Two-factor authentication means using any independent two of these authentication methods (e.g. password + value from physical token) to increase the assurance that the bearer has been authorized to access secure systems. The owner of secure data or the operator of such secure systems is implementing two-factor authentication for laptops first because of the inherent security risks in mobile computers, to make it more difficult for unauthorized persons to use a “found” laptop to access secure data or systems. With mobile phones or smart phones, the quality of the problem does not change: A lost or left phone shall not be activated to enable the finder for unauthorized access to secure data or system. Multi-factor authentication hence means two or more of the authentication factor required for being authenticated.

Two-factor authentication means that instead of using only one type of authentication factor, such as only things a user knows (login IDs, passwords, secret images, shared secrets, solicited personal information, etc), a second factor, something the user has or something the user is, must be supplied in order to authenticate.

Two-factor authentication is not a new concept. Two-factor authentication is used every time a bank customer visits the local ATM. One authentication factor is the physical ATM card the customer slides into the machine. The second factor is the PIN they enter. Without either of these, authentication cannot take place. This scenario illustrates the basic parts of most multi-factor authentication systems; the "something you have" + "something you know" concept.

An authentication factor is a piece of information and synonymic for the process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) or (2FA) is a system wherein two different factors are used in conjunction to authentication. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Two-factor authentication typically is a signing-on process where a person proves his or her identity with two of the three methods: "something you know" (e.g., password or PIN), "something you have" (e.g., smartcard or token), or "something you are" (e.g., fingerprint or iris scan).

Using more than one factor is sometimes called "strong authentication", however, "strong authentication" and "multi-factor authentication" are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor. The FFIEC issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."

Details for authentication in USA are defined with the Homeland Security Presidential Directive 12 (HSPD-12).

Existing authentication methodologies involve the explained three types of basic “factors”. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods.

According to proponents, T-FA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief permanent access to their information. However, many T-FA approaches remain vulnerable to trojan controlled websites and man in the middle attacks.

One form of 'something you have' is the smart card and USB tokens. Differences between the smart card and USB token are diminishing; both technologies include a microcontroller, an OS, a security application, and a secured storage area.

A new quality of tokens has been developed to ease the authentication process without keying character sequences and with automatic pairing of authentication factors. Presumed the bearer of the authentication factors prepares himself in good separation from other similar entities, the achieved pairing status may be maintained for all the daytime and especially during worktime without repetition of the pairing process. Then the problem of lost laptop or left phone may be prevented by automatic alarm in case of unwanted excess of arms length. However the wireless communication of the authentication factors involved defines other threat to be considered according to Common Criteria.