Two-Factor Authentication explained

You may have occasionally run across the term ‘2FA’ or, to give it its full name, ‘two-factor authentication’.

Some of your favourite apps might be offering this as an option in the settings. Most social networks have it too. If you have seen it, but don't know what it is or why you should use it – that is what I am going to explain today.

The fact is that 2FA has become popular in recent years, and it is a common method of increasing security these days.

Even so, it is possible that you were not aware of it and you wouldn't be alone.

But, if you are reading this now – that will soon end. By the bottom of this article, you'll know precisely what 2FA is and be a more secure internet user as a result of it.

2 Factor Authentication – What is it?

As mentioned, 2FA is a security system that came as a result of an increase in cyberattacks.

It has been around for a long while now, and it represents an extra layer in the security of your accounts.

It works by adding an extra barrier to accessing your accounts. That can be in the form of a randomly generated pin via an app, an SMS message or a hardware key often called a ‘security token’ or a ‘hardware token’, but I'll cover more on the different types later.

So rather than simply entering your usernames and passwords you need a further code or key to access your accounts.

It is now considered necessary, as well as one of the best ways of protecting your accounts. However, not enough regular internet users outside the tech world are making use of it.

By using 2FA you reduce your chances of becoming a victim of a random account attack. However, it remains questionable whether or not it would be enough to protect you if someone personally targets you.

2FA, for example, might come as a text message, with a code being sent to your mobile phone via SMS. However, those who are targeting you personally might be intercepting your texts, in which case this method might not work, but again we'll explore more on the limitations later in the article.

Why do I need 2FA?

You may think 2FA isn't all that necessary but as the following statistics show, that couldn't be further from the truth.

According to a Gallup study, it appears that Americans have become increasingly aware of the dangers of cyberspace.

71% of Americans are worried about their financial or personal data being stolen in a hack. At the same time, 67% of Americans worry about becoming a victim of identity theft.

Meanwhile, only 24% are worried about being affected by terrorism, and less than 20% about being sexually assaulted or murdered.

Not to mention that over 1.76 billion records leaked in January of this year alone, and the number of hackers, hacking attacks, and the cost of dealing with them is growing every year.

Finally, 91% of cyber attacks are a result of phishing emails, while at the same time – 92% of malware is delivered via email.

Improved security is of dire need, which is why you should be considering 2FA.

What types of 2FA are there?

As mentioned, the development of 2FA has led to the invention of several different methods of confirming your identity, the most common including:

1) App

One of the best examples is Google Authenticator, which is an app that you can configure in a way that will prove your identity when used. It is a handy way to gain access to your accounts without having to rely on codes and messages, emails and passwords, and the like.

You would, of course, need your phone or tablet handy when logging into accounts.

2) Physical Key

Alternatively, you could carry a physical key with you, such as the YubiKey. This can also be used for confirming your identity when needed by connecting it to the computer or, with newer versions, to your phone.

3) SMS Message

SMS message 2FA is likely the most common method of protecting your accounts. It is effortless, and when you try to log into your account, you are prevented until you enter a code that is sent to your phone via a text. This method is often used by banks, social networks, and many others.

While common, this method is increasingly being advised against because of the growing ability to intercept text messages.

What websites use 2FA?

2FA is becoming a standard form of protection, and many different websites and services are using it. Google uses it, and so do online banks, file storage services, game shops such as Uplay, and others.

Facebook has been offering it for years now, as well as other social networks. Payment services like PayPal also have it, and many others.

However, keep in mind that, while many offer it – not all of the sites and services have it yet. You cannot use 2FA on just any website; the site itself must offer it as an option.

You can check whether a website or a service you are interested in has 2FA by using the site There are others not mentioned in this list, but this is pretty extensive for the significant services and sites that support 2FA.

Frequently Asked Questions

Is 2FA vulnerable to hackers?

We already mentioned that 2FA could be bypassed in some instances. As with everything, nothing is infallible or “unhackable”.

For example, texts can be intercepted these days by anyone with a computer and some hacking knowledge. If you are a CEO of a major corporation, using SMS-based 2FA might not be the best course of action.

Twitter CEO, Jack Dorsey, knows this all too well in recent days since his own Twitter account was hacked. While this was a consequence of a SIM swap attack, it is one of the limitations of text-based two-step verification.

Famous former hacker Kevin Mitnick even showed his method of bypassing 2FA with a tool that can be weaponised and used for accessing almost any site.

For regular people, however, even text-based 2FA is better than not using anything.

If you are attacked as part of a more significant effort, and the hackers are not focusing on you specifically, 2FA should be good enough.

Why did passwords become so vulnerable?

Passwords have been around for almost as long as computers themselves.

But while IT technology has progressed from computers the size of rooms to devices you can fit in your pocket, the means by which we log into our devices and online accounts has remained largely the same.

There are lots more secure alternatives to passwords available to us, but still, the password remains the most common means of logging into a device.

One of the reasons that passwords are now more vulnerable than they were is this exact point.

The technology that can be used to crack passwords has come on in leaps and bounds while the guidance on how to set secure passwords has crept forward and still isn't getting through to a great many people.

The truth is that passwords have always been vulnerable. But in recent times, that vulnerability has grown as a result of three main reasons:

1. Multiple accounts

So much of our lives is conducted online these days and every online account we have requires a secure password.

We are opening more and more accounts than ever before.

The result is that we end up with far too many passwords to remember and this results in one of two things.

Either we recycle passwords on multiple accounts or we use weak passwords that are easy to remember.

Hackers love either of these trends as it makes it far easier to break into an online account. And once they have one password, there is a good chance they can access other accounts too.

2. Memory lapse

If you examine surveys of the most popular online passwords and surveys of hacked passwords that have leaked online, you will notice an alarming amount of overlap.

This is because an awful lot of people are still using simple, easy-to-remember passwords like 123456, qwerty, 111111, and password.

These passwords are also simple for even a novice hacker to guess too. If you are using passwords like these, you might as well not have a password at all.

3. Security fatigue

A lot of people will set off with good intentions and try to set strong passwords on their accounts.

But the influx of news about data hacks can have a negative impact and the sheer volume of passwords they start to have makes it feel like an impossible task. It is easy for security fatigue to set in and when it does, many people will revert back to their old and insecure ways.

What are authentication factors?

There are a number of different methods by which devices and accounts can authenticate their users.

The most common method depends on what is known as the ‘knowledge factor’. This usually means a user must have knowledge of a password or pin number in order to access an account or device.

Two-factor authentication methods usually apply the knowledge factor in the first instance but then follow this up with either a possession factor or an inherence factor.

These different methods of authentication are often not explained very clearly to users who tend to perceive two-factor authentication as a bit of an annoyance. But with more understanding of the methodology behind it, it is easy to understand why it works:

The most common authentication factors are:

Knowledge Factor – This is something that an individual knows such as a pin number, a password, or the answer to a security question.

Possession Factor – This method verifies something secure that is in a user's possession. The most common method of this type is a verification code being texted to a smartphone. It can also include things like security tokens, ID tags, and apps.

Inherence factor – This method is perhaps more commonly known as a biometric factor and requires something inherent to the user's physical person.

It could be a fingerprint, a retina scan, a voice pattern check, or a facial recognition scan. It can also include things like keystroke dynamics and other things classed as behavioural biometrics.

Location factor – This method usually focuses on the location where the login attempt is being made from.

Often it is done by monitoring a user's IP address or another type of geolocation data such as GPS data from a mobile phone. It is often enforced by limiting the places that you can log in from or the number of logins allowed from a certain location.

Time factor – This restricts logins to a certain time window and prevents anyone from accessing the account outside that approved window.

The last two methods on this list are employed far less frequently than the first three in two-factor authentication.

However, for particularly security-conscious programmes, it is not unknown for multifactor authentication to require three or even more of these methods to gain access to an account.

What are Push notifications for 2FA?

Push notifications are a method of authentication that doesn't require a password. Instead, a notification is sent directly to a secure app that has been downloaded onto the user's smartphone.

That app then notifies the user that an authentication attempt is happening.

The user is able to look at the details of the attempt and can choose to either approve or refuse the attempt through the app. Usually, this can be done with a single tap.

If approval is granted on the app, a request is then sent via a server back to the device where the login attempt is being made and that user can now access the account or device.

Push notification authentication is an effective way of preventing man-in-the-middle attacks, unauthorized access, and phishing and social engineering attacks. However, if the device with the app installed on it is hacked, this method of authentication has also been breached.

Push notification authentication is more secure than many other forms of authentication but it is not perfect.

As well as the risk of the device hosting the app being compromised, users could also inadvertently approve a fraudulent attempt, either by just tapping approve without looking or by accidentally approving the wrong notification.
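The push flow described above, sketched from the server's side as an added example (not code from this article or from any vendor). The names `PushServer` and `sign`, the 60-second expiry and the two-digit match number are assumptions; the match number, shown on the login screen and typed into the app, is one common way to blunt the blind or mistaken approvals mentioned above.

```python
import hashlib
import hmac
import secrets

TTL = 60  # seconds a prompt stays valid (assumed value)


def sign(device_key: bytes, cid: str, decision: str, number: str) -> str:
    """App side: bind the user's decision to one specific login attempt."""
    msg = "|".join((cid, decision, number)).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PushServer:
    """Hypothetical server that issues prompts and checks the app's reply."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key   # shared with the app at enrolment
        self.pending = {}              # challenge id -> (expiry, match number)

    def start_login(self, now: int):
        """Create a prompt; the match number appears on the login screen only."""
        cid = secrets.token_hex(8)
        number = f"{secrets.randbelow(100):02d}"
        self.pending[cid] = (now + TTL, number)
        return cid, number

    def finish_login(self, cid: str, decision: str, number: str,
                     tag: str, now: int) -> bool:
        entry = self.pending.pop(cid, None)   # single use, even on failure
        if entry is None or now > entry[0]:
            return False                      # unknown, replayed or expired
        expected = sign(self.device_key, cid, decision, number)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False                      # reply not from the enrolled app
        # An approval only counts if the user typed the number from the
        # real login screen, which an attacker's prompt would not show them.
        return decision == "approve" and number == entry[1]


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # constructed sample key
    server = PushServer(key)
    cid, number = server.start_login(now=1000)
    tag = sign(key, cid, "approve", number)
    print(server.finish_login(cid, "approve", number, tag, now=1010))  # True
    print(server.finish_login(cid, "approve", number, tag, now=1011))  # False
```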

Will two-factor authentication protect me?

Two-factor authentication is by no means perfect. It can be, and has been, compromised as far back as 2011, when RSA admitted that its SecurID authentication tokens had been breached.

Two-factor authentication is also unable to prevent accounts and devices from falling victim to different types of attack. Account recovery is one of the most vulnerable areas of two-factor authentication. This is the system where you can reset your passwords or user names if you have forgotten them.

Going through this system can make it possible for hackers to either disable two-factor authentication altogether or reset the details on a device that is already in their possession.

But while it does have its flaws, authentication is still significantly more secure with two-factor authentication enabled than when it isn't.

Even the most novice of hackers can compromise a password-protected account with relative ease. With two-factor authentication, you are not impervious to the most determined of professional hackers but most will be deterred.

The future of authentication

It is generally accepted that passwords no longer offer a sufficient level of security or an adequate user-friendly experience for the modern online world.

The standard advice to keep your passwords as secure as possible is to use a password manager but even these tools are based on the concept of a password database for each user which is, by its nature, insecure and outdated too.

This means that it will not be long before tech companies are looking beyond passwords for the next generation of secure authentication. Indeed, this process has already begun.

Passwordless authentication will become more and more common in the years ahead. This approach still gives users control over access. In a corporate setting, it also allows the IT management teams to control and monitor who is and isn't accessing different accounts.

Biometric authentication is the most recognisable form of biometric identification we have right now. This technology brings with it its own privacy dilemmas but does overcome many of the problems of passwords.

Another example is secure protocols. Protocols are a set of standards that make communication between an identity provider and a service provider more straightforward.

When an employee is authenticated to the identity provider, they can also be authenticated to access agreed accounts, services, and devices.

Other ways to stay secure online

Enabling 2FA is a significant first step to increasing your data security, but there are other measures you can take including:


2FA came to be as another security layer that is supposed to confirm your identity when accessing your accounts.

However, over the years, criminals have found methods of bypassing some of them. Like all security systems, it's an ever-changing cat and mouse game.

While some 2FA systems are susceptible, it is much safer to be securing your accounts with it than not.

Think of it like two identical houses, one with an alarm and one without. Which house would a burglar target?

Whatever method of 2FA you choose, be it an app for your mobile devices, a physical key fob or message-based, enabling it will keep your accounts that extra bit more secure, leaving the bad guys to go for the weaker, low-hanging fruit.

Illustrations © Yuliana92 & Ekinyalgin

Author: Ali Raza

Ali is a journalist with a keen interest in VPN usage. He is an expert in the field and has been covering VPN related topics for VPNCompare and numerous well-respected publications for many years.
