Last updated on September 1, 2025
Nowadays users need a secure way to confirm their identity while logging in to access their data, and the problem of authentication ensures an important issue of protection against unauthorized access. The process of authentication determines whether the identity of the user is true, that is whether they are who they claim to be. However, passwords, despite their wide spread, are relatively easy to crack or guess, making them a faulty way to authenticate. Numerous statements and experiences with stealing or guessing passwords indicate that using just your login and password is not secure enough. Passwords are an example of Knowledge Factor, which verifies users based on what they know.
Problem
However, as mentioned before, passwords are easy to compromise, and therefore prove less than unbreakable. A way of solving the low security level of passwords is to introduce more factors to the authentication process. Multi-Factor Authentication (MFA) is exactly that – authenticating a user by using two or more factors to verify their identity. Consequently, Two-Factor Authentication (2FA) means that two factors were used.
Challenge
More secure authentication factors rely on what users have or who they are. Possession Factor is based on what you have – your phone or a token. For example, install a 2FA app on your phone and use the app to authenticate yourself. Rublon Authenticator offers a wide spectrum of authentication methods. Alternatively, you can use hardware tokens, which generate a sequence of numbers that changes either after every short period of time or after a passcode was used. Such tokens most often use the Time-based One-time Password (TOTP) Algorithm, but since tokens are hardware devices, they cost money. Rublon Authenticator offers full support for Mobile Passcode, so you do not have to buy a physical token. Password theft is quite common. Although theft is still possible in case of Possession Factor, it is much easier to prove such theft and the thief must have direct contact with the user to steal their device.
Solution
Inherence Factor relies on who you are. Inherence Factor verifies a user based on one of a set of attributes unique to every individual. Solutions around the world use various attributes, including face and voice recognition, but perhaps the most common is fingerprint recognition. Rublon Authenticator allows you to secure access to the app with a biometric lock that uses Touch ID on iOS and fingerprint sensors on Android devices. Moreover, Rublon fully supports WebAuthn Security Keys, for example, YubiKey by Yubico. Such keys use biometric technology while being physical devices, which means security keys are an amalgamation of the Inherence Factor and Possession Factor.
Rublon
Rublon supports all Factors of Authentication to deliver a modern solution to the authentication problem. Rublon Two-Factor Authentication consists of two steps. In the first step, a user is asked to enter their username and password. In the second step, Rublon uses a strong second authentication factor to verify the user’s identity, for example by sending a push notification to the user’s phone. Furthermore, Rublon facilitates the second factor authentication by making it user-friendly. A slick user interface and fast push notifications make authenticating a breeze. All you need to do is tap Approve and you’re in!
Humans are fallible – what you can do
Humans are the weakest link in cybersecurity, so 2FA has to protect them against making mistakes that could cost them their data and money. Even though the best 2FA solutions in the world, including Rublon, significantly minimize security risks, every security system is still prone to human error. That is why it is of utmost importance to inform your users about possible security threats and ways of fighting them. Just as much as we are committed to delivering cutting-edge security solutions to directly protect your users, we at Rublon are also determined to educate.
“When you educate one person you can change a life, when you educate many you can change the world”
Shai Reshef
Frequently Asked Questions
We have prepared answers to some of the most common questions asked about Multi-Factor Authentication in hope of improving the understanding of this field of cybersecurity. After all, your security is our concern.
What’s the difference between authentication and authorization?
Authentication looks for answers to the question of who the user is and whether they are who they claim to be. Authorization, on the other hand, is a process which determines what level of access should be granted to the user, that is what the user can and cannot do.
What are the Factors of Authentication?
The three basic Factors of Authentication are:
- Knowledge Factor – what the user knows, e.g. a password
- Possession Factor – what the user has, e.g. a phone, a security token
- Inherence Factor – who the user is, biometrics, e.g. a fingerprint
While Knowledge Factor is used in pretty much every login form in the world, the use of one of the two other factors requires the introduction of a 2FA system like Rublon. The first factor involves the user entering their username and password. The second stronger factor verifies the user’s identity, for example by sending a push notification to the user’s phone.
