As the always-online world has become an ever more dangerous place, the need for authentication methods stronger than the old, not-so-reliable username/password combination has become evident.
In response, many websites, social networks, and computer and mobile device makers now offer, and in some cases require, two-factor authentication to log into their services, networks and devices.
In this article, I’ll explain what two-factor authentication is, how it works, how it increases the level of security for logins, what the drawbacks are, and why you should use it if it’s available. I’ll also discuss some of the companies and popular online services that use 2FA to protect their customers’ logins and associated personal information.
What Is Two-Factor Authentication?
Two-Factor Authentication (2FA) is a way of authenticating a login using two independent pieces of evidence from different categories. It is the most common form of Multi-Factor Authentication (MFA), the general term for using two or more factors. The factors are usually defined as something the user knows (a password or PIN), something the user has (a phone, a security key, a token generator) and something the user is (a fingerprint or face). Two codes sent to the same phone are not two factors; a password plus a code from a device you hold is.
Perhaps the best way to explain two-factor authentication is to use a situation most of my readers will be familiar with: withdrawing money from an Automatic Teller Machine (ATM).
Two things are required for your bank to approve an ATM withdrawal: your valid credit or debit card (what you have), and your 4-digit Personal Identification Number (PIN) (what you know).
The specific factors used vary widely among organizations, and each method has its own advantages and disadvantages.
Mobile Device Two-Factor Authentication
To use 2FA with a mobile device, you log in with your password as usual, and the website or service then asks for a code tied to your phone or tablet. The simplest version sends a numeric code (usually 6 digits, sometimes 4 or more) to your phone via a text message. Many services instead (or also) support a passcode-generation app installed on the device, which computes a fresh code every 30 seconds or so from a secret it shared with the service when you enrolled, so no message has to be delivered at all.
The two factors here are something you know (your password) and something you have (the device). The one-time code, whether it arrives by text message or notification or is produced by the app, is only the proof that you hold the device.
This method has both advantages and disadvantages.
Advantages:
- No need to carry a token generator, as the process uses your mobile device.
- The passcodes are generated on the fly, making them more secure than static passwords.
- A maximum number of passcode entries can be set, limiting the risk of passcode guessing.
- The process is user-friendly.
Disadvantages:
- The mobile device could be stolen, lost or damaged.
- If you’re out of range of your carrier’s cellular network, you might not receive the passcode message.
- It requires sharing your mobile phone number. This reduces your personal privacy.
- SIM swapping (an attacker persuading your carrier to move your number to their SIM) or SIM cloning hands the attacker your text messages, and with them the codes; SMS can also be intercepted in transit. Codes typed into a convincing fake login page can be relayed to the real site in real time, so a text message code protects you from a stolen password but not from a live phishing attack.
Token Generator 2FA
Other companies supply a key-fob-like or credit-card-like token generator the user can keep in their pocket, briefcase or purse.
The device displays a new code at a fixed interval (every 60 seconds on the classic RSA SecurID tokens), providing a one-time passcode as needed. It works much like an authenticator app: the token and the service share a secret seed and derive the same code from the current time. This eliminates the need for a mobile device to receive a passcode. However, it does introduce its own issues.
While 2FA certainly adds a much-needed layer of security to the login process, it is not immune from hackers. In 2011, attackers breached RSA, the company behind SecurID, and stole information related to SecurID tokens, which RSA acknowledged could reduce the effectiveness of its customers’ two-factor deployments. The seed material behind a token system is a single point of failure for every token derived from it.
Advantages:
- It doesn’t rely on the use of a mobile or other internet-connected device.
- It’s portable and the user can keep it in their pocket, purse or briefcase.
- It’s easy to use.
- The token refreshes after a set amount of time – no permanent passcode to steal.
Disadvantages:
- It’s easily lost or stolen from your pocket, purse or briefcase.
- Like any code you type in, it is vulnerable to a man-in-the-middle or real-time phishing attack: a fake login page can collect the code and relay it to the real site before it expires. Only origin-bound methods such as FIDO2/WebAuthn security keys, which sign a challenge tied to the genuine website, resist this.
Why Use Two-Factor Authentication?
Logins via the long-accepted username-and-password method have grown increasingly insecure. Many users reuse the same username and password, or rotate through a small number of login combinations, across sites. This makes life easy for attackers who obtain user data in the data breaches we seem to hear about almost daily.
Once an attacker has your login for one website or service, they assume there is a good chance you used the same credentials elsewhere. They then replay those credentials, often automatically and at scale (a technique called credential stuffing), against many websites, including banking, credit card and shopping sites.
Two-factor authentication makes it much more difficult for an attacker holding a stolen or guessed password to get into your accounts and the sensitive personal information behind them.
Services that Use Two-Factor Authentication
In this section, we will look at some of the online services and other companies that use two-factor authentication (2FA) to verify the identities of their users when they log in.
We’ll take a look at how Facebook, Twitter, Google, Apple and Microsoft make use of 2FA. Each uses the process a little differently. For each company, we will look at how you can set up 2FA for use with the service, and how it works for logins.
When you set up two-factor authentication for your Facebook account, you’ll be asked to enter a special security code or confirm your attempt to log in each time you (or someone else) try to access your Facebook account on a computer or mobile device that Facebook doesn’t recognize.
To turn on two-factor authentication on Facebook, do the following on Facebook.com:
- Go to the Security and Login Settings page by clicking the little down arrow in the upper-right hand corner of your Facebook page. Then click “Settings” -> “Security and Login.”
- Scroll down the page until you see “Use two-factor authentication” and click “Edit.”
- Select the authentication method you prefer to use and then follow the on-screen prompts.
- Click “Enable” to turn on your selected method of authentication.
Available authentication methods include:
- Text messages sent to your smartphone
- Security codes created via Code Generator
- Tapping your security key on a compatible device
- Security codes created by a third-party app
- Approving a login attempt from an unrecognized device
- Using a printed recovery code
Facebook says you can enable as many of these methods as you like, but at least one primary method must be active: either text message codes, or both a security key and Code Generator.
When you enable “login verification” for your Twitter account, Twitter will require you to enter both a password and a code which the service will send to your smartphone when you attempt to log into Twitter. By default, the service will send the 6-digit code via SMS text message. You can also use a third-party app for verification.
To turn on login verification for Twitter, do the following on Twitter.com:
- In the top menu, click on your Twitter profile icon and then click “Settings and privacy.”
- Click on your Account settings and then click “Set up login verification.”
- Read the instructions there, if you wish, and then click “Start.”
- Enter your password and then click “Verify.”
- Click the “Send Code” button to add your mobile phone number. (If you already have a phone number connected to your account, Twitter will send a text to that number to confirm it.)
- Once the code is sent to your phone, enter the code in your browser and click “Submit.”
- Last, but certainly not least, click “Get Backup Code” to view a code you can use to access your account if you lose your smartphone or change your phone number. (Twitter recommends you take a screenshot for future reference; keep that copy somewhere other than the phone you log in with, for the reasons discussed under “What Happens If I Lock Myself Out?” below.)
To use a third-party app for Twitter login verification, do the following on Twitter.com:
- In the top menu, click on your Twitter profile icon and then click “Settings and privacy.”
- Click on the “Account” tab.
- Look under “Security,” next to Login verification, and click on the “Review your login verification methods” button.
- Enter your password and click the “Confirm” button.
- Click “Set up,” which is next to “Mobile security app.”
- Read the instructions there, if you wish, and then click “Start.”
- The service may ask you to enter your password. If so, enter it and click “Verify.”
- A pop-up window will appear with a QR Code in it. Follow the instructions you’ll see there.
- The service will require you to scan the QR code to set up the third-party authentication app. It will then provide you with a 6-digit numeric code.
- Enter the code in the “Security code” text field in the pop-up window.
- Click “Done.”
Temporary Passwords
Once you enable login verification for your account on the web, Twitter will require you to use a temporary password when you attempt to log into Twitter on other devices, or in applications that ask for your Twitter password but don’t support the verification step.
When Twitter detects that you need one, it will send a temporary password via SMS text message. You can also generate your own temporary password. Treat these like your real password: an application that holds one gets in without the second factor.
When you enable 2-Step Verification for your Google account, you’ll still log in with your usual password, but Google will also require a second step: by default a security code sent to your phone, though Google also supports sign-in prompts on a phone where you’re already signed in, authenticator apps and security keys.
To turn on 2-Step Verification for Google, do the following on Google.com:
- Visit the “Google 2-Step Verification” page.
- Click the “Get Started” button near the top-right area of the page.
- The next page offers a short explanation of how 2-Step Verification works. Read this if you wish. Click the “GET STARTED” button.
- Log in.
- Google will then ask you what phone number you’d like verification codes sent to. Verify the phone number if one is already filled in and edit it as needed. Select whether to receive the codes via text message or a voice call, then click “Send code.”
- When you receive the 6-digit code, enter it on the computer and click the “Verify” button.
- Google will then ask whether this is a “trusted computer.” Checking “Trust this computer” means Google will skip the second step on it in future. Leave it unchecked on any shared, borrowed or portable machine (see “Never Mark Your Device or Computer as ‘Trusted’” below), then click “Next.”
- Turn on 2-Step Verification for your Google account by clicking “Confirm.”
Apple
With Apple’s “Two-Factor Authentication” enabled for your Apple ID, your account can be used only from trusted devices, such as your iPhone, iPad or Mac, and a trusted phone number. When you sign in on a new device for the first time, you’ll need to provide your password and a 6-digit verification code that Apple displays on your already-trusted devices (or sends to your trusted phone number). Entering the code makes the new device trusted too.
To enable Two-Factor Authentication for your Apple ID, do the following:
If you’re using iOS 10.3 or later:
- Go to “Settings” -> “[your name]” -> “Password & Security.”
- Tap “Turn On Two-Factor Authentication.”
- Tap “Continue.”
- Enter the phone number where you want to receive verification codes when you sign in. You can choose to receive the codes by text message or automated phone call.
- Tap “Next.”
- Enter the verification code to verify your phone number and turn on two-factor authentication.
If you’re using iOS 10.2 or earlier:
- Go to “Settings” -> “iCloud.”
- Tap your Apple ID -> “Password & Security.”
- Tap “Turn on Two-Factor Authentication.”
- Tap “Continue.”
On your Mac, if you’re using macOS Catalina or later, do the following (on macOS Ventura and later the menu item is “System Settings” and your name appears in place of “Apple ID,” but the remaining steps are the same):
- Click on the Apple logo in the upper-left-hand corner of your Mac’s Desktop.
- In the pull-down menu that appears, click “System Preferences.”
- Click “Apple ID.”
- Click “Password & Security” under your name.
- Next to Two-Factor Authentication, click “Turn On.”
If you’re using macOS Mojave or earlier (back to OS X El Capitan), where your Apple ID still lives under the iCloud preference pane, do the following:
- Click on the Apple logo in the upper-left-hand corner of your Mac’s Desktop.
- In the pull-down menu that appears, click “System Preferences.”
- In the System Preferences, click the “iCloud” icon.
- On the iCloud screen, click “Account Details.”
- Click “Security.”
- Click “Turn On Two-Factor Authentication.”
Microsoft
If you enable the Two-Step Verification process on your Microsoft account, you’ll be required to enter your password and a security code that you’ll receive via an email address, a phone number, or an authenticator app.
To enable Two-Step Verification for your Microsoft account, do the following:
- Go to the Microsoft Security Basics website and sign in using your Microsoft account information.
- Click the “more security options” link.
- Under “Two-step verification,” click “Set up two-step verification.”
- Follow the setup prompts to the end, then click “Done.” Microsoft may ask for a verification code, sent either via SMS or to an alternate email address. When you’ve finished, Microsoft sends a confirmation email to your alternate address.
What Else Do I Need to Know About Two-Factor Authentication?
Always Use Two-Factor Authentication on Your Email Accounts
So, which of your email accounts is the “most important account” that you should enable two-factor authentication on?
Answer: it’s any and all of them. Whether you use your email account for business or pleasure, it doesn’t matter. Hackers can cause you all kinds of grief if they can take control of your email account.
Think about it: how many websites or services have you signed up for over the years that ask for your email address? How many of those use your email address as your username? The number adds up quickly.
Even websites that don’t use your email for login still use it as the contact method for resetting your password if you forget it.
With your email under their control, an attacker can start resetting the passwords that protect your important accounts: your bank’s website, your credit card issuers, your favorite online merchants and so on. That makes your mailbox the master key to everything else.
And believe me, it isn’t any fun trying to sort out a mess like that once it happens.
Protect Your Financial Accounts
Check with your bank or credit card issuer to find out if they offer two-factor authentication for when you’re logging into your account.
While not all banks or credit card companies currently offer 2FA, many do. Chase, Bank of America, Barclays US, Ally Bank, Wells Fargo and Capital One come to mind as financial institutions that offer 2FA to their customers.
If you’d like to quickly check on whether your financial institution provides two-factor authentication to protect your account, visit the Two Factor Auth website.
There, you can check their list to see whether or not your firm protects you with 2FA, and if they do, what types of authentication they offer. The website offers lists covering backup providers, banks, cloud computing providers, communication firms and cryptocurrency websites.
One Password to Rule Them All
Perhaps the most important password you’ll ever use is the one that unlocks the encrypted vault holding all the passwords you’ve saved in your password manager. Make sure your password manager supports two-factor authentication, and understand what it covers: for cloud-synced managers, the second factor typically guards access to the vault on the vendor’s servers, while a copy of the vault already on a device is protected only by the master password. Also think twice before storing your authenticator (TOTP) codes in the same vault as the passwords they protect; if the vault is opened, both factors fall together.
Quite a few password managers support 2FA, including 1Password, LastPass, Dashlane and RoboForm.
Never Mark Your Device or Computer as “Trusted”
Many websites you log into via two-factor authentication let you mark your computer or mobile device as “trusted.” The site then stores a long-lived marker on that device and skips the second factor there, so anyone who can use the device and knows (or has phished) your password gets in with the password alone.
Avoid doing this. Marking a device as “trusted” undoes the benefit of two-factor authentication on that device, which exists to protect you and your personal and financial information.
While going the trusted route makes future logins a bit easier, it also makes them easier for the bad guys if they ever get their hands on your device. If you have already trusted devices, most services let you review and revoke them from the security settings; do that immediately if a device is lost.
Of course, you don’t have to worry about that, right? No one ever loses their laptop or mobile device, or has one stolen, right? Right? (Now ends the “sarcasm” portion of our program.)
What Happens If I Lock Myself Out?
If you use your smartphone for the second factor in your two-factor authentication logins, it’s logical that you might worry about losing your mobile device and getting locked out of your accounts. Luckily, most modern 2FA systems allow you to add a second phone number or even a second email address for just this reason.
Even if you lose your smartphone or another mobile device you use for authentication, you can usually get a security code via a voice call to your landline or second phone, or to an alternate email address.
An alternative protection against getting locked out, which some companies provide, is a set of one-time recovery codes you can print out and keep in a safe place. While this sounds old-fashioned, a piece of paper could save you a lot of hassle someday. Don’t just copy the codes to the device you log in with: if that device is what you lose, the codes go with it, and if it is compromised, the attacker gets your backup factor along with everything else.
How Do I Find Out If a Website Supports Two-Factor Authentication?
While we’ve covered the fact that many financial, social and cloud storage websites and services offer 2FA, there are also many websites connected to other industries that also offer protection to their users.
Authy’s guide lists websites and services that work with its 2FA app. The list also indicates sites and services that will work with other 2FA authentication methods.
Action Steps
Two-Factor Authentication is a great way to help ensure that your online accounts remain secure, keeping your personal and business information away from the bad guys. With just a few steps, any user can make it tougher for hackers to steal their accounts.
Turn on Two-Factor Authentication When Possible
If any website, service, email provider or anything else you access online offers Two-Factor Authentication (2FA), enable it. With 2FA, someone who learns your password, whether by guessing it or by finding it in a breach, still doesn’t have enough to get into your account.
By requiring a second action on your part to log in (a login code sent via email, text message or a code from a token generator), 2FA makes it much more difficult for unauthorized parties to access your accounts.
Use a Password Manager that Supports Two-Factor Authentication
If you’re not using a password manager to protect and keep track of your online logins, get one now!
Many password managers are compatible with 2FA, making them a great way to easily log in to your favorite websites and other services while also protecting that valuable login and its associated personal and business information.
Never Click the “Mark This Device as Trusted” Box on a Website
While going the “trusted device” route might make future logins easier for you, it also makes them easier for anyone who finds or steals your laptop or mobile device and knows your password. That defeats the purpose of 2FA, which is to protect your logins and your information. If you have trusted a device, revoke it in the service’s security settings as soon as the device goes missing.
Lock Yourself Out of a Website? You Can Fix That!
It’s understandable that you might worry about getting locked out of a website if you use two-factor authentication. What happens if you lose your mobile device and can’t receive the 2FA code?
Most 2FA systems allow users to add a second phone number or a supplemental email address for just this type of situation. Even if the second phone number is a landline that’s not text message-compatible, many two-factor authentication systems can supply an authentication code via a voice message.
Many services can also provide a special code that you can print out and save in a safe place. Sure, it’s old school, but you’ll appreciate it if you need it. As I’ve mentioned before, don’t just copy and paste the code to your device’s notes app. If you lose the device, then you lose the code.
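As an added illustration of the recovery codes described here and under “What Happens If I Lock Myself Out?” above (example code written for this page, not any service’s implementation), the block below shows how a service would typically generate such codes and why each one works only once: the server keeps only salted, slow hashes of the codes and deletes the matching hash on first use, so a printed sheet is the only complete copy. The alphabet, code format and the `RecoveryCodeStore` class are illustrative choices.

```python
import hashlib
import hmac
import secrets

# Letters and digits that are hard to confuse when read back from paper (no 0/O, 1/I/L).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> list:
    """Return `count` random codes like 'a7k3x-9q2mz'. Ten symbols from a 31-symbol
    alphabet give roughly 50 bits of entropy each, far beyond any online guessing budget."""
    codes = []
    for _ in range(count):
        parts = ("".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups))
        codes.append("-".join(parts))
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user types it back: case, dashes and spaces are ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database does not reveal usable codes."""
    return hashlib.scrypt(normalize(code).encode(), salt=salt, n=2 ** 14, r=8, p=1)


class RecoveryCodeStore:
    """Hypothetical server-side record for one account (illustrative, not a vendor API).
    Only hashes are stored; a code is burned on first successful use."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def redeem(self, submitted: str) -> bool:
        candidate = hash_code(submitted, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)       # one-time: never accepted again
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("\n".join(codes))                      # what the user prints and files away
    print("first use:", store.redeem(codes[0].upper()))
    print("second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Because the service holds only hashes, it cannot show you the codes again later; that is why services display them exactly once at setup and offer to regenerate a fresh set (invalidating the old one) if you lose the sheet.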
Check to See If Your Favorite Website or Service Supports 2FA
While not all websites and other online services provide a two-factor authentication option to their users, more of them are adding the option all of the time. If you’re curious whether or not your favorite website offers 2FA, you can visit Turn It On.
Turn It On allows you to search for information on whether or not a particular website or other online service offers the extra layer of security. In addition, the website provides step-by-step instructions for enabling 2FA on websites that offer it.
Double Up on Your Protection
Two-Factor Authentication provides the additional layer of protection for your online accounts that makes a real difference when keeping your valuable personal and business information safe from prying eyes.
By taking just a few moments on each website, you can easily add another wall between your information and the bad actors that would love to get their hands on it.
What is Two-Factor Authentication FAQs
How Does Two-Factor Authentication Increase Security?
Two-factor authentication requires users to enter not only a username and password to log into their account, but also a passcode that is sent to a confirmed email address or phone number, or generated by a trusted authenticator app or security key. A stolen password alone is no longer enough.
Are fingerprints used for two-factor authentication?
Yes, fingerprints can be used as a factor (something you are). Facial features, hand shape, iris structure, voice and other biometric features can be used as well. Each contains a large number of unique data points, making it difficult to replicate. In practice, most consumer systems check the biometric locally, to unlock a phone, a passkey or an authenticator app, rather than sending it to the website; this matters because a biometric cannot be changed if it is ever copied.
Does two-factor authentication have a recovery key?
Yes, in most cases you will be given a recovery key that can be used to access your account if needed. Be sure to copy the key and save it in a safe and secure place. If you do not have the key when and if it is needed, you may be permanently locked out of your account.
What is zero trust, and how is 2FA related?
Zero Trust is an IT security model that requires every user and device to be authenticated and authorized for each access to network resources, applications and more, regardless of whether the request comes from inside or outside the corporate network. 2FA is an important component of Zero Trust, as it adds a layer of security when accessing a protected resource by requiring additional factors to prove the user’s identity.
Can I turn off two-factor authentication after I've turned it on?
It depends on the device, website or software. Two-factor authentication is meant to stay in place once enabled, and turning it off defeats the purpose of having it in the first place. Most websites let you disable it from the same security settings page, after proving you hold the second factor. Apple is stricter: once two-factor authentication has been on an Apple ID for more than a short grace period, it cannot be turned off. So if you’ve turned it on, plan to keep it on.
What is the strongest 2FA method?
There is no single answer, because the strongest method depends on the user’s needs, but the common methods are not equal. The usual options are an SMS verification code, a third-party authenticator app and a physical security key.
SMS codes are the easiest to use and the weakest: they can be captured through SIM swapping and relayed by a phishing page, and they tie your account to a phone number. An authenticator app removes the phone-number dependency and is a good default for most people. A physical security key using FIDO2/WebAuthn is the strongest option, because it signs a challenge bound to the genuine website and so cannot be phished. If you want maximum security, use a security key; if you want something quick and easy, use an authenticator app, and fall back to SMS only where nothing better is offered.
Why Is It Important to Turn On 2FA?
I strongly recommend enabling two-factor authentication (2FA) whenever possible. 2FA increases the security of your accounts. Even if someone guesses your password or finds it in a data breach, 2FA makes it much harder for them to access your account.
With 2FA enabled, anyone that attempts to log in will be required to provide a second piece of information in addition to a password. In many cases, this is a code number or phrase that will be provided in a text or an email or a code generated by an authentication app. They may also be required to provide biometric information, such as a fingerprint or facial