Updated · Sep 26, 2022
What Is 2FA? [All You Need To Know]
Updated · Sep 07, 2022
Just what is 2FA and how does it protect you online? This article explores:
- how 2FA works
- its benefits
- possible flaws
- and similar security measures
If you’ve ever been confused by 2FA verification, here’s what it’s all about.
What Is 2FA?
2-factor authentication is a security process used both online and offline. It simply refers to the requirement of two levels of authentication before access is granted.
It is common for websites and apps to secure accounts behind a single username and/or password. This can be viewed as one factor of authentication.
Still, sometimes it’s not enough to prevent unauthorized access if these credentials fall into the wrong hands. It is increasingly common to require a second authentication method.
In theory, this could be any number of things. Commonly used second authentication factor options are:
- email or SMS security code
- physical security keys
- date of birth
- so-called ‘knowledge factor’ (the user can be prompted to answer a secret question, for instance)
2FA vs MFA
2FA security is also sometimes called multi-factor authentication. This is the exact same concept but MFA can refer to two or more factors being used.
When pitting 2FA vs multi factor authentication, having more than two factors is generally more secure. From a user experience perspective, however, this extra security step may not be worth the hassle. Moreover, three weak factors can be less secure than two strong factors.
For example, a password and facial recognition are stronger than a password and two weak knowledge factors like a mother’s maiden name or birthdate. That’s because the latter factors can be obtained by someone else via public records. On the other hand, it’s virtually impossible to use someone else’s face unless there’s an element of coercion or the recognition system itself is weak.
How Does 2FA Work?
On websites and apps, 2FA functions by adding an extra layer of security to your accounts beyond just the username and password. The second credential requires you to possess something that a hacker can’t steal easily, even if they have your username and password.
2FA is a concept, not a method. A common example of two factor authentication is the SMS or WhatsApp code PayPal occasionally asks for to verify it is really you. This is sent to the mobile number stored in your account, which only you should have access to.
Other types of 2FA that are used alongside a password include:
- email codes
- mobile authentication apps
- and authentication hardware
Why Is 2FA Better Than a Password?
Double authentication is better than a password because it offers two lines of defense. You must complete both steps to be able to log in. This means that even if someone else has your password, they still cannot gain access without completing the second step.
Passwords are often hacked. However, it is much less common for both a password and a secondary factor to be compromised and put together in the right manner by a hacker.
Technically, 2FA and a weak password are better than a stronger password on its own. However, the use of 2FA doesn’t mean you should become complacent about the safety of your passwords. It is still possible for someone to be able to use both factors.
Never use the password for your email account anywhere else. Because accessing other accounts with the same credentials is one of the first things a hacker will try once they have compromised a password. Sites and apps often use email addresses as usernames. It isn’t difficult to locate someone’s email address once a hacker has gotten hold of other information about them.
The Benefits of 2FA
There are many benefits to dual factor authentication and there’s no reason not to turn it on for as many apps, sites, and services as possible.
As a User
Password Breaches Don’t Matter as Much
Websites and businesses sometimes experience security breaches that result in databases of usernames and passwords being leaked online. Typically, this is discovered quickly at the source, and users are asked to change their passwords before being allowed back in. Some services let you check if your information has been disclosed in a leak. It’s surprising how often you’ll find your information on these kinds of lists.
These leaks tend to compromise secondary accounts where users have employed the exact same password and failed to update it after the leak.
In scenarios like this, two point authentication protects you because the second factor is still only accessible to you. Of course, you should change your passwords anyway, but the leak itself doesn’t matter that much anymore.
Prevent Fraud and Identity Theft
Not every security breach causes major harm to the victim. Many of us have throwaway accounts without much personal information on sites that we rarely use.
It’s when security breaches lead to fraud and identity theft that real problems can arise. This might result in financial loss for you and others, harm your reputation, and lead to further crimes.
In serious cases of fraud and identity theft, it can take years to clear your name and set things right. The culprit is often never found.
Taking the extra step of two way authentication is a simple way to protect yourself from cybercriminals and contribute to a safer society.
Protect Other Sensitive Personal Information
It’s not always about financial loss. A breached account can give the culprit access to other private information. The thought of someone else viewing your personal photos or conversations can be deeply embarrassing. Moreover, having those held at ransom or shared online can cause all sorts of stress and problems.
Using two factor authorization is a good way to keep your personal info private. You could even go the extra step of using a password-protected folder on your device for sensitive files or photos.
