always more secure, since an attacker needs two pieces of information rather than one.

What If A User Loses Their Device?

Websites typically offer one-time backup codes for two-factor authentication. A user can store these separately and use one to turn 2FA off after losing the authenticating device. These codes obviously have to be stored securely.

How Do I Use 2FA On My Site?


For Drupal, use the TFA module. It comes with documentation on how to set it up. You can see it in action by going to My Account -> Security on; there, you can set up 2FA for your account!


More code is involved with Node.js, but this blog post gives an idea of what is involved.


You can set up simple two-factor authentication in Meteor with the dburies:two-factor package.

Other languages

Most other languages have a library to help you set up two-factor authentication. The underlying algorithm that code generators support is called TOTP (Time-Based One-Time Password), so you can also look for libraries implementing that.


Two-factor authentication is a great way to increase security for your users and, in general, decrease your liability. It is typically straightforward to implement, especially in Drupal. As long as you avoid sending 2FA codes over SMS and ensure that your support team follows secure processes that resist social engineering, you will be increasing the security of your users.

