How does two-factor authentication (2FA) work? Why does it not work for all online purchase transactions?

10 Answers

Anonymous 0 Comments

The general concept of two-factor authentication is that by using a piece of information besides a password or card number, it would be hard to misuse the associated account even if the password/card is stolen.

Anonymous 0 Comments

Two-factor authentication means that, in order to access a website, you need your password and a key texted to your phone (or a device that generates a one-time password). The idea is, someone can steal your password pretty easily, but it’s harder for them to steal your password and your phone, so if you can prove a user has both of those things, it’s likely that they’re legitimate.

Not every website has a system set up to do this, so that’s why it doesn’t work everywhere.

Anonymous 0 Comments

The basics of 2FA are that it wants something you have and something you know. So, something you have can be a device which can receive a code. Something you know can be a password. It’s an extra layer of security to ensure that someone accessing an account is who they say they are.

Anonymous 0 Comments

A “factor” is a different channel for authentication. The more factors you have, the harder it is to be compromised, because all of your factors must be compromised.

The three main factors are “what you know,” “what you have,” and “what you are” (biometrics, like a fingerprint).

A password is “what you know.” It’s something you know.

Biometrics are problematic for most 2FA applications because they’d need to have your biometrics ahead of time, and it works best when the device scanning the biometrics can be monitored to ensure there’s no tampering or falsification going on, because once your biometrics are compromised… that’s it. You can’t change your fingerprint. So you have to ensure the scanner is not compromised.

So that mostly leaves “what you have” as a 2nd factor to use. These days it’s mostly either an app on your phone that you configure with a one-time token or they send you a temporary code via text or e-mail. Depending on the service doing the 2FA you can also get a physical token with a constantly changing code or a physical card that must be inserted into the computer’s reader.

No token, no access. No password, no access. Both the password *and* the token must be compromised to gain access.

It doesn’t work for all online purchases because you have to set up 2FA ahead of time. It doesn’t really offer any protection to set up 2FA moments before you use it, because if your password is compromised then whoever compromised your password could just set up 2FA right then, and how does that offer any protection?

Also it costs money to set up and maintain 2FA and the storefront might not find it worth the cost to offer it.

Anonymous 0 Comments

The first factor of authentication will be something you know, such as a password or PIN or similar. The site can validate the hash (an encoded form of a password) against the hash in their database.

The second factor is a special key that is given to you. This can be sent by SMS, or shared with you when you set up 2FA and uses algorithms to change with time.

Other factors can also be used such as location, face recognition, fingerprint, a phone call with personal info quiz, etc.

Anonymous 0 Comments

The idea is that you can keep something secure better if you have “something you know” (i.e. a password) and “something you have” (i.e. a phone with a linked code). That way, if someone somehow gets access to 1 thing (likely your password), they won’t be able to get into your account because they lack the other thing. Credit cards with chips and PIN codes are similar.

However, it is “annoying” to do that, so like any security measure it’s a balance of how much stuff they want to make you do to confirm it is really you accessing or not. They could have 3 or 4 or whatever step authentication if they really wanted.

Anonymous 0 Comments

All excellent answers here, but let’s generalize: all authentication systems have problems with them. Two-factor authentication simply requires that you use 2 different forms of authentication to prove you are you, which means the problems with any 1 authentication system are reduced.

Let’s analyze the most common systems: 1) Password 2) Text To Phone

You know your password, company knows your password, you type it, they confirm your password is right. Great. But what happens if a thief is spying on your web browser? You type your password and whoever is spying can just steal your password and keep using it. Or, a thief can guess your password and then keep using it. Or a thief can break into their server and steal the passwords from there (most passwords are no longer actually stored on their servers: They only store a value derived from your password. But let’s ignore that for now.)

The other system is you know your phone number, company knows your phone number, they send you a secret one time number to your phone. You tell them the number back. That proves you have a phone with that phone number. Great. But what if a thief steals your phone or your phone number? Now, they can just ask for the one time number and always get it.

But put these two systems together and require both: a password + text to phone. Now, if a bad guy is listening, he will hear you send your password and the one-time number. He knows your password, but he doesn’t know the *next* one-time number, which will be different. The thief can’t log in as you from their computer. Similarly, if a different bad guy steals your phone, he can request the one-time number and get it, but he doesn’t know your password.

To log in as you, they have to steal your password **and** your phone, which is much harder to do.

Why don’t all companies do this? It’s more expensive and it takes people more time to authenticate themselves. This means a store may lose a sale when customers get upset and annoyed it takes longer to authenticate themselves. The extra security is not worth it.
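The two-factor login that the last two answers describe (a stored password hash as the first factor, a code that "uses algorithms to change with time" as the second, and a captured one-time code being useless for the *next* login), written out as an added Python example. This is not code from the thread or from any product it mentions; the `hotp`, `totp` and `Account` names are hypothetical, the secret is the RFC 4226/6238 test secret, and the clock is fixed so the run is reproducible.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Hypothetical helpers written for this illustration. They follow RFC 4226
# (HOTP) and RFC 6238 (TOTP); none of this is code from the thread above.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current 30-second window,
    which is why the code "changes with time" without any message being sent."""
    return hotp(secret, int(at) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """The server stores a salted PBKDF2-SHA256 value, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Server-side record: salted password hash, the shared TOTP secret, and the
    last time window whose code was accepted (so a captured code can't be replayed)."""

    STEP = 30

    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_used_window = -1

    def login(self, password: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        window = int(now) // self.STEP

        # Factor 1: something you know. Constant-time comparison of the hashes.
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

        # Factor 2: something you have. Accept the current window and the one
        # before it (clock drift), but never a window that was already consumed.
        code_ok = False
        matched = None
        for w in (window, window - 1):
            if w > self.last_used_window and hmac.compare_digest(
                hotp(self.totp_secret, w), code
            ):
                code_ok = True
                matched = w
                break

        # Both factors are always evaluated, so a failure does not reveal which
        # one was wrong. Only a fully successful login consumes the window.
        if pw_ok and code_ok:
            self.last_used_window = matched
            return True
        return False


def demo() -> dict:
    """Walk through the thread's scenarios against a constructed account."""
    secret = b"12345678901234567890"   # RFC 6238 test secret (constructed input)
    pw = "correct horse battery staple"
    acct = Account(pw, secret)
    t = 1_111_111_109                   # fixed clock so the run is reproducible
    code = totp(secret, t)              # "081804" for this secret and time
    return {
        "stolen_code_only": acct.login("wrong password", code, t),   # False
        "both_factors": acct.login(pw, code, t),                      # True
        "replayed_code": acct.login(pw, code, t),                     # False
        "next_window": acct.login(pw, totp(secret, t + 30), t + 30),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The `replayed_code` case is the thread's "doesn't know the *next* one-time number" point: an eavesdropper who captures both the password and a valid code still cannot log in again with that code, because the server remembers the window it already accepted. The `stolen_code_only` case is the stolen-phone scenario: a valid code without the password fails, and the failed attempt does not burn the window.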

Anonymous 0 Comments

It means that you need to be verified or validated by more ways (aka factors) than one. And not in a way that is based on your ability to complete an action (e.g., captcha. Those are akin to asking someone to solve a 2nd grade math problem to prove they’re a 2nd grader).

Let’s say you have a treehouse with a rope ladder and a door with a lock. You and I have:

– previously agreed upon a spoken password

– broken a medallion in two such that only those two pieces fit together, and one piece is carried by each

– buried a key to the door at a random spot that only we both know.

To enter the treehouse, first you need to tell the one in the treehouse the spoken password for the rope ladder to get thrown down. Then as you get to the top of the ladder where the locked door is, you need to either match your medallion piece with mine (through an access hole) and I open the door, or unlock the door with the key that you’ve dug up. The medallion or the key is the second factor here.

If there’s something unique about you that I can look at to confirm that it is you, then I wouldn’t need to repeatedly ask for the second factor. For example, you have a specific mole, or I put a unique temporary tattoo on you. I can just look at that and be satisfied that it is truly you who is using our spoken password.

A lot of secure websites are like that treehouse – you can only enter restricted sections with two factors. But once you’ve entered and I’ve marked you (like with a temp tattoo), if you leave and come back, I can be less paranoid about verifying you.

In all this, there is preliminary work to be done – you and I need to establish these factors to be used in the future. Another friend of yours may throw the rope ladder to their treehouse down if you just say the spoken password. This is similar to websites that just need a password for you to get in. Yet another friend of yours may have the rope ladder down at all times. This is similar to completely open websites that don’t need any password to get in and browse (e.g. Wikipedia).

Why does 2FA not work for all online purchase transactions? Either I’ve decided that I just need a spoken password for you to access my treehouse, or I’ve seen you in the treehouse in the recent past and you have the temp tattoo that I put on you.

Anonymous 0 Comments

Why not for all purchases: you don’t update something that works.

1) it costs money and companies like to not spend

2) that’s a critical kind of business (well, they still don’t care about fraud and can cover it with all the money they make)

3) the number of products/software that use those networks is really big and ALL of them would need to add it.

However, I’m still with you on that one. They could do a smooth transition like with the chip payment.

Not mandatory to use it, but usually using it increases the odds of a safe transaction.

Some are even using a CVV that changes from time to time! I want that!

Anonymous 0 Comments

Simplest way to think of it:

Think of how a safe has a key. You need the key to get in the safe.

A thief could steal the key. Then THEY could get in the safe.

It would be a lot harder for a thief to get in the safe if there were 2 separate keys, stored in 2 separate places. It wouldn’t be impossible. It would just be harder.

Like stealing a key from your pocket, then going all the way to your house and stealing the other key from your nightstand because I need both keys, is harder than just stealing one, right?

2FA is like that. Except instead of 2 keys in 2 places, it’s 2 keys in 2 contexts.

So like, a password and a key card. I’d have to guess your password AND get possession of the physical card.

Or a password and phone text app. I’d have to guess the password AND get physical possession of your phone.

Some versions of 2FA are stronger than others, because some types of 2FA allow people to pair up. Basically keeping the keys together. That defeats the purpose.

Like, a phone text proves that you have the phone, but if the password is also stored on the phone, then you still only have to steal one thing.

(Or like an ATM card is two things. Something you have, the card, and something you know, the PIN. BUT if you are dumb and write the PIN ON the card, you’ve turned 2FA back into 1FA.)