Two-factor authentication (often shortened to 2FA) provides a way of ‘double-checking’ that you’re really the person you’re claiming to be when you log into your online accounts, such as banking, email or social media.

When you log into an online account with a username and password, you’re using what’s called single-factor authentication. You only need one thing to verify that you are who you say you are.

With 2FA, you need to provide two things – your password and something else such as a code sent to your mobile device or your fingerprint – before you can access your account.

Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts, because knowing the victim’s password alone is not enough to pass the authentication check.

While it does add one extra step to the log-in process, it provides a much stronger defence for your account. If your password is hacked (accessed by someone else without your permission) and you have 2FA activated on your account, the hacker still cannot gain access, because they need both levels of authentication.

How do you set up 2FA?

Some online services will automatically prompt you for a second factor when you log in. However, many don’t, so you will need to activate it yourself. You’ll find the option to switch on 2FA in the security or privacy settings of your online accounts (it may also be called ‘two-step verification’).

There are several types of 2FA available based on either something you know, something you have or something you are. Examples include:

  • SMS codes sent to your phone
  • security questions set up by you, which only you would know the answers to when prompted
  • a physical device, like a security token that generates temporary access codes
  • software, such as an authenticator app, that sends a notification to your smartphone (or tablet) or provides a temporary access code. Once you’ve installed one, you can use the same app when setting up 2FA on any accounts that offer this option.
  • fingerprint scans
  • voice recognition.

Some accounts, for example Gmail, also give you a list of backup codes when you switch on 2FA. When asked for a code you can use one of these, but each code will only work once, so you’ll need to generate more when you’ve used them all. Backup codes are really useful if you need to log in without a phone to hand. You will need to store the codes somewhere safe.
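To show what is happening behind the “temporary access code” an authenticator app provides, and why a backup code can only be used once, here is a small worked example. It is added to this page for illustration and is not code from any of the services or resources mentioned. It implements the standard time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps use, checks it against the test vectors published in that RFC, and models a single-use backup-code list in which only hashes of the codes are kept by the service. The class and function names are my own choices.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over an 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. The authenticator app and the service
    share `key`; the code changes every `step` seconds."""
    return hotp(key, int(for_time) // step, digits, algo)


def verify_totp(key: bytes, submitted: str, for_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current interval and
    `window` intervals either side to tolerate clock drift. A constant-time
    comparison avoids leaking how many characters matched."""
    counter = int(for_time) // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(key, counter + delta, digits, hashlib.sha1)
        # Do not short-circuit: check every candidate so timing is uniform.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


class BackupCodes:
    """Single-use backup codes. The service stores only SHA-256 hashes, so a
    database leak does not reveal usable codes; each hash is deleted on use,
    which is what makes a code work exactly once."""

    def __init__(self, count: int = 10):
        # Plain codes are shown to the user once at set-up time.
        self.plain = [secrets.token_hex(4) for _ in range(count)]
        self._hashes = {self._hash(c) for c in self.plain}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.remove(h)   # burn it: a second use must fail
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), constructed sample.
    rfc_key = b"12345678901234567890"
    print("TOTP at t=59:", totp(rfc_key, 59))            # 287082
    print("valid:", verify_totp(rfc_key, "287082", 59))  # True
    codes = BackupCodes(3)
    first = codes.plain[0]
    print("first use:", codes.redeem(first), "second use:", codes.redeem(first))
```

The RFC test vectors are the practical check here: if your own TOTP implementation does not produce 287082 for the RFC key at time 59 and 07081804 (8 digits) at time 1111111109, it will not agree with a real authenticator app. The `window` parameter is the usual trade-off between tolerating a phone whose clock is slightly off and shrinking the number of codes that are valid at any moment.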

It is recommended that you:

  • wherever possible, activate two-factor authentication (2FA)
  • use strong passwords / passphrases and keep them safe
  • do not use the same passwords across multiple sites
  • use a password manager to keep track of all your passwords and log-in details.

Resources:
https://www.staysmartonline.gov.au/
https://searchsecurity.techtarget.com/