Stop Password Fatigue
Although it is wise to use a different strong password for every site, system, and app, you’ll reach a point where you cannot realistically remember them all. This is called password fatigue and commonly results in people reusing the same password. Or using easy-to-remember passwords.
As a Business
Secure Remote Work
One risk that has emerged with the increasing push towards working from home is decreased company security. Employees are introducing unsecured or compromised home devices. That’s because many of them might only be able to access the secure network on premises.
For example, a home computer might succumb to a keylogging attack, exposing work login details. Or a worker might put sensitive files on a storage device that isn’t password protected or encrypted.
There are many ways to solve this issue, such as designated work equipment and other policies. However, if everyone at home and at work adheres to the 2FA method, a security breach is unlikely.
Increase Trust in Your Business
If you run an online business, customers like to know their data is safe. Enforcing 2-factor authorization can be irritating. But users still recognize it as a necessary measure and trust you all the more.
A happy medium is to encourage its use but make it an optional setting.
Once implemented, 2FA is an automated process. Therefore, it is more cost-effective to protect your users from the beginning than dealing with the matter should a security breach occur. Even notifying users of suspicious activity costs time and money.
Similarly, if your business network is compromised internally, it could cost you a lot of money to fix. Especially if you hold any financial information.
Requiring customers and everyone behind the scenes to do a 2FA sign in to access their accounts is like an insurance policy against potential loss.
Many industries are now mandated to protect consumers’ privacy and mitigate security risks. This is often required by laws like GDPR and HIPAA that introduce specific regulatory standards.
2FA and encryption provide that basic level of security to help your business or organization comply with these regulations.
Ultimately, it’s better to do all you can for security than simply tick the box.
Types of 2FA
Now that we’ve learned the 2FA meaning and its benefits, here are some of the different types of 2FA and how they’re commonly used:
If a site uses SMS authentication, you will:
- need to provide your mobile phone number
- when you attempt to log in with your username and password, you will be automatically prompted to click a link and receive a short code by text message
- enter this code (sometimes within a set timeframe) to complete the sign-in process
This form of 2FA verification is often preferred because it does not require the extra step of installing an app. Furthermore, because you must have physical possession of the device, it’s seen as more secure than email authentication. However, phone-number-based hacks can still leave you vulnerable.
You must also remember to keep your phone on your person and update the stored phone number if you change it. Problems could also arise if your phone is:
- out of charge
- or not connected to your cellular network
2FA by email follows the same process as SMS authentication:
- enter your username and password
- a code will be sent to your email address
- copy this or enter it manually to gain access to your account
When this type of 2FA is required, the best practice is to have a different password to your email account than the account you’re logging into. Otherwise, if the password is compromised, the attacker could also compromise your email account.
An authenticator app generates a code locally on your mobile device instead of receiving it via SMS or email. Google Authenticator is one popular example. It has the same benefits as an SMS — you need to be in physical possession of the device. However, once set up, it also works even if you are not connected to your cellular network.
If a site uses this method, you will be prompted to download the authenticator app, scan a QR code, or otherwise download a secret key to your device. Some sites allow you to download this key to multiple devices and you can even print out the QR code variety for physical safekeeping.
Whenever you log in, you simply open the authenticator app and generate a new code, which is based on this unique key.
Its main strength is also its drawback. If your device is lost, damaged, or stolen, it cannot be used to authenticate your login and you could be locked out of your account.
A multi factor authentication device is a small piece of hardware using USB, Bluetooth, or NFC technology to authenticate a login. The site will walk you through how to use 2FA in this manner, but this is how it usually works:
- you’ll need to first register your device, which is often called a security key or Universal Second Factor (U2F) device
- whenever you enter your username and password, you will also be prompted to plug in or turn on your key by tapping a button that links it to your phone
- your security key generates two 2FA tokens upon registration – one public and one private
- the public token is sent to the site; then when you log in, the site sends a challenge to your key, and it signs it using the private token
- if this matches the public token, you are authenticated
U2F is not that common, and browsers have only recently included this feature natively. Nonetheless, it is one of the most secure forms of 2FA. It can only respond to the site in question, and you need to be in physical possession of the device.
It’s also convenient because you don’t need to enter any codes manually and you can store multiple sites on one device. Each identity is unique, so you cannot be tracked between sites.
The downside is that the device costs money, although the use of a regular USB stick or having the feature already built-in to smartphones is becoming standard.
