With two-factor authentication enabled, a stolen password on its own is no longer enough to get into your account.
Strong randomized passwords used to be the gold standard of password security, but they’re no longer effective as your accounts’ sole protective measure.
A study by the A. James Clark School of Engineering at the University of Maryland found that attacks on internet-connected computers occur roughly every 39 seconds, and Verizon's 2019 Data Breach Investigations Report (DBIR) found that about 80% of hacking-related breaches involved weak or stolen credentials. In other words, the breaches that exposed your login credentials were themselves most likely carried out with someone else's compromised credentials.
It has never been more important to secure your accounts with modern security measures, and few measures are as powerful and seamless as two-factor authentication (2FA). We’re going to take a closer look at two-factor authentication in this guide, discussing what it is, how it works, how you can enable it, and its limitations.
What is Two-Factor Authentication (2FA)?
Two-factor authentication (sometimes called two-step verification) is exactly what it sounds like – it’s a process that adds a second step in the login experience to verify your identity. One common example of this is a login attempt initiating a one-time password (OTP) being sent to your phone. In order to complete your login, you’ll need to pass the second step of authentication: entering the OTP.
This makes it far more difficult for an attacker to get into your account: even with a current, valid password, they also need a code from your chosen authenticator (such as the OTP we mentioned earlier), and a password leak does not give them that. There's nothing special about having "two" factors; two-factor is simply the most common form of multi-factor authentication (MFA).
As we’ll cover next in this guide, there are many different types of multi-factor authentication and authenticators. What they all share in common is adding an extra layer of security over all of your accounts, so you can ward off hackers even if your credentials are released in a data breach or are otherwise compromised.
How Does 2FA Work?
2FA refers to any process that verifies your identity through two approved factors. As we mentioned earlier, two-factor authentication is a form of multi-factor authentication that only uses two factors. Before we can get a full understanding of how it works, we need to know what authentication factors are and the common methods that are used to deploy them.
Understanding Authentication Factors
As the National Institute of Standards and Technology (NIST) puts it in Special Publication 800-63, authentication factors fall into three categories: something you know (such as a PIN or password), something you have (such as a cryptographic identification device), and something you are (biometrics, such as facial recognition).
- "Something you know," or knowledge factors, require you to demonstrate information that only you should know. Passwords and PINs are the common examples; the security questions you sometimes answer to reset a forgotten password are a weaker one, since the answers are often guessable or discoverable from public records.
- "Something you have," or possession factors, are physical items you registered in advance: hardware tokens, smart cards, wireless tags, or the phone that runs your authenticator app.
- "Something you are," or inherence factors, cover methods such as facial recognition, voice recognition, fingerprint scanning, and retina scanning. These are almost entirely unique to the individual, but unlike a password they cannot be changed if the data behind them leaks.
Two-factor authentication uses two factors from different categories: in practice, the knowledge factor (your login credentials) plus either a possession or an inherence factor. A password plus a security question is still a single factor. In the next section, we'll break down the many different authentication methods used to deploy these factors.
Common Authentication Methods
A one-time password (OTP) is the most familiar second factor, but not the only one. Any method works as long as it proves the second factor through something an attacker who only has your password does not have: a code from a device you enrolled, a fingerprint read by your phone after you enter your credentials, or a push notification sent to your phone asking whether you just tried to log in.
Let’s take a closer look at some other common 2FA methods:
- Email or text codes: The service sends a random code by SMS or email when you attempt to log in. It looks like using an OTP from a 2FA app, but the code is generated by the service and delivered over a channel you verified earlier rather than computed on your device. A variant is a one-time sign-in link sent by email, which signs you in directly when clicked. These are the weakest second factors: SMS can be redirected by a SIM-swap attack, and an emailed code is only as safe as your email account.
- Push notifications: Some services have their own authenticator apps that send a push notification to your phone whenever a login attempt is detected. The notification lets you approve or deny the attempt, and the app sends your answer back to the service. To help you judge whether the login is genuine, it usually shows details such as the approximate location or IP address of the attempt. Never approve a prompt you didn't trigger: an attacker who has your password can send prompts repeatedly hoping you tap Approve to make them stop, which is why newer implementations ask you to type a number shown on the login screen.
- Biometric authentication: As face, voice, and fingerprint recognition become standard on phones, biometric authentication is growing in popularity. It is notable for how seamless it is: instead of waiting for a text, opening it, and typing the code into a service, you touch the sensor. In practice the biometric unlocks a key stored on the device, so it is paired with a possession factor (the phone) rather than sent to the service.
- Physical two-factor token: This is a less common method, but one of the most secure ways to guard your accounts against unauthorized access. A token is a small device you carry that either displays codes or plugs in (or taps) as a USB or NFC security key. Keys built on the FIDO U2F/FIDO2 standards are phishing-resistant: the key signs a challenge bound to the real site's origin, so a look-alike site cannot obtain a response it can use.
Examples of Two-Factor Authentication
Putting it all together, 2FA works by withholding account access until you correctly respond to two factors of identity verification. As an example, if you enable two-factor authentication and try to log into your Gmail account on a new computer, you must first successfully pass the knowledge factor (the password; something you know).
Then, you must pass a second factor. If you have the Gmail app or the Google app installed, you may receive a push notification prompting you to approve or deny the login attempt. If you're using an authenticator app, like one of those we'll discuss next, you'll need to enter the code from the app before it expires. If you're using SMS or text-based authentication, you'll need to enter the code the service texted to you.
Only after you accomplish both of these factors will your identity be authorized, granting you access to your account. As you can see, even if a hacker gets access to your current login credentials, it won’t be enough to let them enter your account.
Why Use 2FA?
Traditional login experiences only require a username and password. If a user can provide them, they're assumed to be authorized. As you can imagine, this isn't a safe assumption. Attackers compromise login credentials constantly, so how can a website tell authorized users from unauthorized ones if both can pass the same authentication factor?
That's where two-factor authentication comes in. 2FA was designed to stop unauthorized users from accessing your accounts even if they already have your login information. This matters because even if you use unique random passwords and follow internet security best practices, your login information can still be leaked in a data breach of a service you use.
If that happens, 2FA is what keeps the leaked password from being enough. In a nutshell, enabling 2FA makes an attacker's job much harder: instead of using a leaked password from anywhere in the world, they also have to defeat your second factor, whether by stealing your phone, hijacking your phone number, or tricking you into handing over a code while it is still valid.
What are the Limits of 2FA?
Whatever limitations 2FA may have, it’s still one of the most robust and seamless account security precautions you can take. We highly recommend enabling it on all of your accounts, along with using strong randomized passwords. Keeping this in mind, here are a few scenarios where having 2FA enabled may be challenging:
- Your 2FA device is uncharged or broken: If you use a phone or physical token as your 2FA authenticator, one accidental dip in the pool, run through the laundry, or misplacement can cost you access to all of your 2FA-secured accounts at once. Recovery is still possible, but it's time-consuming, and if you're in a hurry, this could be a problem. Most services issue one-time backup codes when you enroll; store them somewhere safe and separate from the phone, and consider registering a second method (such as a spare security key).
- Email and SMS codes aren't as secure: An authenticator app or hardware key keeps the secret on the device. With SMS codes, an attacker can have your phone number moved to their own SIM (a SIM-swap attack) and receive your codes without ever touching your phone. With an email-based OTP, compromising your email account is enough to bypass 2FA, and if other 2FA-enabled accounts also send codes to that mailbox, the attacker can get into those as well.
- 2FA used against you: 2FA locks attackers out, but an attacker who does get into an account (for example, through a weak password-reset flow) can enroll their own phone or authenticator and remove yours, locking you out. Review the 2FA settings and recovery methods on your important accounts periodically.
- False sense of security: Just because you have 2FA enabled on your accounts, it doesn’t mean your accounts can’t be compromised. You still need to use strong passwords and follow internet security best practices.
Choosing An Authenticator & Enabling 2FA
Authentication software (or authenticators) are apps that generate one-time codes on your device. The codes are not random: each one is computed from a secret the service shared with your app at setup (via the QR code) and the current time, so the service can compute the same code and compare it with what you typed. As 2FA continues to grow in popularity, more and more authenticator apps are showing up on the major app stores, and the authentication process is becoming more streamlined.
In this section, we’ll give an overview of popular 2FA app providers and built-in authentication options offered by major social networks and retailers, and we’ll discuss how you can turn on two-step verification for each one of them.
Google Authenticator (Google 2 Step Authentication)
Google Authenticator is one of the most popular authenticator apps. It's free, and because it implements the standard time-based one-time password (TOTP) algorithm, it works with pretty much every service that offers an authenticator-app 2FA option. Once you've installed it, you simply scan the 2FA QR code shown by the service you want to protect; the QR code carries the shared secret. An entry then appears in the app, consisting of a customizable label, the current six-digit code, and a timer showing how long you have before the code changes (normally every 30 seconds).
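To make the two previous paragraphs concrete (how an authenticator turns a shared secret and the clock into a code, and what the enrollment QR code actually contains), here is an added example written for this page. It is not code from Google Authenticator, Microsoft Authenticator, or any service discussed here. It implements HOTP (RFC 4226) and TOTP (RFC 6238), parses the otpauth:// URI that 2FA QR codes encode, and shows the server-side check with a one-step clock-skew window and replay rejection. The function names, the `TotpVerifier` class, and the enrollment URI are this example's own; the URI is constructed around the RFC 6238 test secret so the codes can be checked against the RFC.

```python
"""TOTP as used by authenticator apps: HOTP (RFC 4226) keyed by a time counter (RFC 6238),
the otpauth:// URI carried by an enrollment QR code, and the server-side verification.
Added example; not code from Google Authenticator, Microsoft Authenticator or any service."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, keep the low digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros: "005924" is a valid code


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth://totp/<label>?secret=<base32>&... URI that an enrollment QR code encodes.
    Field names follow the widely used Key Uri format (secret, issuer, digits, period, algorithm)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = params["secret"].upper()
    b32 += "=" * (-len(b32) % 8)                   # issuers usually strip base32 padding; restore it
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


class TotpVerifier:
    """What the service does with the code you type: recompute it from the shared secret,
    tolerate one step of clock skew either way, and never accept a step that was already used."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, algo: str = "sha1", window: int = 1):
        self.secret, self.digits, self.step, self.algo, self.window = secret, digits, step, algo, window
        self._last_accepted_step = -1              # per-user state; persist it in a real deployment

    def verify(self, submitted: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self._last_accepted_step:   # replay: this step was already consumed
                continue
            expected = hotp(self.secret, candidate, self.digits, self.algo)
            if hmac.compare_digest(expected.encode(), submitted.encode()):  # constant-time compare
                self._last_accepted_step = candidate
                return True
        return False


# Constructed enrollment URI; the secret is the base32 form of the RFC 6238 test key "12345678901234567890".
DEMO_URI = ("otpauth://totp/Example:alice%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    enrolled = parse_otpauth(DEMO_URI)
    now = int(time.time())
    print(enrolled["label"], totp(enrolled["secret"], now, enrolled["period"], enrolled["digits"]))
```

Two details matter in practice. The verifier compares with `hmac.compare_digest` rather than `==` so that timing does not leak how many leading digits matched, and it remembers the last accepted time step so that a code an attacker phished or shoulder-surfed cannot be submitted a second time within the same 30-second window. A production service would also rate-limit attempts per account, since a six-digit code with a three-step window gives a guesser roughly a 3-in-a-million chance per try.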
Turn on 2 Step Verification (Google): Setting up Google Authenticator is simple. Make sure you have downloaded the app and have a Google account already created. Then:
- Log into your Google Account, go to the Navigation Panel, and tap Security.
- Under “Signing in to Google,” tap 2-Step Verification.
- In the “Add more second steps to verify it’s you” section, under “Authenticator app,” tap Set up.
- Follow the on-screen steps.
Microsoft Authenticator (Microsoft 2 Step Authentication)
Microsoft Authenticator is another popular authenticator app. Like Google Authenticator, it's free and available for Android and iOS, and it generates standard TOTP codes for any service that supports them. For Microsoft accounts it also offers one-tap approval of push notifications and passwordless sign-in, which streamlines the process by replacing typed codes with a prompt on your phone.
Turn on 2 Step Verification (Microsoft): Before you set up Microsoft Authenticator, make sure you have the app and have a Microsoft account already created. Then:
- Log into your Microsoft account, go to Security info
- Click Add Method and select the Authenticator App. A QR code will appear.
- On your Microsoft Authenticator app, click Add account > Scan the QR code.
Facebook 2FA
Facebook has a built-in 2FA option. Once enabled, it lets you use a third-party authenticator app or text-message codes sent by Facebook itself. Unlike the general-purpose authenticators we've discussed so far, Facebook's built-in text-code option is single-purpose: it only protects your Facebook account, and it carries the SMS weaknesses described above.
How to Enable Facebook 2FA:
- On Facebook, go to your Security and Login Settings.
- Scroll down to Use two-factor authentication and click Edit.
- Choose your security method, and then follow the on-screen instructions.
Amazon 2FA
Just like Facebook, Amazon offers two forms of second factor: third-party authenticator support or its own single-purpose two-step verification. Choose the third-party option if you already use an authenticator app like Google Authenticator. If you'd rather use text-based codes, you can use Amazon's SMS option.
How to Enable Amazon 2FA:
- On Amazon, go to Advanced Settings.
- Click Get Started to set up 2FA.
- Choose your security method, and follow on-screen instructions.
FAQ About 2FA
How do I get rid of two-factor authentication?
There’s no central way to disable all 2FA. You need to access each of your accounts with 2FA enabled and disable them individually. It isn’t recommended to disable 2FA since this will put your account at risk of being easily compromised.
Can two-factor authentication be hacked?
No security measure is absolute. Credential stuffing, social engineering, and credentials bought on underground markets are all paths into an account, and 2FA itself can be attacked: a phishing site can relay your password and one-time code to the real service while the code is still valid, an attacker can SIM-swap your phone number to receive SMS codes, or they can bombard you with push prompts until you approve one. Enabling 2FA still makes your account much harder to take over, because a leaked password alone stops being enough, and a hardware security key resists even the phishing relay.
What is the difference between two-factor authentication and two-step verification?
Google and several other providers treat the two terms as synonyms, and for most people the difference doesn't matter. Strictly speaking, two-step verification means the login has two sequential steps, while two-factor authentication means those steps draw on two different factor categories (see Understanding Authentication Factors above). A password followed by a code emailed to you is two steps; whether it counts as two factors depends on whether the mailbox is treated as something you have. A password followed by a code from a hardware key is both. Either way, it is one more hurdle that thwarts unauthorized account access.
2FA is an extra layer of protection and a practical way to secure your accounts against hacks and data breaches. Online threats don't end there, however: other exposures of your personal information also put you at risk.
Did you know that the average person appears on 46 people-search sites? These sites publish your private data, including your email address and other contact information, family details, income level, and more. It is easy to imagine what a bad actor could do with those records.
If you want to protect yourself from that kind of exposure, OneRep is here to help. Check out our plans and sign up for a free trial to start removing your personal information from people-search sites automatically.