Get comprehensive data and security protection with Avast One
Remember when a single password was all you needed to access your accounts? That'll soon be history, as two-factor authentication is taking over in a bid to beat hackers and tighten security around online accounts. Learn how 2FA works and why you should use it. Then, get a data-monitoring tool to help keep your personal data even more secure.
Two-factor authentication (also known as 2FA or dual authentication) is a type of multi-factor authentication (MFA) that increases account security by using two methods to verify your identity. Online, 2FA usually refers to a second layer of security on top of a password.
This Article Contains:
The two-step verification of 2FA sometimes feels like a hassle, but it’s crucial for staying safe online. 2FA involves authenticating yourself in two different ways, which provides significant extra security in a world where personal data is often up for grabs.
Sometimes, it can be hard to spot examples of 2FA. Just because an account or place requires two steps to access doesn’t mean it’s actually using two-factor authentication. Using a bank card at an ATM along with a PIN code to withdraw money is a common example of 2FA. But security questions and CAPTCHAs are not.
The difference between 2FA and MFA is that MFA uses two or more factors to verify your identity. 2FA uses just two factors. The multi-factor authentication definition applies offline too — for example when a security door requires an entry card and an eye scan.
Businesses, banks, and high-security offices may use multi-factor authentication for employees. But 2FA is secure enough for most people and their online accounts.
We need two-factor authentication because it’s a more effective way to control access than keeping your personal data protected with only a password. If someone hacks an account protected by 2FA, they’ll still need to know the second access factor, like an SMS verification code or your fingerprint, to access your account.
Imagine if someone could hack your Facebook account by just finding or guessing your password. Without 2FA, a password is your only line of defense against a hacker or cybercriminal who wants to sell your personal data on dark web marketplaces.
These days, simple passwords are no match for the top password cracking techniques used by hackers. When data breaches occur, thousands — even millions — of passwords may be leaked. Then companies like Facebook and Google respond by implementing 2FA to keep user information safe.
So, why use two-factor authentication? Because even though it may take a bit more time than simply using a single password, having your personal information stolen or becoming a victim of identity theft is much, much worse.
Two-factor identification works by using two unrelated authentication methods to secure an account. The second authentication method usually needs to be verified with something in your personal possession — such as your phone — in addition to your normal username and password.
A login or access method consisting of a password and a security question is not very secure, because if someone knows one password, they likely know — or can figure out — the security question. It’s much harder to have access to a totally different factor, such as your actual phone, which is why two-factor authentication is so much more secure.
There are three main factors that explain how two-factor authentication works.
The three factors that can be used for two-factor authentication are something you know (like a password), something you have (like a bank card), and something you are (like face ID). 2FA requires two of these three factors. MFA may use all three — or even GPS tracking to confirm your physical location.
Here are the three main 2FA authentication factors:
This is something you know. It can’t be physically lost or found, but it can be copied — like a password or PIN code.
This is something you have that can’t be easily copied, but can be stolen — like a bank card or physical key.
Inherence (biometric) factor
This is something you are, which can’t be easily faked — like a fingerprint or face ID.
To qualify as two-factor authentication, the two access methods used must be two different factor types. Using a username and password isn’t 2FA because both factors are knowledge factors. Even an extra security question still doesn’t qualify as 2FA, because a security question is also a knowledge factor.
Two-factor authentication verifies your identity by using two of three factors: something you know (like a passcode), something you have (like a key), and something you are (like a fingerprint).
Now, think of your garage door code (knowledge factor) and your house key (possession factor). If you want to enter your locked house through the garage, you need both. This is an example of two-factor authentication, because it relies on something you know (code) and something you have (key). Without one of them, you’re not getting through that door easily.
Here are some other common examples of two-factor authentication:
Withdrawing money from an ATM
You know your PIN code
You have your bank card
Accessing online accounts with one-time SMS verification (OTP) codes
You know your username and password
You have your phone
You have your passport
You are you, verified by facial recognition, fingerprints, or retina scans
Those examples show why using two-factor authentication is necessary to increase your personal security. With 2FA, a hacker can set up a keylogger to copy your password, but they can’t hack you without, say, having your phone where the one-time verification code is sent.
Two-factor authentication requirements are the same regardless of context, which is what makes them so effective. The basic 2FA properties of knowing, having, and being don’t change, and it’s difficult to have access to more than one at a time — unless of course you are who you say you are.
Many apps and services offer 2FA, but it might not be enabled by default. Check your account’s security settings to see if 2FA is available. Google has its own Google Authenticator app, which generates 2FA codes automatically. Or, you can enable 2FA yourself via your Google Account or Gmail account.
Here’s how to set up 2FA on your Google Account:
Sign in to your Google Account.
Click your profile picture and select Manage your Google Account.
Click Security in the left panel, then click 2-Step Verification.
Click Get Started.
Confirm your password.
Choose how you want to verify that your phone is really yours: a prompt (default), a security key, a text message, or a voice call. Then click Try It Now.
Google will ask you to confirm using the prompt on your phone.
Verify using your authentication method of choice.
Now, add a backup phone number or email in case you lose your phone or can’t verify the prompt. Then, choose an option (text message or phone call) and click Send.
Google will send a verification code to your phone.
Enter the Google Verification code into your Google Account 2FA settings, then click Next.
Now click Turn on.
You’re done! Now two-factor authentication is set up in your Google Account. Check the confirmation email from Google to ensure the process worked.
You can also set up 2FA on your Apple device, as well as Facebook, Reddit, and almost any other app, platform, or device you use. Two-step authentication, with a strong password and another verification method, is far more secure than just a password alone.
Yes, two-factor authentication is very secure. No login method is completely foolproof, but 2FA makes you much safer against data leaks and hacking attempts. If hackers learn that your 2FA is enabled, they’ll likely move on elsewhere, leaving your account secure.
Of course, hackers are always learning, and they might eventually crack 2FA. Message mirroring apps that can see your texts already exist. And now voice bots that steal 2FA codes have emerged. And when everything else fails, hackers continue to use social engineering to try to trick people into giving up their 2FA codes.
Single passwords aren’t as secure as they used to be. Hackers can find tons of ways to crack your passwords, using tactics like password spraying, keylogging, and brute force attacks. You should always create strong, complex passwords or passphrases, but it still may not be enough to keep your accounts secure forever.
If you don’t want to enable 2FA for every account you use, you can use a random password generator to make it harder for hackers. And storing all your strong passwords in one of the best password managers makes it much easier to keep track of them all.
But you should absolutely use two-factor authentication for all the accounts you use most often, as well as the ones you need to keep the most secure.
2FA is an important security measure, but to protect all your accounts you need a top-notch data-monitoring tool. Avast Breachguard constantly scans the web for leaked data, notifying you immediately in the event that one of your accounts is ever compromised.
Don’t take the security of your personal accounts and data lightly — keep them safe with Avast Breachguard.