Everything you need to know about two-factor authentication

There is a paradox when it comes to passwords. It’s easy enough to recall the same email address for the many, many site logins we collect these days. But we’re also supposed to come up with complex passwords to protect our accounts.

The catch, though, is complex passwords are hard to remember, and security experts warn against jotting them down. This is why way too many people still opt to use passwords that are easy to remember; but easy to remember also means easy to crack. Thankfully, there’s a way around low-bar passwords and account leaks that offers an extra layer of protection: two-factor authentication (2FA).

Two-factor authentication is a modern answer to the age-old terrible-password problem. While we still absolutely advise using a combination of 2FA and a complicated password, the latter is made easier by using a password manager, two-factor authentication creates a layer of security that’s infinitely trickier for low-effort hackers to bypass.

Adding two-factor authentication to any supported online accounts you have means logging in isn’t as simple as entering the correct username and password. Instead, once a correct username and password has been entered, a 2FA-protected account will then ask for a separate code to be inputted before you can get beyond the login screen.

Depending on the type of two-factor authentication, the code may be generated by a dedicated smartphone app or it may be a code that’s texted or emailed to your nominated mobile number or email address. Alternatively, it could involve approving a login request or selecting from a few code choices that correspond with a login request. Certain 2FA accounts use a physical token that randomly generates token codes, like what certain banks provide.

Even if you or someone else uses the correct username and password, there’s no to access the account without the correct 2FA code. On one hand, this makes lazy passwords and data leaks less of a pressing concern. On the other hand, it also means you need access to your phone, nominated email address, or 2FA token whenever you want to log in. To help with convenience, certain 2FA accounts will allow you to nominate trusted devices or browsers, which means you don’t have to reach for your phone whenever you log in.

It’s the account provider that determines how two-factor authentication works. For most services that support the security feature, two-factor authentication is disabled by default, which means you need to activate it. After activation, you must confirm it’s working by inputting the generated code to verify it’s properly linked to your account credentials.

At the time you activate two-factor authentication, you’ll usually also receive a ‘secret key’ that allows you to get into your account in the event that you lose access to the device that generates the 2FA codes. This is a very important key, and you should save it in a secure place: either a password-protected folder or within a password manager.

Where the 2FA code comes from is also determined by the account provider. For instance, Google Authenticator is a popular 2FA tool for storing multiple six-digit authentication codes, each of which update every 60 seconds. Eligible accounts are added to Google Authenticator by scanning a corresponding QR code or entering a setup key. Google Authenticator was recently updated to make the user click to reveal the time-limited PIN.

Other services from the likes of Microsoft and Battle.net have dedicated two-actor authentication apps, while others will email a time-sensitive code to your nominated email address. Others still will text a two-factor code to your nominated mobile number. Sent codes tend to arrive within seconds, like those from PayPal or MyGov, and they should be entered shortly after they’re received to ensure they don’t expire (which is another security feature).

In a word, yes. If you have an online account that supports some form of 2FA, we absolutely recommend activating it for an extra layer of security.

These days, it’s not just terrible passwords that are a problem; it feels like every other week there’s a company announcing a data breach. If you have an account with a company that has a data breach where user credentials are stolen, even the most robust password won’t stop someone from accessing that account. This is why it’s important to have up-to-date security, which includes regularly updated passwords and tools like two-factor authentication enabled.

The only real catch with two-factor authentication, outside of the added time required to input relevant codes, is you need to ensure you have access to whatever is receiving the code. In most instances, this means having access to your smartphone, so you can open authentication texts, apps, or emails. It’s also important to remember to migrate your relevant 2FA accounts when you upgrade or replace your phone, so you don’t lose access to two-factor authentication accounts.