An authentication method that verifies identity by combining two factors of different types, for example a password (something you know) plus a one-time code sent to your phone or a biometric check (something you have or are). It is a critical defense against unauthorized access in cashless payments and online banking, because a leaked or guessed password alone is no longer enough to log in.
The Three Authentication Factors and Their Combinations
Authentication factors are classified into three types: "knowledge factors (something you know)," "possession factors (something you have)," and "biometric factors (something you are)." Knowledge factors include passwords and PINs, possession factors include smartphones and hardware tokens, and biometric factors include fingerprints and facial recognition. Two-factor authentication combines two factors from different categories, so that an attacker who has obtained one of them, say a password from a data breach, still cannot log in without the other. Two factors of the same category, such as a password plus a PIN, do not count: both can be stolen the same way.
The most common combination is "password (knowledge) + SMS code (possession)," but SMS is vulnerable to SIM swap attacks, in which the attacker takes over the victim's phone number and receives the codes, so safer alternatives such as "password + authenticator app (Google Authenticator, Microsoft Authenticator)" or "password + biometric authentication" are recommended. Passkeys based on the FIDO2/WebAuthn standard are gaining adoption as a next-generation method that needs no password at all: the private key stored on the device is the possession factor, and it is unlocked by local user verification, typically a biometric or the device PIN, so the service itself never stores a password that could be leaked.
Practical Use of Two-Factor Authentication in Cashless Payments
In cashless payment services, two-factor authentication is typically required in two scenarios: at login and for high-value transactions. QR code payment apps like PayPay and Rakuten Pay require SMS authentication at initial login and re-authentication when the app is moved to a new device. For online credit card transactions, the issuer's 3-D Secure challenge (Visa Secure, Mastercard Identity Check) plays this role: for transactions the issuer judges risky, the cardholder must enter a one-time code or approve the payment in the issuer's app before the charge goes through.
A practical caveat is that two-factor authentication does not help if the code is entered on a phishing site. In real-time phishing (also called adversary-in-the-middle phishing), the attacker's site acts as a proxy between the user and the legitimate site: the password and one-time code the victim types are forwarded to the real site within the code's validity window, the real site accepts them, and the attacker keeps the resulting logged-in session. SMS codes and authenticator-app codes are equally affected, because the legitimate server has no way to tell who typed the code. Effective countermeasures are making it a habit to check the URL before entering a code and, where available, using phishing-resistant passkeys or FIDO2 security keys: the browser includes the site's origin in the signed response, so a response produced on a look-alike domain is rejected by the genuine site even if the attacker relays it instantly.
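The following is an added example, not code from the original article or from any of the services named in it. It models the two verifiers discussed above: an RFC 6238 TOTP check of the kind an authenticator app relies on (using the RFC's own test secret), and a simplified WebAuthn-style assertion check in which the browser writes the origin into the signed client data. The domains `bank.example` and `bank-login.example` are constructed, the device key is a made-up byte string, and HMAC-SHA256 stands in for the per-credential public-key signature a real passkey would produce; only the origin binding is being illustrated. Run it to see the relayed TOTP code accepted and the relayed passkey response rejected.

```python
import base64
import hashlib
import hmac
import json
import struct

TIME_STEP = 30  # RFC 6238 default step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus +-window steps of clock drift.
    Nothing here ties the code to the page the user typed it into."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * TIME_STEP), code)
               for d in range(-window, window + 1))


def relayed_totp_login(secret: bytes, unix_time: int) -> bool:
    """Real-time phishing against TOTP: the victim types their correct code into the
    phishing page and the proxy forwards it to the real server within the same step.
    The server accepts it because it cannot tell the two requests apart."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    return verify_totp(secret, code_typed_on_phishing_page, unix_time)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_assertion(device_key: bytes, rp_id: str, challenge: bytes, browser_origin: str) -> dict:
    """Browser + authenticator side. The browser, not the user, fills in `origin` from the
    address bar, and the signature covers a hash of clientDataJSON, so a proxy cannot
    rewrite the origin afterwards. (A real browser would not even offer the credential
    unless rp_id matched the origin's domain.) HMAC is a stand-in for the real signature."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": browser_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":"), sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash; flags and counter omitted
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(device_key, signed, hashlib.sha256).digest()
    return {"client_data_json": client_data_json, "auth_data": auth_data, "sig": sig}


def verify_assertion(device_key: bytes, rp_id: str, expected_origin: str,
                     challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: type, challenge (replay), origin (phishing), rpIdHash, signature."""
    client_data = json.loads(assertion["client_data_json"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(challenge):
        return False
    if client_data.get("origin") != expected_origin:  # the phishing-resistance check
        return False
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data_json"]).digest()
    expected_sig = hmac.new(device_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def relayed_passkey_login(device_key: bytes, challenge: bytes, tamper: bool = False) -> bool:
    """The same proxy attack against a passkey. The proxy relays the real server's
    challenge to the victim at the constructed phishing origin; the assertion comes back
    bound to that origin. With tamper=True the proxy also rewrites the origin field."""
    rp_id, legit, phish = "bank.example", "https://bank.example", "https://bank-login.example"
    assertion = make_assertion(device_key, rp_id, challenge, phish)
    if tamper:  # origin now matches, but the signature no longer covers this JSON
        cd = json.loads(assertion["client_data_json"])
        cd["origin"] = legit
        assertion["client_data_json"] = json.dumps(cd, separators=(",", ":"), sort_keys=True).encode()
    return verify_assertion(device_key, rp_id, legit, challenge, assertion)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("TOTP at t=59:", totp(secret, 59))
    print("relayed TOTP accepted by real server:", relayed_totp_login(secret, 1700000000))
    key, chal = b"constructed-device-key", b"\x01" * 32
    print("relayed passkey assertion accepted:", relayed_passkey_login(key, chal))
    print("...after proxy rewrites origin:", relayed_passkey_login(key, chal, tamper=True))
    genuine = make_assertion(key, "bank.example", chal, "https://bank.example")
    print("genuine assertion accepted:", verify_assertion(key, "bank.example", "https://bank.example", chal, genuine))
```

The TOTP verifier is correct and still loses to the proxy, which is the point of the caveat: the defense has to live in the protocol, not in the user's diligence. The `window` parameter also shows the trade-off a server operator makes: a wider drift window tolerates more clock skew but gives a relayed or guessed code more time to be valid.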