What is two-factor authentication (2FA)?


Two-factor authentication adds an extra step – and an extra level of security — when you log into a website, online bank account, credit card portal, or other site.

Using secure passwords is more important than ever. Hackers are hungry for passwords, because they can be sold or shared with others who may use them to log onto victims’ bank or credit card accounts.

Just read the news stories about high-profile data breaches and password leaks that can leave account credentials exposed.

There is one way to quickly boost the safety of your online accounts: two-factor authentication.

With two-factor authentication enabled — also known as 2FA — you get an extra layer of security that cyberthieves can’t easily access, because the criminal needs more than just your username and password credentials.

You may already be using two-factor authentication on some of your accounts, even though you may not be aware of it. Your ATM card is one example of 2FA, because you must present both your physical card and enter your PIN to access your bank account.

What is 2FA?

For an example of how 2FA works, just look at your own online history: There might be plenty of websites that you access just by entering your username and password. This is an example of one-factor authentication, with your password being that single factor you need to log onto a site.

As the name suggests, two-factor authentication requires one extra step — and a second factor — to log onto a site or access an online account. Most often, you first enter your username and password. The site typically then sends a text message to your mobile phone with a six-digit numerical code. This code is sometimes called an authenticator, a passcode or a verification code. You can only access the site by then entering this code that appears on your mobile device. If you don't have the code, you can't log on, even if you know the correct password.

It’s true that 2FA does require this extra step, which you might find to be a bit of a hassle. But the goal here is to protect your accounts. It's more difficult for hackers to access your online bank accounts, credit card portals or personal sites if they also need an additional code to get into them.

Factor types for 2FA

When sites rely on 2FA security, what factors will they require from you to log on? That depends. Different sites will use different factors for user authentication.

Here are some examples:

Knowledge factor: Many sites require what are known as knowledge factors. You might be required to enter a personal identification number that is sent through a text message to your phone. Other sites might require that you answer certain security questions to log on.

Possession factor: Sometimes you might need an actual piece of hardware to log onto a site or access your bank account. Consider when you use an ATM: Not only must you enter your PIN, you must also first insert your ATM or credit card. Businesses might provide their employees with a USB token or key fob. When employees log into company accounts, the token or fob will display a code that the employees need to enter or validate. Alternatively, employees might need to insert a USB token into their computer or device before they can log on.

Software token factor: You can also download apps that provide 2FA. Once you do, any site that you log on to that supports 2FA will send a code to the app that you must enter before you can log on.

Inherence factor: Sometimes called biometric authentication, an inherence factor relies on something about you — such as your fingerprint or voice or speech patterns — to provide security. The most common type of inherence 2FA relies on your fingerprint. When logging onto a site, you’re required to press your fingertip against a sensor. Once your device recognizes your fingerprint, you can log on.

Location factor: Some sites rely on a location factor to verify your identity. If you log onto a site from an unusual location, the site might send you a text or email message asking you to verify your identity before letting you log on. You might need to answer a security question or input a code before you can access the site.

How secure is 2FA?

Nothing is 100 percent secure, and even with 2FA enabled your account can still be vulnerable through password-recovery options. Lost-password recovery usually resets your password via email, and that process can completely bypass 2FA.

This leaves you exposed if an attacker has gained access to the email account associated with any of the accounts you have 2FA enabled for. Be sure to monitor your email account for password-change requests that you did not initiate.

Why do I need 2FA?

Two-factor authentication might seem like a hassle. After all, you’ll need to take an extra step to log onto your favorite websites.

But without 2FA, you could be leaving yourself vulnerable to cybercriminals who want to steal your personal identification, access your bank accounts, or hack into your online credit card portals. Why? Without a complex, unique password for each of your online accounts, a skilled hacker may be able to crack your passwords. And once they do, they can easily gain access to the personal and financial information in any accounts with that username and password combination.

When you use 2FA, though, you add an additional layer of protection against hackers. They’ll struggle to access your bank account if they must also enter a six-digit code — a one-time password — that’s sent only to your phone, for example. They might not be able to access your online credit card portal if they also have to provide a scan of your fingerprint.

The lesson here is simple: Don’t let this extra step deter you from protecting your accounts with 2FA.

Types of 2FA

There are several types of 2FA available today, all of them relying on the different forms of factors we’ve listed above.

Hardware tokens: This type of 2FA requires users to possess a type of physical token, such as a USB token, that they must insert in their device before logging on. Some hardware tokens instead display a digital code that users must enter.

SMS and voice 2FA: You’ll receive either a text or voice message giving you a code that you must then enter to access a site or account.

Software tokens for 2FA: These tokens are apps that you download. Any site that features 2FA will then send a code to the app that you enter before logging on.

Push notifications for 2FA: You’ll download a push notification app to your phone. When you enter your log-in credentials to access a website, a push notification is sent to your smartphone. A message will then appear on your phone requesting that you approve your log-in attempt with a tap. Once you tap, the push notification app will contact the site, which will then allow you to log on.

Biometrics: To log onto a site, you’ll first have to verify it’s you through something physical about yourself. Most commonly, this means using a fingerprint scanner. Once you do this, you can log on.

Other forms of 2FA: Additional password security measures

Want to take extra steps to help protect your online accounts even when using 2FA? Try these strategies:

  • Do not use the same passwords across multiple accounts.
  • Make sure your passwords are, at minimum, eight characters long and use a unique combination of uppercase and lowercase letters, symbols, and numbers.
  • Don’t use words, birthdates, addresses or phone numbers in your passwords. These are things that often can easily be found out about you on the internet.

While not all websites offer 2FA, you can check twofactorauth.org to see what services employ it.

Dan Rafter, freelance writer
Dan Rafter is a freelance writer who covers tech, finance, and real estate. His work has appeared in the Washington Post, Chicago Tribune, and Fox Business.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 