What are the risks that 2FA mitigates?
2FA mitigates risks associated with low password security, phishing attacks and keylogging.
Stolen or Broken Passwords
Let’s say your user wrote down their password on a piece of paper. Somebody read it and got to know their password. If your user has 2FA enabled on their account, then even if that somebody tries to log in using the user’s password, they cannot get access to their account. Another way of compromising your user’s password involves a wide range of different types of attacks. From simple brute-force attacks, which involve the attacker randomly trying every possible password combination until they get a match, to more advanced methods like using rainbow tables. Even if the attacker breaks the password, they will be stopped by the second factor. No matter which type of attack attackers use, 2FA ensures a valid wall of defense against compromised passwords.
Phishing Attacks
Phishing is a name for a set of fraudulent ways of trying to deceive the user into providing their sensitive information, for example their password. The most common way of phishing is sending an email with a link to a fake website designed to look exactly like a legitimate site. Entered information is saved and used by a hacker to log in to the true account of the user. Naturally, sending a link to a bogus copy of a site is not the only way attackers operate. They might also disguise themselves as members of a legitimate institution and try to scam the user over the telephone or text chat. Many ways of phishing exist, and cybercriminals are very creative in developing new forms of such fraudulent activity. Thankfully, 2FA adds a second factor that makes phishing attacks much less likely to succeed. Attackers will be either blocked off from accessing user’s information, or the user, given more time, will see through attackers’ suspicious behavior.
Keystroke Logging
Even if the user hasn’t been contacted by an attacker or sent a link to a fake website, they could still have had their device infected with a keystroke logging malware. Often unbeknownst to the user, such keylogger malware can be a serious threat if the user hasn’t enabled 2FA on their account. Keyloggers save every key pressed by the user during the authentication process and send the information to the hacker who can then use the password to log in to the user’s account. 2FA shields users from keylogging by introducing a second factor. Even if the hacker compromises the user’s password, the second factor will effectively stop them from accessing the user’s account.
What are the benefits of using 2FA?
Using 2FA comes with a set of benefits. First of all, 2FA significantly reduces the risk of losing valuable data and money by securing your accounts with an additional layer of authentication. As demonstrated in this article, passwords are easy to compromise, which makes it quite easy for attackers to pretend to be you. Introducing a second factor makes your account less liable to be accessed by an unauthorized party. If your second factor involves using a physical device, then even if the attacker gets full access to your computer, they still can’t log in to your account. They would need your phone for that. If keeping your users and information safe is of utmost importance to you, this should be enough of a reason to introduce 2FA into your workforce. But there is more. Deploying 2FA and documenting that fact sends a strong signal to your customers that you care about the security of their data, which makes them more likely to continue working with you in the foreseeable future. Furthermore, using 2FA greatly enhances your compliance with all security regulations and standards, including PCI DSS, ISO/IEC 27001, NYDFS and NAIC. Given such a strong set of benefits, there really is no reason not to introduce 2FA into your workforce, integrate your applications and secure your users and customers.
Is it possible to use 2FA when offline?
Most authentication methods require Internet access. However, users do not always have access to the Internet. They might be abroad, or on a plane. The TOTP Time-Based One-Time Password Algorithm (RFC 6238) designed by Symantec, VeriSign and others is the solution. Rublon fully supports TOTP in the form of a Mobile Passcode generated every 30 seconds by Rublon Authenticator. Even if the user is offline! The user logs in as usual by providing their login and password, and then selects Mobile Passcode as the method of authentication. Afterwards, they have to enter the passcode that Rublon Authenticator generated on their phone. An alternative but payable way of utilizing TOTP is buying a special token, which generates the passcode. SMS Passcode is another 2FA method that doesn’t require Internet access.
What is MFA/2FA?