Biometric 2FA is most common on mobile devices. This requires you to show your face to the selfie camera or use the built-in fingerprint sensor as a secondary authentication factor.
An increasingly popular method of biometric 2FA is used by financial apps when registering with a new mobile device. This requires the user to take a photo or short video. Sometimes an automated facial recognition process verifies your likeness, drawing from a photo ID already on file. Other times, the financial institution will manually verify the image.
Google, Apple, and some other services use push notifications to authenticate your identity. This is commonly used when logging into a service using a device that isn’t recognized. A prompt will be sent to a trusted device asking if it was you attempting to log in. Accepting this authenticates the login and adds the new device to the trusted devices list.
You only need to accept the prompt and do not need a code.
Variations of this process are used as simple warnings rather than for authentication.
Push notifications are also sometimes used as a standard two-factor user authentication method. The drawback is that it requires a data connection. In the case of ‘trusted devices’, it also requires that you are in possession of the trusted device.
How To Set Up 2FA on Your Google Account
To use the 2FA service on your Google account, do the following:
- go to your account page, at myaccount.google.com
- select the ‘Security’ option
- under ‘Signing in to Google,’ hit ‘2-Step Verification’ and then ‘Get Started’
You’ll be guided through numerous options to add a second verification step when signing into your account.
Using Google Prompts
Firstly, Google recommends push notifications, called Google Prompts. This requires a mobile device, even if you plan to use a desktop. When you attempt to log in, any Android devices or iPhones where you are already signed in will receive a notification asking if it was you. It will display the device type and location info.
Simply tap ‘yes’ or ‘no’ to proceed. Occasionally Google will request your phone PIN as the third step in this process.
Via Text Message or Automated Phone Call
Secondly, you can use a text message or automated phone call to receive a one-off verification code. This may only be sent to a number already associated with your account.
Google also has its own authenticator app that can generate a code on your mobile device, even if you don’t have mobile service.
The final 2FA method is to use a security key. Google recommends:
- the Titan
- YubiKey 5
- or the Feitian MultiPass and ePass FIDO 2-in-1 Bundle
You can also use a built-in security key within your smartphone.
To register your key, simply select the ‘Choose your security key’ option under ‘2-Step Verification’ and follow the steps. Some trusted devices will already be listed.
Because you mostly stay logged in on Google, two-factor authentication only applies when you actively log out and log back in or attempt to sign in via a new or unknown device. Push notifications are particularly beneficial because you will instantly know if someone else is trying to access your account based on the location data and device type.
2FA Best Practices
2FA, meaning two factors, is best implemented when using completely different categories of user authentication. Although there is no hard rule, these are widely accepted as:
- Knowledge – Knowing hidden information such as a password or answers to security questions.
- Possession – Something you must have access to, such as a phone to receive an SMS code or a physical security key.
- Inherence – A factor inherent to you, such as your facial features for facial recognition.
It is best practice to combine two of the above categories rather than using, for example, two knowledge factors. Moreover, 2FA is not an excuse to use a weak password like a name or common object.
The possession category comes with some obvious flaws. If you lose the device, you are unable to pass authentication. Therefore, it is best to register multiple phone numbers, use multiple apps, or have backup security keys, whenever possible.
Although it should go without saying, remember to download, print, or otherwise store your recovery codes if given the option. These codes are typically a long string of characters that act as a one-time password if you lose your phone or security key where 2FA has been enabled.
Is 2FA Secure Enough?
2FA is currently the most secure and practical form of user authentication. The prevailing hacking methods exploit human weaknesses. For example, hackers can convince cellular carriers that their phone was lost or stolen. They can then send them a replacement SIM with their target’s phone number on it.
Likewise, authenticator apps have been compromised because the user was fooled into installing malware that hijacks the device and sends the codes to the hacker. Even biometric data has occasionally been stolen from the servers that store it.
Nonetheless, these types of breaches are rare and require a high level of sophistication. Hackers typically prefer mass automated methods and weaker targets, such as those that don’t use 2FA at all. In fact, to put it into perspective, Microsoft says 99.9% of all automated cyberattacks on its systems could be prevented by using 2FA solutions.
Other Factors of Authentication
We’ve answered the question ‘what is 2FA’? Yet, what about other authentication methods? In theory, there is no limit to the number of factors you can use. However, public-facing services rarely go beyond two because the process becomes time-consuming and impractical if more factors are used.
Three-factor authentication is more common within businesses and government agencies that handle highly sensitive information.
