Two-Factor Authentication – what is it and how does it work?

Two-factor authentication is one of the most effective ways of securing an online account and will protect you from the majority of the most common account-hacking scams on the Internet. Yet it remains one of the most overlooked security tools.

So here we go into what two-factor authentication is and how it can protect you and thwart the crooks trying to scam you.

So what is Two-Factor Authentication then?

All Internet users will be all-too-familiar with the typical process of logging into an online account. You go to the website’s login page, type in your username and password, click login and voila, you’ve logged into your account. In fact most times it’s even easier than that, because your browser has remembered your password and username for you and either keeps you logged in or autofills the login textboxes.

You’ll notice that in this scenario, the single (only) level of security is the password (since usernames are generally considered public information). Consequently this scenario is called single-factor authentication.

The downside to this is clear: if a crook obtains your password, they’ll have access to your account. And while a password was once considered secure, so many commonplace scams – such as phishing attacks, malware, social engineering schemes, data breaches and credential stuffing attacks – have become incredibly effective at stealing passwords.

Two-Factor Authentication (or 2FA) introduces a second level of security to an account. It means that to log into an account, a user needs to verify their identity twice. Most popular websites and apps support 2FA. You will need to set up 2FA for each account you want to secure, and you need to set it up using the website or app’s own security options.

For most home users, this means complementing a password with an additional method of verification. What that is will depend on the user’s own preferences and the options available for a specific website or app. We take a look at some of the common options next.


Tip: One of the most common online scams targeting home users is the phishing scam aimed at stealing your password. 2FA prevents crooks from accessing your account if you fall for this scam.

Types of Two-Factor Authentication

What type of 2FA option you have on an account depends on the account you are securing, as different websites and apps support various options. We list the most common below.

SMS Codes

The earliest and most popular form of two-factor authentication is a code sent to your phone by SMS (text) message. After you enter your password, the website then asks you to enter the code to confirm your identity.

Of course this means giving your phone number to each website or app on which you want to enable 2FA, which many are hesitant to do. This method is also vulnerable to SIM-swapping scams.

Authenticator App

Instead of having a code sent to your phone, you could have your device generate a code using an authenticator app. This is one of the more preferred options currently since it is more secure than having a code sent via SMS.

The user needs to download and install the authenticator app on a mobile device such as a phone or tablet. The same authenticator app can be used to generate codes for multiple accounts.

Firstly, a user needs to link the authenticator app to each account they want to secure (instructions will be provided by the authenticator app and/or website).


The Google Authenticator app works with most websites and apps, not just Google.

And finally, once the app is installed, when logging in and being prompted for a code, the user just needs to open the authenticator app and enter the code it displays.

Push notifications

This option is popular with services like Google, where you will likely be logged into multiple devices at once, such as your phone, tablet and PC. A push notification is sent to a second trusted device that you’re logged into, asking you to confirm that it is you trying to log in on the first device.

So in this case, when trying to log in, after you enter your password you will get a notification on a second device where you are already logged in. All you need to do is confirm that it is you and you’re done.

Other alternatives

While used less frequently, 2FA can also include the use of biometric data (thumbprint, iris scan, facial recognition) and USB keys (e.g. YubiKey).


Will I need to complete 2FA every time I log in?

This will depend on the website or app you are logging into. One of the perceived downsides to 2FA is the extra effort needed when logging in (having to enter two pieces of information instead of just one).

However, many websites, notably Facebook, will add each device you’ve logged into your account using 2FA as a trusted device, meaning you only need to add the extra information once. Other websites, such as PayPal, will ask you every time you log in.

Is Two-Factor Authentication worth it?

The unequivocal answer here is yes. Two-factor authentication is readily available, easy to set up and use, is now widely supported and provides protection against the vast majority of online scams that target home users. Even if you consider yourself Internet-savvy, 2FA also offers protection against data breaches and credential stuffing attacks, which a person can do nothing about.

While online banking will come with its own protective measures, other sites including Facebook, Twitter, Instagram, eBay, Etsy, PayPal and a whole host of other sites and apps which likely contain sensitive or personal information about you can be protected using two-factor authentication.

The specific set-up instructions will vary from site to site, but you can easily find out how to set it up and what options are available to you using the website’s help feature.

Published by
Craig Haley