Multi-Factor Authentication (MFA) is an authentication method that, in addition to the standard login and password first factor, adds an additional layer of security in the form of more factors of authentication. Two-Factor Authentication (2FA) is a subset of Multi-Factor Authentication that uses two factors.
What are the Methods of Authentication?
A Method of Authentication is any method that can be used to authenticate a user, that is validate their identity. Apart from the use of passwords, which demonstrably prove to be an insufficient way of authentication in the contemporary world, the following methods of authentication can be used as the second factor in a 2FA system:
Mobile Push
Not only is mobile push authentication user-friendly, but also highly secure, proving to be one of the best second factor choices. After entering your username and password, you get a push notification on your phone. The notification contains details regarding the login attempt, e.g. the time and location it took place as well as the IP address. You can either accept the login request if you are sure it is you who tries to log in, or otherwise deny access. However, ease and comfort of use might also be Mobile Push’s disadvantage as the method is susceptible to user’s inattention. That’s why it’s crucial to inform your users they should always carefully read information regarding the authentication attempt before accepting. Another drawback of Mobile Push is that notifications are sent through wifi network, so Internet access is required at all times.
TOTP
2FA methods associated with The Time-Based One Time Password (TOTP) involve a physical device like a security token or an app on your phone. Every set amount of time, a new passcode is generated. When authenticating, you are asked to enter the passcode. Apart from simplicity of use, TOTP’s biggest advantage is that you can use this method offline. Physical tokens cost money, which is a commonly mentioned drawback of the method. However, with the free Rublon Authenticator app installed on your phone, you can authenticate yourself with a Mobile Passcode without having to buy any physical device.
SMS Passcode
SMS Passcode is a code texted to your mobile device. You have to provide the code sent to you in order to successfully finish the authentication process. SMS Passcode is widely used by banks to authenticate clients logging in to their accounts. Apart from being relatively simple and widespread, SMS Passcode comes with some drawbacks. First of all, you are required to disclose your telephone number, which is not always desired e.g. due to security policies. Second of all, you do after all need your phone always with you, which thankfully is not a big concern nowadays. However, if you happen to lose your phone, you might lose access to your account. To troubleshoot this, a good 2FA solution should allow the user to choose more than one authentication method. An important advantage of SMS Passcode is that you do not need Internet access on your mobile device.
Email Link
Email Link is a simple way to verify the identities of users that requires no software installation or additional hardware. Users click on a link sent by Rublon to a user’s email address and get signed in on the device that started the login process. It is important to make users aware of the fact that the password to their account should not be the same as the password to their email account.
QR Code
QR Code 2FA usually involves a QR code that appears on the authentication prompt during the authentication process. A user verifies their identity by scanning the QR code using a phone with the Rublon Authenticator app.
WebAuthn/U2F Security Key
Security keys are advanced USB devices that you plug in to the USB port of the device on which you are undergoing the process of authentication. Depending on your device, the process of authentication might slightly vary, but it most often involves tapping the key. More advanced security keys come with a biometric reader. Such keys combine Possession and Inherence Factors, becoming one of the most secure methods of authentication. Security keys come with the disadvantage of their physicality. A lost token makes you unable to authenticate. Moreover, such tokens cost money, as opposed to free methods like Mobile Push.
Which method of 2FA should I choose?
Every type of 2FA comes with its unique set of pros and cons. We recommend Mobile Push, because this type of authentication is fast, easy to use and free. However, the choice belongs to you. A good authentication solution allows you to select one or more types of 2FA that best suit your needs, and change them at will according to adaptive authentication policies. Rublon does just that. Your administrator will be able to activate one or more authentication methods, which will then become available on Rublon Prompt every time a user authenticates with Rublon. A user who tries to log in to an integrated application enters their credentials, which is the first factor of authentication. After that, the user is presented with Rublon Prompt and picks one of the available active types of authentication, which is the second factor. Rublon combines the Knowledge Factor with Possession or Inherence Factor to protect your users against the risks of using just the password.
