What is 2FA (Two-Factor Authentication)?
2FA (Two-Factor Authentication) is a security mechanism that requires a user to complete two independent forms of authentication before being granted access to a system. It substantially increases security compared with using a password alone. See also MFA.
In OT environments, 2FA prevents an attacker from gaining access to systems such as SCADA, HMI or Remote Access using stolen passwords alone.
🧠 The three authentication factors
A secure 2FA solution combines two of these three factors:
| Category | Example |
|---|---|
| Something you know | Password, PIN |
| Something you have | Authenticator app, token, badge |
| Something you are | Fingerprint, facial recognition |
Most common: password + app (e.g. Microsoft Authenticator or Google Authenticator).
🔐 Why is 2FA important?
| Risk without 2FA | Consequence |
|---|---|
| Stolen or leaked password | Direct access to critical systems |
| Phishing of credentials | Bypassing of Single Sign-On or VPN |
| No logging of second factor | Undetected session hijacking or brute force |
2FA dramatically reduces these risks, particularly when combined with Access Control, Zero Trust and Security Awareness.
🏭 Application in OT environments
| Location | Use of 2FA |
|---|---|
| Remote maintenance | 2FA on VPN connections or Jump Server |
| Engineering Station | Sign-in with smartcard or app-based 2FA |
| Historian or SCADA | Web interface protected by an additional authentication factor |
| Cloud applications | 2FA required when signing in to dashboards or portals |
✅ Best practices
- Prefer app-based authentication (TOTP or push) to SMS, which is more vulnerable
- Enforce 2FA on all accounts with elevated privileges (admin, remote access)
- Integrate 2FA with Active Directory or an IAM solution
- Combine with RBAC and Least Privilege
- Monitor sign-in attempts and log 2FA verification failures in SIEM
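As an added example (not part of this glossary entry), the following Python implements RFC 6238 TOTP verification for an app-based second factor, with a small clock-drift window, rejection of a code whose time-step has already been consumed, and the per-user failure tracking that the "monitor sign-in attempts" practice above depends on. The secret is the RFC 6238 Appendix B test-vector key; the user names, threshold and time span are constructed values.

```python
import hashlib
import hmac
import struct
import time
from collections import defaultdict

# Constructed secret: the RFC 6238 Appendix B SHA-1 test-vector key (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"
STEP = 30      # time-step length in seconds
DIGITS = 6
WINDOW = 1     # accept one step before/after "now" to absorb phone/server clock drift


def totp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226) with HMAC-SHA1 over a time-step counter, i.e. TOTP (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Verifies codes, refuses replay of an already-used step, and records failures per user."""

    def __init__(self, secret):
        self.secret = secret
        self.last_used = defaultdict(lambda: -1)   # user -> highest counter already accepted
        self.failures = defaultdict(list)          # user -> timestamps of failed verifications

    def verify(self, user, code, now=None):
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for candidate in range(counter - WINDOW, counter + WINDOW + 1):
            if candidate <= self.last_used[user]:
                continue                            # replay: this step was already consumed
            if hmac.compare_digest(totp(self.secret, candidate), code):
                self.last_used[user] = candidate
                return True
        self.failures[user].append(now)             # what you would forward to the SIEM
        return False

    def brute_force_suspects(self, threshold=5, span=300):
        """Users with at least `threshold` failed 2FA checks inside `span` seconds."""
        suspects = []
        for user, stamps in self.failures.items():
            stamps = sorted(stamps)
            for i in range(len(stamps) - threshold + 1):
                if stamps[i + threshold - 1] - stamps[i] <= span:
                    suspects.append(user)
                    break
        return suspects
```

The replay check means a code captured in transit cannot be presented a second time even while its 30-second step is still valid, and `brute_force_suspects` is the kind of rule a SIEM would run over the forwarded failures.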
📌 In summary
2FA is a foundational layer of modern OT/IT security. It protects accounts even when passwords have been leaked or phished, and is essential for remote access to industrial networks.
