academy
Security
Security
See all Security articles
Privacy
Privacy
See all Privacy articles
Performance
Performance
See all Performance articles
Select language
Select language
Avast Academy Security Passwords How Does Two-Factor Authentication (2FA) Work?

How Does Two-Factor Authentication (2FA) Work?

Remember when a single password was all you needed to access your accounts? That'll soon be history, as two-factor authentication is taking over in a bid to beat hackers and tighten security around online accounts. Learn how 2FA works and why you should use it. Then, get a data-monitoring tool to help keep your personal data even more secure.

Academy-How-does-2FA-work-Hero

What is 2FA?

Two-factor authentication (also known as 2FA or dual authentication) is a type of multi-factor authentication (MFA) that increases account security by using two methods to verify your identity. Online, 2FA usually refers to a second layer of security on top of a password.

Hamburguer menu icon

This article contains:

    The two-step verification of 2FA sometimes feels like a hassle, but it’s crucial for staying safe online. 2FA involves authenticating yourself in two different ways, which provides significant extra security in a world where personal data is often up for grabs.

    Sometimes, it can be hard to spot examples of 2FA. Just because an account or place requires two steps to access doesn’t mean it’s actually using two-factor authentication. Using a bank card at an ATM along with a PIN code to withdraw money is a common example of 2FA. But security questions and CAPTCHAs are not.

    2FA vs. MFA (multi-factor authentication): what’s the difference?

    The difference between 2FA and MFA is that MFA uses two or more factors to verify your identity. 2FA uses just two factors. The multi-factor authentication definition applies offline too — for example when a security door requires an entry card and an eye scan.

    Businesses, banks, and high-security offices may use multi-factor authentication for employees. But 2FA is secure enough for most people and their online accounts.

    Why do we need two-factor authentication (2FA)?

    We need two-factor authentication because it’s a more effective way to control access than keeping your personal data protected with only a password. If someone hacks an account protected by 2FA, they’ll still need to know the second access factor, like an SMS verification code or your fingerprint, to access your account.

    Imagine if someone could hack your Facebook account by just finding or guessing your password. Without 2FA, a password is your only line of defense against a hacker or cybercriminal who wants to sell your personal data on dark web marketplaces.

    These days, simple passwords are no match for the top password cracking techniques used by hackers. When data breaches occur, thousands — even millions — of passwords may be leaked. Then companies like Facebook and Google respond by implementing 2FA to keep user information safe.

    So, why use two-factor authentication? Because even though it may take a bit more time than simply using a single password, having your personal information stolen or becoming a victim of identity theft is much, much worse.

    How does 2FA work?

    Two-factor identification works by using two unrelated authentication methods to secure an account. The second authentication method usually needs to be verified with something in your personal possession — such as your phone — in addition to your normal username and password.

    A login or access method consisting of a password and a security question is not very secure, because if someone knows one password, they likely know — or can figure out — the security question. It’s much harder to have access to a totally different factor, such as your actual phone, which is why two-factor authentication is so much more secure.

    There are three main factors that explain how two-factor authentication works.

    2FA: the three factors

    The three factors that can be used for two-factor authentication are something you know (like a password), something you have (like a bank card), and something you are (like face ID). 2FA requires two of these three factors. MFA may use all three — or even GPS tracking to confirm your physical location.

    Here are the three main 2FA authentication factors:

    • Knowledge factor

      This is something you know. It can’t be physically lost or found, but it can be copied — like a password or PIN code.

    • Possession factor

      This is something you have that can’t be easily copied, but can be stolen — like a bank card or physical key.

    • Inherence (biometric) factor
      This is something you are, which can’t be easily faked — like a fingerprint or face ID.

    To qualify as two-factor authentication, the two access methods used must be two different factor types. Using a username and password isn’t 2FA because both factors are knowledge factors. Even an extra security question still doesn’t qualify as 2FA, because a security question is also a knowledge factor.

    Two-factor authentication relies on two of three different identifying factors: knowledge, possession, or biometric.Two-factor authentication verifies your identity by using two of three factors: something you know (like a passcode), something you have (like a key), and something you are (like a fingerprint).

    Now, think of your garage door code (knowledge factor) and your house key (possession factor). If you want to enter your locked house through the garage, you need both. This is an example of two-factor authentication, because it relies on something you know (code) and something you have (key). Without one of them, you’re not getting through that door easily.

