What is two-factor authentication (or 2FA)? It's an effective, straightforward, and increasingly used online security method that provides your accounts with a crucial second layer of login protection, so that hackers can’t break in to steal your personal data.
In this article, we explain everything you need to know about 2FA—including how it works, why you should use it, how to set it up, the different types that are currently available, and which popular platforms/services offer it.
What is 2FA and how does it work?
You’re probably familiar with single-factor authentication (SFA) from logging in to your online accounts (such as email, shopping, and social media). This is the most basic and widely used form of authentication, as it only requires a username/email address and password.
As passwords can be stolen by hackers, and too often are, a 2FA setup requires you to provide one other piece of unique login information that verifies you’re the genuine account user.
This second factor is likely to be based on either something physically unique to you (like a fingerprint), or something you own (like a smartphone or a security key). With a second factor in place (such as a unique code sent to your phone via SMS), 2FA establishes an extra level of protection that prevents criminals from accessing your account, even if they know your primary password.
2FA differs slightly from multi-factor authentication (MFA), even though the terms are sometimes used interchangeably. With MFA, two or more factors are required in total, so it can go beyond the exactly two factors that 2FA uses. However, in most cases, you’re likely to only encounter 2FA security setups.
Is 2FA any good?
As previously mentioned, passwords offer baseline protection, but they can be breached. This can be for several reasons—such as weak passwords that are easy to work out, or spyware that successfully logs keystrokes as a password is typed in.
To guard against these and other types of password violation, 2FA is well worth considering, even if you carefully create your passwords or use a good-quality password manager. This is because the second factor in 2FA works independently from the primary username/password factor, meaning it cannot be compromised simply because your password has been stolen.
Although 2FA isn’t completely immune from shortcomings and weaknesses (e.g., one-time PIN codes sent via SMS can be intercepted), it’s still one of the best ways to keep your online accounts safe.
What’s more, it’s likely that many of the major online services/platforms you have accounts with already offer 2FA as part of their security infrastructure, so you might as well use it. At the very least, you should use 2FA for any accounts that hold your most sensitive personal data—such as email accounts, where hackers could rifle through your inbox to steal all sorts of valuable details.
What types of 2FA are there?
There are a few prominent types of 2FA which are frequently provided by, or compatible with, many online services and their apps.
Text messaging (or SMS) is perhaps the most common type of 2FA offered by online services, and one you might already be familiar with. To set up this kind of 2FA, you need to provide your phone number. Then, when you type in your username and password to log in, the service automatically sends a one-time PIN or passcode to your phone via a text message. This code serves as the second authentication factor that, once keyed in, means you can access your account.
Overall, this is the least secure type of 2FA, because there’s always a possibility that text messages can be hijacked. However, it’s still much better than no 2FA at all.
Most services also provide a pool of recovery codes, which give you one-time codes to store somewhere (e.g., in a password manager) for use when logging in if you’ve lost your phone or haven’t received a verification text.
Authenticator apps like Google Authenticator and Microsoft Authenticator are an alternative to text messages. Once installed on your smartphone/tablet, these apps generate one-time passcodes for your online accounts on the device itself, which cuts out the inherent risks of the text messaging method. Authenticator apps are compatible with most of the big online services.
Biometric authentication is an innovative type of 2FA that creates a second factor by using your unique physical attributes—namely, your face or your fingerprint. By pairing your fingerprint (Touch ID) or face (facial recognition) with your account password, you can use this type of 2FA to log in to accounts and apps that support it.
There are also U2F tokens, which are commonly known as hardware tokens or security keys. These keys (such as the YubiKey by Yubico) are plain-looking physical objects as small as a memory stick, which slot into a USB port on your computer.
All you need to do is quickly register your key with a compatible online account, then plug it into your computer every time you want to gain access. There are no one-time codes involved, and the online service pairs your key with your username and password, meaning it’s a really simple and secure way of establishing a second factor.
Due to the key’s nondescript appearance, there’s no need to worry if you lose it—a criminal wouldn’t be able to tell it belonged to you or be able to link it back to any of your accounts.
Which services and apps offer 2FA?
Some services, like online banking apps, might integrate a 2FA (or even MFA) structure into their online login process, where you need to follow up your main password/username with an additional unique PIN and/or fingerprint as standard practice.
However, most popular services and their apps offer optional 2FA, which you can easily enable. Examples of these include Google, Apple, Microsoft, Facebook, Instagram, Amazon, Slack, PayPal, and Dropbox.
The number of 2FA options available with each service will differ to some extent, though nearly all offer one-time codes via text message, plus recovery codes. Most services will also work with security keys and authenticator apps. Biometric authentication is more likely to be an option when logging in to an app, rather than a website.
How do I set up 2FA?
Setting up 2FA on your accounts will vary from service to service, though you’ll follow similar basic steps each time. On most accounts, you navigate to settings, click on a login and/or security option, then select two-factor authentication and view the available options.
For example, if you want to set up 2FA for Instagram, you simply go to Settings, then Security, and then Two-Factor Authentication, before selecting whichever type of 2FA you want to enable and following the simple instructions.
In an online world filled with ways for hackers to steal your personal data, 2FA is an effective way to keep your online accounts safe and sound—particularly as single-factor authentication usernames/passwords can all too easily be compromised.
There are many types of 2FA to choose from, including one-time codes sent via SMS, authenticator apps, biometric authentication, and security keys. The SMS method is the most widely used, yet the least secure, though still better than not having any 2FA at all. Overall, authenticator apps and security keys are much less likely to be breached by a hacker.
As major online services offer a good array of 2FA options (and setting it up isn’t tricky at all), it makes sense to enable 2FA across your accounts and give yourself that vital extra layer of protection.