Mash

Reputation: 159

How does two-factor authentication help in Identity?

I can't find any help on this topic because I am being told how to implement it rather than how it actually works.

All I know is two-factor authentication is authenticating users through an email and a phone number.

Here is my set of questions:

  1. Does it authenticate users by verifying their email and phone number at the time of registration?
  2. Does it authenticate users by verifying their email and phone number on every login?
  3. Why is it that every user can set two-factor authentication enabled or disabled for their account? Isn't this an admin thing which should not be decided by the user?

Upvotes: 0

Views: 181

Answers (1)

scgough

Reputation: 5252

I'll see if I can help clarify for you.

  1. It works as an extra level of security. Traditionally you would have a username/email and password to get into a site. If the password is compromised then so is the account. Adding a phone number to your account will mean that only someone with access to that phone can get past the extra level of security and access your data. When the user logs in, another 'step' is added before they get through. A token (usually a number with a short expiry, i.e. seconds) is tied to the user logging in and sent to their phone. They fill in the form and submit. The device the user is logging in with (laptop/phone/desktop browser) can then be tied to their account (see point 2 below).

  2. This can be the case but if you take Google as an example you can select to 'Trust' the device logging in for 30 days. This ties the device to a trusted list (perhaps stored in a database for instance) for a set amount of time before asking at the point of login again.

  3. Common practice is that it is the user's choice as to whether they have this extra level of security. They may not have access to a phone...what happens then? They may like the convenience of just using a username/email and strong password....it doesn't mean to say you can't force it by design in your system though.

Upvotes: 2
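The answer above describes two mechanisms: a short-lived one-time code tied to the user who is logging in (point 1), and a "trust this device for 30 days" list that lets a known device skip the second step (point 2). The following is an added example, not code from the question or the answer, showing how a web backend could implement both. It assumes an in-memory store standing in for the database the answer mentions, a 60-second code lifetime, a five-attempt limit per code, and that the caller sends the returned code to the user's phone; all of those values and function names are my own choices.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores; a real deployment would keep these in a database (assumption).
CODE_TTL_SECONDS = 60                 # the code expires quickly, as the answer describes
MAX_ATTEMPTS = 5                      # stop brute-forcing a six-digit code
TRUST_TTL_SECONDS = 30 * 24 * 3600    # "trust this device for 30 days"

_pending_codes = {}    # user_id -> {"digest": str, "expires": float, "attempts": int}
_trusted_devices = {}  # user_id -> {token_digest: expires}


def _digest(value: str) -> str:
    # Store only a hash so a database leak does not expose live codes or device tokens.
    return hashlib.sha256(value.encode()).hexdigest()


def issue_code(user_id: str, now: float = None) -> str:
    """Generate a six-digit one-time code bound to this user and return it for delivery to their phone."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, zero-padded to six digits
    _pending_codes[user_id] = {
        "digest": _digest(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user_id: str, submitted: str, now: float = None) -> bool:
    """Check the submitted code: it must be unexpired, within the attempt limit, and is single-use."""
    now = time.time() if now is None else now
    entry = _pending_codes.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending_codes[user_id]               # expired: force the user to request a new one
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending_codes[user_id]               # too many guesses: invalidate the code
        return False
    ok = hmac.compare_digest(entry["digest"], _digest(submitted))  # constant-time comparison
    if ok:
        del _pending_codes[user_id]               # a code can be used only once
    return ok


def remember_device(user_id: str, now: float = None) -> str:
    """Issue a random device token to set as a cookie; the device is trusted until the token expires."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _trusted_devices.setdefault(user_id, {})[_digest(token)] = now + TRUST_TTL_SECONDS
    return token


def is_trusted_device(user_id: str, token: str, now: float = None) -> bool:
    """True only if the token is on this user's trusted list and its 30-day window has not passed."""
    now = time.time() if now is None else now
    devices = _trusted_devices.get(user_id, {})
    key = _digest(token)
    expires = devices.get(key)
    if expires is None:
        return False
    if now > expires:
        del devices[key]                          # expired trust: the next login asks for the code again
        return False
    return True


def needs_second_factor(user_id: str, device_token, now: float = None) -> bool:
    """Called after the password check succeeds: skip the code only for a still-trusted device."""
    return not (device_token and is_trusted_device(user_id, device_token, now))


if __name__ == "__main__":
    # Constructed walk-through of one login from a new device.
    code = issue_code("alice")
    print("send to phone:", code)
    assert needs_second_factor("alice", None)
    assert verify_code("alice", code)
    cookie = remember_device("alice")             # user ticked "trust this device"
    assert not needs_second_factor("alice", cookie)
```

The `now` parameter exists so the expiry logic can be exercised without waiting; in production the defaults (`time.time()`) apply. The attempt counter matters because a six-digit code has only a million possibilities, so without a limit the short expiry alone is not enough protection.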