    Here are some other common examples of two-factor authentication:

    Withdrawing money from an ATM

    • You know your PIN code

    • You have your bank card

    Accessing online accounts with one-time SMS verification (OTP) codes

    • You know your username and password

    • You have your phone

    Traveling internationally

    • You have your passport

    • You are you, verified by facial recognition, fingerprints, or retina scans

    Those examples show why using two-factor authentication is necessary to increase your personal security. With 2FA, a hacker can set up a keylogger to copy your password, but they can’t hack you without, say, having your phone where the one-time verification code is sent.

    Two-factor authentication requirements are the same regardless of context, which is what makes them so effective. The basic 2FA properties of knowing, having, and being don’t change, and it’s difficult to have access to more than one at a time — unless of course you are who you say you are.

    How to set up 2FA

    Many apps and services offer 2FA, but it might not be enabled by default. Check your account’s security settings to see if 2FA is available. Google has its own Google Authenticator app, which generates 2FA codes automatically. Or, you can enable 2FA yourself via your Google Account or Gmail account.

    Here’s how to set up 2FA on your Google Account:

    1. Sign in to your Google Account.

      Signing in to a Google Account with a password.
    2. Click your profile picture and select Manage your Google Account.

      Highlighting "Manage your Google Account" in the Google profile page
    3. Click Security in the left panel, then click 2-Step Verification.

      Highlighting 2-Step Verification in Google account settings
    4. Click Get Started.

      Clicking "Get started" on the 2-Step Verification page
    5. Confirm your password.

    6. Choose how you want to verify that your phone is really yours: a prompt (default), a security key, a text message, or a voice call. Then click Try It Now.

      Highlighting other prompt options and the "Try it now" button on Google's 2-Step Verification page
    7. Google will ask you to confirm using the prompt on your phone.

      The alert informing you Google has sent a prompt to your phone
    8. Verify using your authentication method of choice.

      A Google prompt on a phone asking the user to authenticate
    9. Now, add a backup phone number or email in case you lose your phone or can’t verify the prompt. Then, choose an option (text message or phone call) and click Send.

      Google's back up option for 2-step verification page with "Send" highlighted
    10. Google will send a verification code to your phone.

      A Google verification code as sent to a phone
    11. Enter the Google Verification code into your Google Account 2FA settings, then click Next.

      Entering a Google verification code into Google's 2-Step Verification screen
    12. Now click Turn on.

      Highlighting the "Turn on" button in Google's 2-Step Verification confirmation screen
    13. You’re done! Now two-factor authentication is set up in your Google Account. Check the confirmation email from Google to ensure the process worked.

      A confirmation email from Google that 2-Step Verification has been turned on

    You can also set up 2FA on your Apple device, as well as Facebook, Reddit, and almost any other app, platform, or device you use. Two-step authentication, with a strong password and another verification method, is far more secure than just a password alone.

    Is 2FA actually secure?

    Yes, two-factor authentication is very secure. No login method is completely foolproof, but 2FA makes you much safer against data leaks and hacking attempts. If hackers learn that your 2FA is enabled, they’ll likely move on elsewhere, leaving your account secure.

    Of course, hackers are always learning, and they might eventually crack 2FA. Message mirroring apps that can see your texts already exist. And now voice bots that steal 2FA codes have emerged. And when everything else fails, hackers continue to use social engineering to try to trick people into giving up their 2FA codes.

    Are my passwords not secure enough anymore?

    Single passwords aren’t as secure as they used to be. Hackers can find tons of ways to crack your passwords, using tactics like password spraying, keylogging, and brute force attacks. You should always create strong, complex passwords or passphrases, but it still may not be enough to keep your accounts secure forever.

    If you don’t want to enable 2FA for every account you use, you can use a random password generator to make it harder for hackers. And storing all your strong passwords in one of the best password managers makes it much easier to keep track of them all.

    But you should absolutely use two-factor authentication for all the accounts you use most often, as well as the ones you need to keep the most secure.

    Take data protection to the next level

    2FA is an important security measure, but to protect all your accounts you need a top-notch data-monitoring tool. Avast Breachguard constantly scans the web for leaked data, notifying you immediately in the event that one of your accounts is ever compromised.

    Don’t take the security of your personal accounts and data lightly — keep them safe with Avast Breachguard.

    Get comprehensive data and security protection with Avast One

    FREE INSTALL

    Get comprehensive data and security protection with Avast One

    FREE INSTALL