What is two-factor authentication, or 2FA, and how does it work?

Two-factor authentication, also known as 2FA, requires an additional piece of information to log into a service. Normally people just enter a username and password. But if the password is easy to guess, or has been stolen, the entire account could be compromised.

Two-factor authentication is increasingly popular as it helps add an additional layer of security to your accounts. It tries to ensure that only you can log into your account. You have probably been using two-factor authentication without realizing it. For example, if you want to reset your password on a particular site, you’re sometimes asked for your mother’s maiden name, or the name of your first pet. The idea behind this is that someone might know your password, but they won’t know your own personal information.

So when you enter only your username and password, that is single-factor authentication. Two-factor authentication, meanwhile, requires a user to input two out of three of the following credentials before being able to access an account. These are:

  • Something you know – such as a PIN code, password or pattern
  • Something you have – such as an ATM card, smartphone, or fob
  • Something you are – such as a fingerprint, iris scan or voice recognition print

If you take online banking as an example, people often have a security token: they insert their card into it and enter their PIN. The token then generates a code that is entered alongside their username and password to prove that the person trying to log in has their bank card present.

Many social media services also have this process. You can update your settings so that every time you try to log in, you are sent a code. This could be sent either to your email or to your phone. You then enter this code to complete the login process.

It is generally accepted that using two-factor authentication is a good idea if it is offered. It might slow down your login, but that’s a small price to pay when the alternative is someone stealing your personal information, or logging into your account and pretending to be you.