Everything You Need to Know about Two-Factor Authentication

Creating passwords is an endless loop of usernames, symbols, numbers, and weird mnemonic devices. Even if you use a password manager to make things easier, there's no guarantee your master password isn't on a sticky note behind a family photo. Finding an unsecured password is easy when you know where to look.

Two-factor authentication (2FA) helps keep your accounts safe by adding another layer that requires extra effort and, more importantly, your permission. Let's dig into some of the basics of two-factor authentication and how you can use it to protect your personal information online.


Two-factor authentication basics



What is two-factor authentication?

At the foundational level, two-factor authentication is a way to confirm your identity using two identifiers, or factors, instead of one.

Booking a hotel room is an excellent example of multi-factor authentication at work. Your credit card might look similar to some room keys, but there's no way it's opening a hotel room on its own. Instead, you must check in at the front desk with a photo ID. Only then does the hotel give you a key and a room number.

In this example, you need four factors to access a hotel room:

  1. Credit card
  2. Photo ID
  3. Room number
  4. Room key

But we're betting you're here to learn how two-factor authentication applies to online accounts. The core principle's the same, except you're using a password as the first factor, which triggers a prompt for the second factor—usually a one-time code that expires after a short time. The account isn't accessible unless you provide both factors.

Home security systems as two-factor authentication

A home security system is another example of 2FA in real life—you unlock your front door with a physical key but need to disarm the system with a PIN code to avoid an alarm.

How does two-factor authentication work?

While the type of multi-factor authentication ultimately depends on the company hosting your account, some methods are more common than others. Here's a quick rundown of the types of authentication you'll likely encounter.

Types of two-factor authentication

Email and text message

Text messages (SMS) are one of the most ubiquitous 2FA methods, so there's a good chance you already use this for two-factor authentication with some accounts.[1] An SMS message is a flexible option for most phones, while email codes work well for computers and smartphones.

Email and SMS pros

  • Easy to use
  • Useful for computers and mobile devices

Email and SMS cons

  • Doesn't work without internet or mobile access
  • Unencrypted messages vulnerable in transit

How it works

  • Your online account asks you to select a trusted email address or trusted phone number after you enter your username and password.
  • It sends a one-time verification code—usually six digits, like 396823—to your chosen contact method.
  • You copy or type this authentication code to the field on the login page.
  • If you don't use the code within a time limit, you'll need to request a new one.
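
The service's side of the steps above can be sketched as follows. This is an added example, not code from the article or from any provider; the class name, the five-minute time limit, and the cap on wrong guesses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 300      # assumed time limit in seconds; the article gives no figure
MAX_ATTEMPTS = 5    # assumed cap on wrong guesses per issued code


class OneTimeCodes:
    """Issues six-digit codes and enforces expiry, single use and a guess limit."""

    def __init__(self):
        self._pending = {}  # account -> [sha256(code), expiry time, attempts left]

    def issue(self, account: str, now: float) -> str:
        # A new request replaces any earlier code for the same account.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[account] = [digest, now + CODE_TTL, MAX_ATTEMPTS]
        return code  # passed to the e-mail/SMS sender; only the hash is stored

    def verify(self, account: str, submitted: str, now: float) -> str:
        entry = self._pending.get(account)
        if entry is None:
            return "no_code"
        digest, expires, attempts = entry
        if now > expires:
            del self._pending[account]      # user must request a new code
            return "expired"
        guess = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(digest, guess):
            del self._pending[account]      # a code works exactly once
            return "ok"
        entry[2] = attempts - 1
        if entry[2] <= 0:
            del self._pending[account]      # only 10**6 codes exist, so cap guessing
            return "locked"
        return "wrong"
```
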

Authentication app

Authenticator apps use the same numerical codes as emails and texts but require pairing the app with your online account using a QR code or other access token. The main downside is that many authenticator apps use a mobile phone—you won't find as many apps for computers.[1]

Authenticator app pros

  • Secure encrypted server
  • Push notification authentication on some apps

Authenticator app cons

  • Often requires a mobile device

How it works

  • After logging into your account, you copy a code from the authentication app—it's pretty easy to copy a code by tapping on it.
    • Authenticator apps cycle codes on a set interval—usually 30 seconds—so you need to enter it before the following code appears.

Some authenticator apps skip the numeric codes in favor of a push notification where you tap a specific number (Microsoft Authenticator) or answer a yes or no question (Duo Push, Okta Verify, and Google prompts). We love the convenience of push notifications for authentication, so we highly recommend using them if available.

Proprietary authenticator apps

While many online accounts support various third-party authenticator apps, some require you to use their app—Blizzard's Battle.net Authenticator is a notable example.

Pre-generated code list

Pre-generated codes are basically a list of codes you receive when creating an account. They're primarily useful if you can't access another 2FA method and for some offline accounts. They don't expire, so someone with the sheet could brute-force—or try every possible code combination—to access an account.[1]

Pre-generated code list pros

  • Written codes don't require internet
  • Backup to other 2FA methods

Pre-generated code list cons

  • No expiration date
  • Easy to misplace codes

How it works

  • LastPass generates a printed grid and provides four coordinates when logging in: e.g., T7 F2 J5 G0.
  • You look up each spot on the grid—Battleship style—and enter your code: e.g., FUHZ.
Backup code

Some account providers, like Google and Discord, can generate a list of backup codes in case you lose access to an authentication factor.

Security key


A security key with Universal 2nd Factor (U2F) authentication is probably the coolest method because it uses a physical factor like your phone's fingerprint sensor, a Bluetooth device, an NFC device, or a USB stick. It's basically a key that you use alongside your password.

There's no code to look up, and it's faster than practically every other authentication method—the push notifications from authenticator apps put up some competition.[1] Buying a security key has two drawbacks: extra cost and a device that you can lose.

Security key pros

  • Super secure
  • Physical device fits on your keychain

Security key cons

  • One-time purchase
  • Lost key makes logging in nearly impossible

How it works

  • Computers: plug the security key into your computer and tap the button at login.
  • Smartphones: tap the key to your phone upon login.
    • You don't need a security key when using your phone's biometric authentication like facial recognition or a fingerprint sensor.
Trusted devices

Most account providers give you the option to add a trusted device, so you don't need to use two-factor authentication after the first login. This is usually an option like "Remember me" or "Don't ask again for 30 days."

FAQ

As long as your account supports two-step authentication, you can usually find the option in the settings menu under security or privacy. From there, follow the security prompts and scan QR codes as necessary to set it up. The account provider then tells you how you'll receive the 2FA verification and may provide security keys for backup.

Two-factor authentication is always a good idea because it's easy to set up and is an immediate boost to your online security. We recommend enabling two-factor authentication on every account that supports it.

Two-factor authentication can be a big inconvenience if you don't have consistent access to the phone number, specific apps, or registered email address needed to receive the confirmation codes. It can also slow you down until you adapt to the extra step to the login process. 

Contributing writer: Nathan Lawrence, SafeWise Australia


Sources

  1. Ken Reese, Brigham Young University, Proceedings of the Fifteenth Symposium on Usable Privacy and Security, "A Usability Study of Five Two-Factor Authentication Methods," August 2019. Accessed September 13, 2022.

Written by John Carlsen
John is a technology journalist specializing in smart home devices, security cameras, and home security systems. He has over nine years of experience researching, testing, and reviewing the latest tech—he was the Smart Home Editor for Top Ten Reviews and wrote for ASecureLife before joining SafeWise as a Staff Writer in 2020. John holds a Bachelor's degree in Communications, Journalism emphasis from Utah Valley University. In his spare time, he enjoys hiking, photography, cooking, and starting countless DIY projects he has yet to complete.
