What is Two-Factor Authentication?

Two-factor authentication is an extra layer of security for your accounts, so scammers can't access your accounts with just your username and password.

Jeremy Fuchs
Updated 27 August 2021
What is Two-Factor Authentication?
Share to

United States Scam & Fraud Statistics 2020

$3.3 billion total fraud losses
4.7 million fraud reports

1.4 million reports of identity theft

Source: 2019-20 Consumer Sentinel Report

Sections on this page
  1. How Much Safer is Having 2FA?
  2. How to Set Up Two-Factor Authentication
  3. What Are Authenticator Apps?
  4. Why Is It a Good Idea to Use Two-Factor Authentication?

In general, two-factor authentication (2FA) refers to requiring two steps to log in to your online accounts. It starts with the typical credentials of your username and password.

Once that’s successfully entered, you'll need to provide your second password or second "factor." This can come in different forms, such as a:

  • PIN
  • Answer to a secret question
  • Token, such as a key fob, that produces a unique set of numbers
  • Unique code from an authentication app 
  • Unique code sent via text message or email
  • Fingerprint or biometric scan

The idea is that even if someone knows your username and password, they won’t be able to get through the second layer of security, keeping your accounts and data significantly safer.

Use Strong and Unique Passwords

81% of data breaches were the result of stolen or weak passwords and 1 million passwords are stolen every week. For these reasons, it's crucial to have strong and unique passwords and to change them regularly. Use a secure password manager to help you remember all of your different logins.

It also applies to physical settings. Ever wonder why you have to enter your zip code before using a credit card while pumping gas? That’s another form of 2FA.

2FA should be used as much as possible, especially if you’re someone who uses the same password on multiple sites.

How Much Safer is Having 2FA?

According to Microsoft, having 2FA can block over 99% of account compromises, however, it’s not completely foolproof. 2FA secures online accounts where a login is required—it’s not designed to stop attacks that aren’t related to logins.

In general, there is a hierarchy of the most secure forms of 2FA. From least secure to most secure, they are:

  • Email code: If someone has access to your account, they’ll have access to your codes.
  • SMS or phone call: If someone has your SIM, they’ll have your codes.
  • Authenticator apps: This is an app on your phone that generates a unique code. These are generally good, however, they can be hacked.
  • Security keys: These are hardware keys. Users plug them into computers just like a USB. However, they’re buggy and often require backup options.
  • Biometrics (e.g., eye scans or fingerprints): These are the most secure. However, it's not always an option.

SIM Swapping: Getting Around 2FA

Scammers have come up with a way to get around your 2FA by a method called SIM swapping. This involves someone calling a cell phone provider pretending to be you and porting your cell phone number to their SIM card. Armed with access to your cell phone number, they will be sent the 2FA codes that are texted to you.

How to Set Up Two-Factor Authentication

Many sites that hold your personal information—from Google to Facebook, banks to health insurance—will give you the option of setting up 2FA. (It’s also known as multi-factor authentication or two-step verification.)

Though setting up 2FA will vary based on the site, the general steps are pretty similar. The only difference is how you access the information. Regardless of the site, you’ll need a few common things:

  • Choose your form of 2-factor authentication. This can be as a phone number, email address, or authenticator app. You will need that device when setting up your multi-factor authentication.
  • Get a printer. Some apps, like Google, offer codes for offline access (in case you lose your phone). Google will give you a list of 10. When you use one, it will cease to work. Printing it out is an analog way to access them.

Setting up multi-factor authentication is easy, doesn’t require much information, and only takes a few minutes. Follow these general steps:

  • Log in to your account.
  • Navigate to the Security section or settings page.
  • Find “Set up two-factor authentication” or something similar. Various sites call it different things, for example:
    • Twitter calls it two-factor authentication.
    • Google calls it two-step verification. 
  • Choose your form of authentication.
    • The easiest is a text message since you don’t need anything to set it up. If you choose an authenticator app, you will need to download that in advance. Most popular websites will generate a QR code that the authenticator scans. That gives you access, and the app will begin generating codes.

What Are Authenticator Apps?

An authenticator app generates unique codes to facilitate your login. It works by setting up a secure connection between the app and the account. Every 60 seconds, the app will refresh with a new code. (Instead of receiving your 2FA code via text, the app will give you the code.)

This is generally a safer option than SMS. However, it’s not foolproof. There was once a piece of malware circulating on Android that could specifically steal such codes.

There are multiple apps you can use, all of which are fairly similar:

  • Authy: Authy is free, works on multiple platforms, and also has a cloud backup option, which is convenient should you lose your phone.
  • Duo: Duo is common in business or school settings.
  • Microsoft Authenticator: This is a good choice if you do a lot of work in the Microsoft ecosystem.
  • Google Authenticator: This is perfect if you use a lot of Google tools.

Whichever app you decide to use, the set-up process is just about the same.

  • To set up a secure connection, you’ll be asked to open the app and scan a QR code generated by the site.
  • Once you scan the QR code, you’re set. A numerical code will generate every 60 seconds. You’ll need that code the next time you log in to that site.

Why Is It a Good Idea to Use Two-Factor Authentication?

The internet is inherently insecure. As we move to store more and more of our most precious data on the web, it’s important to know that hacking is a major concern.

Though not a perfect solution, two-factor authentication is a great, free and easy way to better secure your app. By utilizing 2FA, you are drastically reducing the risk of someone hacking into your account.