Two-factor authentication

Last reviewed January 2021

For decades, passwords have been our main means of authentication — the way we prove our identity to access a private resource, like email or a bank account. So long as your password is known only to you, your information and money remain very safe.

But the secrecy of a password can be compromised in several ways:

It might be leaked in a data breach.
You might be tricked into disclosing it by a phishing email.
Someone might guess it, or write software to automatically make thousands of guesses until one is correct.

As we depend increasingly on online transactions, and store more of our data in the cloud, the idea that a humble password stands between our private accounts and the rest of the world is becoming less acceptable.

A familiar concept

Think about chip and PIN. It makes your bank account more secure because you need two different things to use your debit card:

Something you have (the card).
Something you know (the PIN).

Previously, just having the card was enough. Anyone who obtained it could go shopping — assuming they could roughly imitate your signature (and doesn’t the idea of comparing signatures seem primitive now).

Online accounts

Chip and PIN is the most familiar form of two-factor authentication (2FA), but a similar approach is now common for online accounts.

Note: Some services call it two-step verification, and you might also see the more generic term multi-factor authentication. They’re the same thing.

If you have an account with Amazon, AOL, Apple, Facebook, Google, Microsoft or Yahoo, you should enable two-factor authentication because it greatly increases security. Many other companies offer it too.

Note: A study by Microsoft found that multi-factor authentication prevented over 99.9% of attacks on accounts from succeeding. It’s not often an invention proves so effective!

Logging in

Let’s use Gmail as an example. You already have a password; it’s the ‘thing you know’. With two-factor authentication, your mobile phone becomes the ‘thing you have’.

You go to check your email on your computer, and enter your password in the usual way. Google then texts or calls you with a one-time passcode that’s valid for a short time and can be used only once. Knowing this code proves your possession of the phone — a pretty good way to verify that you’re who you claim to be. You type the code into the computer, and Gmail opens.

It would be annoying to do this every time, so Google remembers your particular computer and only makes you repeat this process occasionally.

Thwarting hackers

Now imagine a hacker guesses your password, obtains it from a data breach, or tricks you into disclosing it via phishing. Their goal is to access your Gmail from their computer.

They get your password correct. But because their computer is unfamiliar, Gmail asks for a one-time passcode — which arrives, of course, on your phone. The hacker is thwarted because they don’t know the code.

Two-factor authentication is just a few small steps for you, and one giant leap for the security of your accounts! Once you’ve set it up, it will go a long way towards keeping hackers out, without inconveniencing you from day to day.

What if you lose your phone or have poor signal?

First, it’s a good idea to have more than one phone registered. These may include your mobile, landline, or a partner or friend’s phone.

Second, you might be able to install an authenticator app on your phone or tablet which can generate codes even when offline.

Finally, some companies offer extra options of their own. For example:

In the case of Apple, your Mac can receive codes.
With Google you can print 10 emergency codes to hide in a drawer or take travelling.