Two-Factor Authentication explained


You may have occasionally run across the term ‘2FA’ or, to give it its full name, ‘two-factor authentication’.

Some of your favourite apps might be offering this. If you have seen it but don't know what it is or why you should use it, that is what I am going to explain today.

2FA has become popular in recent years, and it is a common method of adding an extra layer of account security.

After reading this article, you'll know precisely what 2FA is and be a more secure internet user as a result.

2 Factor Authentication – What is it?

2FA is a security system that adds an extra layer of protection to your accounts.

It works by adding an extra barrier, beyond your login details, whenever you access your user accounts.

That barrier can take the form of a randomly generated PIN from an authenticator app, an SMS message, a voice call, or a hardware key, often called a ‘security token’ or a ‘hardware token’.

Rather than simply entering your username and password, you need a further authentication code or key.

It is now considered one of the best ways of protecting online accounts. However, not enough regular internet users outside the tech world are making use of it.


By using 2FA or multi-factor authentication solutions (more than two factors, also referred to as MFA), you reduce your chances of becoming a victim of a random account attack.

However, it remains questionable whether it would be enough to protect you if someone personally targets you.

Two-step verification, for example, might come as a text message, with a code being sent to your mobile phone via SMS. However, those who are targeting you personally might be intercepting your texts, in which case this authentication method might not work.

Why do I need 2FA?

You may think two-step verification or multi-factor authentication isn't all that necessary, but as the following statistics show, that couldn't be further from the truth.

According to a Gallup study, it appears that Americans have become increasingly aware of the dangers of cyberspace.

71% of Americans are worried about their financial or personal data being stolen in a hack. On a similar level, 67% of Americans worry about becoming a victim of identity theft.

Meanwhile, only 24% are worried about being affected by terrorism, and less than 20% about being sexually assaulted or murdered by partners or others.


Over 533 million Facebook records were leaked in April of this year alone, and the number of hacking attacks and the cost of dealing with them are growing every year.

It's estimated that 91% of cyber attacks are the result of phishing emails, while 92% of malware is delivered by email.

Improved security is badly needed, which is why you should be considering 2FA.

What types of 2FA are there?

The development of two-factor authentication (2FA) and multi-factor authentication (MFA) has led to several different methods of confirming your identity, the most common being:

1) App

One of the best examples of a two-step verification app is Google Authenticator, an authenticator app that, once configured, generates codes that prove your identity when you log in.

An authenticator app is a handy way to gain access without having to rely on verification codes sent by message or email, extra passwords, and the like.

You would, of course, need your phone or tablet handy when logging in, to open the authenticator app and read off the code.
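To show what an authenticator app actually does behind the six-digit code, here is an added example (not code from the article or from Google Authenticator) implementing the open standard such apps use: HOTP (RFC 4226) and time-based TOTP (RFC 6238). The shared secret is established once at enrolment and never leaves the phone and the server; every 30 seconds both sides derive the same code from it. The verifier class is a server-side assumption of how such a check is typically done: it tolerates one time step of clock drift and refuses to accept a code twice. `RFC_TEST_SECRET` is the published test key from the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# The 20-byte test key from RFC 4226 / RFC 6238 ("12345678901234567890"), base32-encoded
# the way it would appear in an enrolment QR code. Used only for demonstration.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes=20):
    """Create a fresh random shared secret for a new enrolment (base32 for the QR code)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided into 30-second steps."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step, digits)


class TotpVerifier:
    """Server-side check for a submitted code (assumed design, not from the article).

    Accepts the current step plus `window` steps either side to absorb clock drift,
    and remembers the newest step already used so the same code cannot be replayed.
    """

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted, at=None):
        if at is None:
            at = int(time.time())
        current = at // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                          # that step (or an older one) was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    code = totp(secret)
    print("enrolment secret:", secret)
    print("current code:", code, "accepted:", TotpVerifier(secret).verify(code))
```

Because the code depends only on the secret and the clock, an attacker who can read your SMS gains nothing here; what they would need is the secret itself (hence the importance of guarding the enrolment QR code) or a phishing page that relays the code to the real site within the same 30-second window.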

2) Physical Key

Alternatively, you could carry a physical key with you, such as the YubiKey. These security keys confirm your identity when needed by being connected to the computer or, with newer versions, to your phone.


3) SMS Message

SMS message 2FA is one of the most common solutions for protecting your online accounts and user data.

It is effortless: when you try to access your account, you are held back until you enter a code that is sent to your phone number by text. Sending a code by SMS is used by banks, social networks, and many others.

Top Tip

Using your phone number and a texted code is increasingly advised against, because of the growing ability of attackers to intercept it.

What websites use 2FA?

Two-factor authentication (2FA) and, to a lesser extent, multi-factor authentication (MFA) solutions are becoming a standard form of protection, and many different websites and services use them.

Google uses it, and so do online banks, file storage services, game shops such as Uplay, and others. Any business that is serious about security should be using it.

Facebook has been offering it for years now, as well as other social networks. Payment services like PayPal and Coinbase also have it, and many others including Apple.

However, keep in mind that, while many offer it, not all sites and services have it yet. You cannot use 2FA on every site.

You can check whether a website or a service you are interested in has 2FA by using the site 2FA Directory.

Frequently Asked Questions

Is 2FA vulnerable to hackers?

We already mentioned that 2FA could be bypassed in some instances. As with everything, nothing is infallible or “unhackable”. Data breaches happen.

For example, texts can be intercepted these days by anyone with a computer and some hacking knowledge. If you are a CEO of a major corporation, using SMS-based 2FA security might not be the best course of action.

Twitter CEO Jack Dorsey knows this all too well, since his own Twitter account was hacked. While this was the consequence of a SIM swap attack, it illustrates one of the limitations of text-based two-step verification.


Famous former-hacker Kevin Mitnick even showed his method of bypassing 2FA with a tool that can be weaponised and used for accessing almost any site.

But text-based 2FA is still better security than not using anything.

As long as cyber-criminals are not focusing on you specifically, 2FA should be good enough.

Why did passwords become so vulnerable?

While tech has progressed from computers the size of rooms to a device you can fit in your pocket, the means by which we log into our devices and online accounts – passwords – has remained largely the same.

There are lots more security alternatives to a password available to us, but still, the password remains the most common means of logging into a hardware device.

Yet passwords are now more vulnerable than ever.

The technology to crack a password has come on in leaps and bounds while the guidance on how to set a secure password has not.

The truth is that passwords have always been vulnerable. But in recent times, that vulnerability has grown as a result of three main reasons:

1. Multiple accounts

So much of our lives is conducted online these days and every online account we have requires a secure password.

We are opening more and more accounts than ever before.

The result is that we end up with far too many passwords to remember and this results in one of two things.

Either we recycle them on multiple sites or we use weak ones that are easy to remember.

Hackers love either of these trends as it makes it far easier to break into an online account. And once they have one password, there is a good chance they can access others too.

2. Memory lapse

If you examine surveys of the most popular online passwords and surveys of hacked ones that have leaked online, you will notice an alarming amount of overlap.

This is because an awful lot of people are still using simple, easy-to-remember ones like 123456, qwerty, 111111, and password.

These are also simple for even a novice hacker to guess. If you are using passwords like these, you might as well not have a password at all.

3. Security fatigue

A lot of people will set off with good intentions and try to set a strong password on all their accounts.

But the influx of news about data hacks can have a negative impact and the sheer volume of passwords they start to have makes it feel like an impossible task. It is easy for security fatigue to set in and when it does, many people will revert back to their old and insecure ways.

What are authentication factors?

There are a number of different methods by which devices and accounts can authenticate their users in 2FA or multi-factor authentication systems.

The most common method depends on what is known as the ‘knowledge factor’. This usually means a user must know a password or PIN in order to access an account or device.

Two-factor authentication methods usually apply the knowledge factors in the first instance but then follow this up with either a possession factor or an inherence factor.

These different methods of authentication are often not explained very clearly to users who tend to perceive two-factor authentication as a bit of an annoyance. But with more understanding of the methodology behind it, it is easy to understand why it works:

The most common authentication factors are:

Knowledge Factor – This is something that an individual knows, such as a PIN, a password, or the answer to a security question.

Possession Factor – This method verifies something secure that is in a user's possession. The most common method of this type is a verification code being texted to a smartphone. It can also include things like security hardware tokens, ID tags, or an authentication app.

Inherence factor – This method is perhaps more commonly known as a biometric factor and requires something inherent to the user's physical person.

It could be a fingerprint, a retina scan, a voice pattern check, or a facial recognition scan. It can also include things like keystroke dynamics and other things classed as behavioural biometrics.

Location factor – This method usually focuses on the location where the login attempt is being made from.

Often it is done by monitoring a user's IP address or another type of geolocation data such as GPS data from a mobile phone. It is often enforced by limiting the places that you can log in from or the number of logins allowed from a certain location.

Time factor – This restricts logins to a certain time window and prevents anyone from being able to access the account outside that approved window.

The last two methods on this list are employed far less frequently than the first three in two-factor authentication.

However, for particularly security-conscious programmes, it is not unknown for multi-factor authentication to require three or even more of these methods to gain access to an account.

What are Push notifications for 2FA?

Push notifications are an authentication factor that doesn't require a password. Instead of a code, a notification is sent directly to a secure app that has been downloaded onto the user's smartphone.

That app then notifies the user that an authentication attempt is happening.

The user is able to look at the details of the attempt and can choose to either approve or refuse the attempt through the app. Usually, this can be done with a single tap.

If approval is granted on the app, a request is then sent via a server back to the device where the login attempt is being made and that user can now access the account or device.

Push notification authentication is an effective way of preventing man-in-the-middle attacks, unauthorized access, and phishing and social engineering attacks. However, if the device with the app installed on it is hacked, this method of authentication has also been breached.

Push notification authentication is more secure than many other forms of authentication but it is not perfect.

As well as the risk of the device hosting the app being compromised, users could also inadvertently approve a fraudulent hack either by just tapping approve without looking or accidentally approving the wrong notification.
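The approve-or-refuse loop described above, as an added example that is not code from the article or from any particular push-authentication product. It models the server side only: a login attempt creates a pending challenge with the details the app will display, the challenge expires if nobody answers, and a decision can be recorded only once. The two-digit matching number goes one step beyond what the article describes: it is a common defence against the blind-tap problem mentioned above, because the user has to type into the app a number shown on the login screen, which proves they looked at the attempt rather than approving whatever arrived. All names, the 60-second lifetime and the sample login details are assumptions constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushChallenge:
    """One pending login approval, as the authentication server stores it (assumed design)."""
    challenge_id: str          # random id carried by the push message and the reply
    user: str
    details: dict              # what the app shows: service, rough location, device, time
    match_number: str          # shown on the login page; user must enter it in the app
    created: float
    ttl: float = 60.0          # seconds the prompt stays answerable
    resolved: Optional[str] = None   # "approved", "denied" or "expired" once decided

    def is_expired(self, now):
        return now - self.created > self.ttl


class PushAuthServer:
    """Issues challenges for login attempts and records the phone's decision (assumed design)."""

    def __init__(self):
        self.pending = {}

    def start_login(self, user, details, now=None):
        """Called when a correct password arrives: create the second-factor prompt.

        In a real deployment the id and details go to the phone app and the
        match number is displayed on the login page the user is sitting at.
        """
        now = time.time() if now is None else now
        challenge = PushChallenge(
            challenge_id=secrets.token_urlsafe(16),
            user=user,
            details=details,
            match_number=f"{secrets.randbelow(100):02d}",
            created=now,
        )
        self.pending[challenge.challenge_id] = challenge
        return challenge

    def respond(self, challenge_id, approve, typed_number="", now=None):
        """Record the phone's decision. Returns the outcome as a short string."""
        now = time.time() if now is None else now
        challenge = self.pending.get(challenge_id)
        if challenge is None or challenge.resolved is not None:
            return "unknown_or_used"            # never issued, or already answered: no second chance
        if challenge.is_expired(now):
            challenge.resolved = "expired"
            return "expired"
        if not approve:
            challenge.resolved = "denied"
            return "denied"
        # Approving with the wrong number means the user did not read the prompt:
        # treat it as a denial and do not let the same prompt be retried.
        if not hmac.compare_digest(typed_number, challenge.match_number):
            challenge.resolved = "denied"
            return "denied"
        challenge.resolved = "approved"
        return "approved"

    def login_allowed(self, challenge_id):
        challenge = self.pending.get(challenge_id)
        return challenge is not None and challenge.resolved == "approved"


# Constructed sample login attempt, as the app would display it.
SAMPLE_DETAILS = {"service": "example-mail", "device": "Windows laptop", "where": "unrecognised network"}

if __name__ == "__main__":
    server = PushAuthServer()
    prompt = server.start_login("alice", SAMPLE_DETAILS)
    print("app shows:", prompt.details, "| login page shows number:", prompt.match_number)
    print("user types the number and taps approve:", server.respond(prompt.challenge_id, True, prompt.match_number))
    print("login allowed:", server.login_allowed(prompt.challenge_id))
```

Note what this design does and does not cover: a prompt the user never triggered can still be denied with one tap, a stale or replayed approval is rejected, and a careless approve without reading fails the number check; but, exactly as the article warns, if the phone running the app is itself compromised, the attacker can answer the prompt correctly and none of these checks help.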

Will two-factor authentication protect me?

Two-factor authentication is not perfect. It can and has been compromised as far back as 2011 when RSA admitted that its SecurID authentication hardware tokens had been breached.

Two-factor authentication is also unable to prevent accounts and devices falling victim to other types of attack. Account recovery is one of the most vulnerable areas of two-factor authentication. This is the system where you can reset your password or user name if you have forgotten them.

Going through this system can make it possible for hackers to either disable two-factor authentication altogether or reset the details on a device that is already in their possession.

But authentication is still significantly more secure with two-factor authentication enabled.

Even the most novice of hackers can compromise a password-protected account with relative ease. With two-factor authentication, most hackers will be deterred.

The future of authentication

It is generally accepted that passwords no longer offer a sufficient level of security or an adequate user experience for the modern online world.

The standard advice to keep your passwords as secure as possible is to use a password manager but even these tools are based on the concept of a password database for each user which is, by its nature, insecure and outdated too.

This means that it will not be long before reputable tech businesses start looking beyond passwords for the next generation of secure authentication.

Passwordless authentication will become more and more common in the years ahead. This approach still gives users control over access. In a corporate setting, it also allows the IT management teams to control and monitor who is and isn't accessing company systems.

Biometric authentication is the most recognisable form of passwordless authentication we have right now. This technology brings with it its own privacy dilemmas but does overcome many of the problems of passwords.

Another example is secure protocols: sets of standards that make communication between an identity provider and service providers more straightforward.

When an employee is authenticated to the identity provider, they can also be authenticated to access agreed services and devices.


Other ways to stay secure online

Enabling 2FA is a significant first step to increasing your user authentication data security, but there are other measures you can take including:

Summary

2FA came about as another security layer that confirms your identity when you access your accounts.

However, over the years, criminals have found methods of bypassing some security systems.

While some 2FA systems are susceptible, it is much safer to use them than not.

Think of it like two identical houses, one with an alarm and one without: which house would a burglar target?

Whatever method of 2FA you choose, be it an app for your mobile devices, a physical key fob or message-based codes, enabling it keeps everything that extra bit more secure and leaves the bad guys to go for the weaker, low-hanging fruit.

Illustrations © Yuliana92 & Ekinyalgin | Dreamstime.com

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 5 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.