Like in 2FA, the three factors must come from entirely different categories to qualify. For instance, it’s a bad idea to simply have three passwords.
One factor should involve knowledge, such as a password. Second, there should be a possession factor — such as a security key. And thirdly — an inherence factor, such as a fingerprint or retina scan.
Lesser-known factors include location and behavior. Location is often used in the context of geolocation, such as an IP address or using a credit card in a foreign country. Behavior refers to pattern-based passwords, like drawing a pattern on a grid.
Who Uses 2FA?
2FA security is used worldwide in virtually every industry with computer systems. Although it is very common today on the web, other uses include:
- Healthcare – Attending a doctor’s appointment requires knowledge of the time and a verifier like your birthdate or postcode upon arrival.
- Defense – As well as online, the defense industry uses 2FA in the physical world to access secure areas. This includes doors that require both a keycard and a facial recognition scan to grant clearance.
- Aviation – Pilots use security keys to access digital flight chart information, rosters, and other updates.
- Finance – ATM machines require your card and a PIN number.
In fact, the idea of two-factor authentication came even before the public accessed online services. In 1967, a Barclays bank in London unveiled the first ATM, which allowed customers to insert a cheque in their ‘possession’ and enter a PIN that only they ‘knew’ to cash it.
Two decades later RSA began selling the first two-factor security key fob often used by large corporations and government agencies.
Today we looked at the definition of 2FA, how the protocol works, and why everyone should use it. While it’s an extra hassle, when weighing up two-factor authentication pros and cons, it poses a massive improvement over using only a password.
Now’s as good a time as any to check your accounts and turn on this feature!
What are the two factors used in two factor authentication?
2FA stands for two factor authentication, meaning there are two aspects to the security process. The two factors used in two factor authentication vary, though one of them is almost always a password of some kind.
The second factor is commonly:
- a code sent by email or SMS
- a security token
- or biometrics
Mobile apps often use the latter due to built-in mechanisms for fingerprint and facial scanning.
What is a 2FA code?
A 2FA code is a secondary factor in authorizing a login. Depending on your chosen settings and the individual app or website, you will receive either an email or SMS text message. This is sent after you correctly enter your username and password to sign in.
You must enter this code before access is granted. In some cases, there may be a timer associated with the code. Once it runs out, the code expires. You will then need to click an option to resend the code again or repeat the entire login process.
How to enable 2 factor authentication on Fortnite?
To get 2FA on Fortnite, go to your ‘Account’ page and ‘Password and Security’ tab on epicgames.com. Click on ‘Two-factor authentication’ and choose between:
- a ‘Third-party authenticator app’
- or email
If you use SMS or email, a simple code is sent to you after entering your login credentials. You should enter this code to complete the process.
If using the app method, Epic Games recommends:
- Google Authenticator
- Microsoft Authenticator
- or Authy
You must download this on a mobile device and scan the QR code given by Epic. Then, when you log in, use the security code generated by your app as an additional step.
It is important to enable 2FA on Fortnite to send gifts and take part in competitive events. Once it’s enabled, you’ll also receive the Boogie Down emote as a thank you.
Is two factor authentication good?
Yes, for general use, two part authentication is the best method of security. It is much stronger than just using a password.
For example, if a hacker somehow obtains your username and password to a website, a secondary factor keeps them locked out. They would also need access to your phone, email, biometrics, authentication device, or whatever secondary factor is required. All of this takes considerably more effort on the hacker’s part and makes a breach unlikely to occur.
Does 2FA cost money?
No, 2FA does not usually cost money for the end user. 2FA only costs money for the end user if they use a hardware-based security key. That said, it may cost developers and businesses to implement 2FA on their sites, apps, and services.
What is 2FA on Discord?
2FA on Discord is an optional security measure. It requires you to use either the Authy or Google Authenticator apps to add a second step after successfully entering your login details.
To set this up:
- you must have access to a mobile device
- go to ‘My Account’ and tap the ‘Enable Two-Factor Auth’ button
- you will then be prompted to download either app and then scan the given QR code
- this links your device to Discord; whenever you log in, you must open the authenticator app on this device to generate a unique code, which is used alongside your login credentials
This process makes sure your device stays well-protected. And after all what is 2FA if not a way to secure your devices and information?
A qualified journalist and longtime web content writer, Keelan has a passion for exploring information and learning new things. If he's not writing or pushing his own brands, you'll find him watching pro wrestling or trying not to rant about politics online.
Latest from Author
Your email address will not be published.