Two-factor authentication: A guide

A password alone will not protect sensitive information from hackers--2FA is also necessary. Here's what you need to know about two-factor authentication.

It's nearly impossible to truly secure an online or mobile account with just a password. Data breaches, malware, device theft, and myriad other methods can be used to compromise digital passwords, no matter how secure they are.


Anyone with sensitive information protected by a password needs to have a second method of securing their account, hence two-factor authentication. There are various ways to protect accounts via two-factor authentication: biometrics, one-time passwords, verification codes, QR codes, hardware tokens, and other methods all add another layer of security.


Regardless of the method: Two-factor authentication is necessary no matter how inconvenient users think it is.




  • What is two-factor authentication? This authentication method supplements passwords to provide an online account with a second layer of security; it does not replace passwords. Two-factor authentication is available for Apple ID, Google, Facebook, Twitter accounts, and other services.
  • How does two-factor authentication work? There are a variety of two-factor authentication methods available, all of which have the same end goal: providing a way of proving a login is legitimate that's completely separate from the password.
  • Why does two-factor authentication matter? Most everything we do on a computer or mobile device is exposed to the internet, and that means those online accounts can be compromised. Adding two-factor authentication to an account makes it harder for a stolen password to be used against you.
  • How safe is two-factor authentication? Nothing is completely secure, and that includes two-factor authentication. Two-factor systems have been hacked in the past, but the biggest risk isn't technological--it's social engineering, which can bypass even the most secure of systems.
  • How do I start using two-factor authentication? Businesses can standardize two-factor authentication by subscribing to a service that provides it. Home users can enable two-factor authentication on their accounts by checking to see if a particular website offers the service.

What is two-factor authentication?

Two-factor authentication is a supplement to a digital password that, when used properly, makes it harder for a cybercriminal to access a compromised account. Two-factor authentication is also referred to as 2FA, two-step verification, login verification, and two-step authentication.


Two-factor authentication is not to be confused with multi-factor authentication (MFA), of which 2FA is a subset. MFA refers to any kind of system that relies on more than one method of identification to verify you're the appropriate person to be using the account. If, for example, you use a password, one-time code, and then a fingerprint to log into a system, you're using MFA but not 2FA because you're using three distinct items.


How does two-factor authentication work?

Two-factor authentication requires, along with a password, a second form of identity verification. After successfully logging in to an account with a password, the user is prompted to either confirm their identity using a one-button push with a verification app or input a random security code from a text, email, push notification, or physical key.


The second factor is, ideally, harder to spoof than a password; it requires something the legitimate user has physical access to, like a smartphone with a particular authenticator app installed, a linked phone number for a push notification or SMS authentication code, or a hardware security key, which leaves a hacker stuck even if they have the correct password to the account. Two-factor authentication is available for Apple ID, Google, Facebook, and Twitter accounts, bank websites, and other services--it's often as simple as enabling the option.


If your business is looking for a two-factor authentication provider, there are a lot of options. Once you select a 2FA provider, users can expect to use biometrics (like Touch ID and Face ID), authenticator apps, SMS authentication, email authentication, or a physical security key to authenticate an account with an authentication code.


Each method has its pros and cons, and two-factor authentication shouldn't be relied on to be the end-all, be-all of account security. Each of those methods can be cracked by someone with enough knowledge or drive.


SMS and email authentication, easily the most ubiquitous, are also the most easily cracked. Text messages aren't secure and can be intercepted, and email accounts can be hacked. Biometrics can be fooled, and the methods of authenticating them can be hacked as well. Apps can be a problem when migrating to a new mobile device, and physical security keys can be lost.


In most cases where an account is protected by a second security factor, users will be given backup codes that can be used to disable two-factor authentication when a key is lost or an app is uninstalled. If you sign up for 2FA and are given backup codes, it's best to print them off and stick them in a secure location--you never know when you may need to recover an account that becomes locked out.


Regardless, two-factor authentication is very low effort for a lot of added security. It may not be 100% foolproof, but nothing is.


Why does two-factor authentication matter?


Two-factor authentication matters to everyone--in particular, security professionals and anyone who uses digital passwords.


If it's in an account on the internet, it's safe to assume that it's fair game for hackers to try gaining access to it. A password is usually only a stumbling block to getting ahold of your business or personal information.


It seems like we hardly go a week without news of a massive data breach affecting millions of people. The information that's stolen, in many cases, includes usernames and passwords that could allow cybercriminals access to accounts. If those users have two-factor authentication active on their accounts, they won't need to worry nearly as much.


To the individual user, two-factor authentication matters because it protects personal information like email, financial records, social media, and other sensitive information. Businesses need two-factor authentication to protect company secrets from being spilled out into the ether too, and they should be sure users, both internal and external, are using it.


How secure is two-factor authentication?

Anyone who has spent time online knows it's a bad idea to put all their security eggs in a single basket, and two-factor authentication is no exception.


As CNET reported several years ago, RSA's physical security tokens were hacked, so even systems you think are secure (like random number generators) can be exploited.


The biggest security hole in two-factor authentication, and the one most often exploited, is social engineering. An enterprising hacker doesn't need to try to crack two-factor authentication security when they can simply call a support line, pose as you, and get your password reset.


Software developer Grant Blakeman had that exact thing happen to him in 2014. An attacker who wanted access to his Instagram account managed to get his mobile phone provider to forward his number to a different device. From there the attacker received a Google account two-factor authentication code, "which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account."


Blakeman had done everything right: He used a password manager to generate long, unique passwords for each account, used two-factor authentication on Google. But that didn't matter when a smart enough attacker wanted access.


So is two-factor authentication safe? In and of itself, yes. It's rare that two-factor authentication methods are cracked. The most exploitable weakness, yet again, is humans.


How do I start using two-factor authentication?


Using two-factor authentication on consumer services like Apple ID, Google, Facebook, Twitter, bank websites, and others is often as simple as turning the service on.


Turn It On: The Ultimate Guide to Two-Factor Authentication (2FA) is a free service, provided by TeleSign, contains a searchable list of sites that use two-factor authentication and instructions for how to activate it.


Businesses can choose from a variety of two-factor authentication providers, including OneLogin, Yubico, or Okta, which offer 2FA as a service that can be plugged into existing computer systems. There are a lot of providers to choose from, and finding the right one for your business will likely take some research.


Some enterprise 2FA services, such as Okta, act as a single sign-on (SSO) that will automatically log a verified user into other accounts, so only one password has to be remembered, making business accounts that much more secure.


Once a device is enrolled in a 2FA SSO service and a user logs in, their computer or smartphone becomes a trusted device, adding another layer of security: If someone tries to log in from somewhere else, they'll have a hard time doing it without being able to provide an authentication code in addition to a username and password.


The bottom line in two-factor authentication is that it is an essential line of defense for individuals and businesses.