What is Two Factor Authentication? (2FA)

Two-step verification can add additional security to your password

A good password will only protect against certain types of hacker - add Two Factor Authentication to make your accounts really secure.

No matter how strong your password is, it won't help if it's leaked by a website or stolen by a virus. Two Factor Authentication exists for this reason: it gives hackers an extra hurdle to overcome.

Sometimes you may also see it called "Multi-Factor Authentication" (or MFA) - it's exactly the same thing.


What exactly is Two-Factor Authentication (2FA)?

Two-Factor Authentication (or 2FA for short) is an extra check - in addition to your password - that's used to verify you are who you claim you are.

An RSA token providing a two factor authentication code

You might also see the term Two Step Verification (2SV) used as well. Whilst this is technically slightly different to 2FA/MFA, both concepts are similar in that they involve an extra step beyond just a password. So whether a website calls it 2FA, MFA, or 2SV doesn't really matter - it's a great way to improve our security!

The secondary check used can vary but often involves having to type in a single-use code in addition to your regular password. This code could be sent as a text message, it could be generated by an app on your phone, or it could be displayed on a small device given to you in advance (banks often do this).

This works because any hacker would now have to find out this code in addition to your password, something that is much more difficult to pull off.

Two Factor Authentication is not a substitute for having a strong password - for the best protection on your accounts you need to use both.


When is it used?

Two Factor Authentication checks are often used when a website perceives an increased security risk, for example if you're logging in from a different computer to normal (Facebook use Two Factor Authentication for this purpose), or when you try changing your delivery address on a shopping website. Some sites (banks for example) might even ask for this security code every time you log in.

It’s worth enabling this extra security layer on your accounts when a website offers it - if your password were ever to be stolen then this extra security can still keep the attackers out.


What else do I need to know?

There are several ways you can get 2FA codes for logging into your accounts:

  • Sent as a text message;
  • From a special app on your phone (such as Google Authenticator);
  • Displayed on a little physical device.

There are other methods too but these are the main ones.

Not all methods are as secure as each other...

In the last few years some criminals have learnt how to intercept codes sent by text message, and have used this against some companies, such as the Metro Bank in the UK and Reddit.

Intercepting these messages still takes skill & determination and is extremely rare, but if you are looking for the best security (for your bank account, for example) then you should opt for using an authenticator app or code-generating device if you can - and not text message.

2FA codes generated on a phone app or physical device are far more secure than those sent as a text message.

That said, you shouldn't avoid using 2FA just because of this. Enhancing your account security with 2FA codes sent by text is still far more secure than not doing this at all!
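
For readers curious why app-generated codes cannot be intercepted in transit: authenticator apps such as Google Authenticator compute each code on the phone from a secret shared at setup plus the current time (the TOTP standard, RFC 6238), so nothing is sent to you at login. The sketch below is an added example, not code from this page or from any website mentioned here; the Verifier class and its names are hypothetical, and the secret is the published RFC 6238 test value.

```python
import base64, hashlib, hmac, struct, time

STEP = 30     # seconds each code stays valid
DIGITS = 6    # length of the code shown to the user

def totp(secret_b32: str, unix_time: float) -> str:
    """Code for the 30-second step containing unix_time (RFC 6238, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Website side (hypothetical): same secret, small clock-drift window,
    and every code accepted at most once."""
    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_step = -1   # newest time step already accepted

    def check(self, code: str, unix_time: float) -> bool:
        now_step = int(unix_time) // STEP
        for step in range(now_step - self.window, now_step + self.window + 1):
            if step <= self.last_step:
                continue      # this step's code was already used: reject replay
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False

# Constructed sample: the RFC 6238 test secret, base32-encoded as apps store it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)              # what the phone app would display
    site = Verifier(SECRET)
    print("code on phone:", code)
    print("first login  :", site.check(code, now))   # True
    print("same code again:", site.check(code, now)) # False, single use
```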


How do I set 2FA up?

To set up Two Factor Authentication on the websites you use check their own help pages:

If your favourite site isn’t listed here then try searching on their website for "2 factor", "login approvals", or "account verification". You can also check on the great website 2fa.directory.

When setting up 2FA be sure to get & safely store any recovery codes (the website should tell you about this), just in case you ever lose your phone or code-generating device!

