What is two-factor authentication?

Jul 14, 2020

What do Facebook, Instagram, LinkedIn, and Twitter have in common? They all offer two-factor authentication (also referred to as 2FA) — an extra layer of security designed to protect your accounts. Let’s dive deeper into two-factor authentication and learn how it works.

What is two-factor authentication (2FA)?

There are three types of authentication factors:

  • something you know (a password, PIN, or pattern);
  • something you have (a token, card, or phone);
  • something you are (a fingerprint, voice, or retina).

When you only have to enter your username and password, you are using single-factor authentication. Two-factor authentication adds one more step to the login process: after entering your credentials, you also have to verify your identity by typing a code received via SMS or from an authentication app, such as Google Authenticator, Authy, or Duo.
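The codes shown by authentication apps such as Google Authenticator are typically time-based one-time passwords (TOTP, RFC 6238). The sketch below is an added example, not code from this article or from any of the services it names: it shows how a server can check such a code and refuse to accept the same code twice. The names `SecondFactor`, `demo` and `SAMPLE_SECRET_B32` are hypothetical, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, the RFC 6238 default
DIGITS = 6     # code length most authenticator apps display

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 TOTP (HMAC-SHA1) for a given time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Hypothetical server-side check for one account's enrolled app."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already accepted (replay guard)

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        current = now // STEP
        # Allow one step of clock drift either side of the server's time.
        for step in range(current - window, current + window + 1):
            if step <= self.last_step:
                continue       # a code is single-use: never accept a step twice
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False

# Constructed sample: the RFC 6238 test secret, base32-encoded the way
# an enrollment QR code would carry it.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def demo() -> list:
    factor = SecondFactor(base64.b32decode(SAMPLE_SECRET_B32))
    now = 1111111109
    code = totp(factor.secret, now)
    return [code, factor.verify(code, now),   # fresh code: accepted
            factor.verify(code, now),          # replayed code: rejected
            factor.verify(code, now + 300)]    # five minutes later: expired

if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so that checking a guess takes the same time whether it is nearly right or completely wrong.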

Two-factor authentication is used extensively in banking operations, but is disabled by default in many other services — users can choose to turn it on manually.

Why should you enable two-factor authentication?

It’s enough for a hacker to know your name and email to build your online profile and crack your password. In 2019, Facebook experienced several data breaches, exposing the data of more than 800 million users. Sensitive information obtained through major breaches usually ends up for sale on the dark web.

With two-factor authentication, your account remains secure even if your password gets exposed.

But two-factor authentication isn’t a digital fortress — it has its vulnerabilities. SMS codes can be intercepted, and your smartphone might be stolen and used to log in to your accounts.

Do people use two-factor authentication?

The short answer is no. The reason why many people avoid using two-factor authentication is that it takes extra time. Google has revealed that only 10% of accounts linked to its services enable two-factor authentication. Surveys also suggest that half of Americans have never even heard about the feature.

Service providers have been trying to persuade people to use two-factor authentication, but without luck. They’re also afraid that if they force it upon users, those users might leave for their competitors.

When it comes to enterprises, it’s a whole different story. Companies own so much sensitive data that they don’t want to take chances and risk getting hacked. That’s why many of them give employees no choice but to use two-factor authentication.

Password is still the king

While two-factor authentication might seem like a lifesaver, it is important to understand that it doesn’t replace passwords — it’s just an additional step to boost your online security. So you should still use a strong password consisting of letters, numbers, and special characters. You don’t need to be a hacking expert to crack weak passwords, like “mycatbob” or “password200”. However, if your password looks more like k!kf8#764A*QY\%%TYd, it will be much harder to crack.

What happens if I lose my phone?

If you lose the phone you used to authenticate yourself, it’s not a big issue, as service providers support backup codes. We recommend printing those out and keeping them in a safe place.

Or try NordLocker. It’s an easy-to-use app that encrypts your files and keeps them securely locked on your computer or cloud storage. You can add all the sensitive files to your digital vault and access them whenever you need them.

Elisa Armstrong

Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.