What is two-factor authentication and how to use it?

Cyber criminals are always on the prowl. Two-factor authentication is one of the most effective ways of protecting your online accounts. It helps prevent hackers from getting their hands on your money and personal data – even if they have your password.


Holly Niblett
From the Digital team
Posted 11 DECEMBER 2020

What is two-factor authentication?

Two-factor authentication, or 2FA, adds an extra layer of security to the login process online. It’s a simple way of confirming your identity twice to reduce the risk of you being hacked.

There was a 34% rise in hacking incidents in the UK in the year ending June 2020. And the coronavirus crisis has only made cyber attackers hungrier for people’s passwords. That’s why a growing number of websites are using 2FA to step up protection.

You’ll probably have already used 2FA if you’ve set up a new Google account or tried logging into your online bank account from a new laptop, for example.

How does two-factor authentication work?

Two-factor authentication is so named because it requires a second layer of security to log into a website or access an online account.

You’ll still find that, with most websites, all you need is your username (or email address) and password to log in. These use one-factor authentication because only the password secures the account.

A 2FA login works by combining your password with something else you have that can confirm your identity, like your smartphone or fingerprint.

Technology is advancing all the time on this but, in most cases, you’ll start by entering your username and password into a website. You’ll then be sent a six-digit code via text message to your mobile phone. This code is called an authenticator, or sometimes it’s known as a passcode or verification code. You can only finish signing into the website by entering the code that appears on your mobile.

Two-step authentication is most commonly used by online services that handle sensitive data, including banking and financial services, e-commerce, social media and business applications.

What types of 2FA are there?

There are several kinds of 2FA available, but these are the ones you’re most likely to come across:

  • SMS: You receive a text message giving you a code that you must enter into a website or account before you can access it.
  • Biometrics: With many of the newer smartphones and tablets, you can verify your identity through a fingerprint or face scanner to log into a site.
  • Authenticator apps: You download an app to your phone and scan a QR code (a type of barcode) linked to your account. The next time you log in, you’ll be asked to input a code. Simply open the authenticator app to get a randomly-generated code.
  • Hardware keys: You insert a physical security key, like a USB token, into your device before logging on. This is considered the most secure type of 2FA as it’s almost impossible for hackers to intercept.

How secure is two-factor authentication?

While 2FA is a powerful tool in keeping cyber criminals at bay, it can never be 100% bulletproof.

If a hacker is determined enough, there are ways they could bypass two-factor authentication to access your data. For instance, the account-recovery process for a lost password could be hijacked by hackers to get round two-factor authentication.

Sophisticated malware can also redirect authentication messages to a device belonging to a hacker.

But if you’re still using the password 12345 (a very bad idea), 2FA at least stops you from leaving yourself quite so open to attack.

How do you enable 2FA?

Two-factor authentication is now available on a wide variety of websites, accounts and apps.

The options for enabling 2FA will vary slightly for each site, but typically you’ll find them in the security settings for your account.

With some websites, you’ll have to confirm your login each time. Others will only alert you if you’re signing in from a new device or a different browser.

It’s worth protecting the accounts you use most often, including your email and social media. Your bank should have its own security checks for online banking and shopping.

How it works with Google

Let’s look at how 2FA works in practice. With Google 2-Step Verification, you first enter your password to sign into your account as normal. This includes Gmail. You’ll then be sent a code to your phone via text, voice call or mobile app. If you have a Security Key, you can insert it into your computer’s USB port.

You won’t have to use the 2-Step Verification again on that computer if you choose not to. You’ll only have to use it again if you sign into your account from another computer that doesn’t recognise who you are.

Some other popular sites that enable 2FA include:

  • Facebook
  • Twitter
  • WhatsApp
  • Apple
  • Amazon
  • Instagram
  • PayPal
  • LinkedIn
