It’s nearly impossible to truly secure an online or mobile account with just a password. Data breaches, malware, device theft, and myriad other methods can be used to compromise digital passwords, no matter how secure they are.

Anyone with sensitive information protected by a password needs to have a second method of securing their account, hence two-factor authentication. There are various ways to protect accounts via two-factor authentication: biometrics, one-time passwords, verification codes, QR codes, hardware tokens, and other methods all add another layer of security.

Regardless of the method, one thing is for sure: Two-factor authentication is necessary no matter how inconvenient users think it is.

TechRepublic’s two-factor authentication cheat sheet is an introduction to this essential element of cybersecurity. This guide will be updated periodically when there is new information to share about two-factor authentication. (Note: This article about two-factor authentication is available as a free PDF download.)

SEE: How to set up two-factor authentication for your favorite platforms and services (free PDF) (TechRepublic)

Executive summary

  • What is two-factor authentication? This authentication method supplements passwords to provide an online account with a second layer of security; it does not replace passwords. Two-factor authentication is available for Apple ID, Google, Facebook, Twitter accounts, and other services.
  • How does two-factor authentication work? There are a variety of two-factor authentication methods available, all of which have the same end goal: providing a way of proving a login is legitimate that’s completely separate from the password.
  • Why does two-factor authentication matter? Most everything we do on a computer or mobile device is exposed to the internet, and that means those online accounts can be compromised. Adding two-factor authentication to an account makes it harder for a stolen password to be used against you.
  • How safe is two-factor authentication? Nothing is completely secure, and that includes two-factor authentication. Two-factor systems have been hacked in the past, but the biggest risk isn’t technological–it’s social engineering, which can bypass even the most secure of systems.
  • How do I start using two-factor authentication? Businesses can standardize two-factor authentication by subscribing to a service that provides it. Home users can enable two-factor authentication on their accounts by checking to see if a particular website offers the service.

SEE: Security awareness and training policy (TechRepublic Premium)

What is two-factor authentication?

Two-factor authentication is a supplement to a digital password that, when used properly, makes it harder for a cybercriminal to access a compromised account. Two-factor authentication is also referred to as 2FA, two-step verification, login verification, and two-step authentication.

Two-factor authentication is not to be confused with multi-factor authentication (MFA), of which 2FA is a subset. MFA refers to any kind of system that relies on more than one method of identification to verify you’re the appropriate person to be using the account. If, for example, you use a password, one-time code, and then a fingerprint to log into a system, you’re using MFA but not 2FA because you’re using three distinct items.

Additional resources

How does two-factor authentication work?

Two-factor authentication requires, along with a password, a second form of identity verification. After successfully logging in to an account with a password, the user is prompted to either confirm their identity using a one-button push with a verification app or input a random security code from a text, email, push notification, or physical key.

The second factor is, ideally, harder to spoof than a password; it requires something the legitimate user has physical access to, like a smartphone with a particular authenticator app installed, a linked phone number for a push notification or SMS authentication code, or a hardware security key, which leaves a hacker stuck even if they have the correct password to the account. Two-factor authentication is available for Apple ID, Google, Facebook, and Twitter accounts, bank websites, and other services–it’s often as simple as enabling the option.

If your business is looking for a two-factor authentication provider, there are a lot of options. Once you select a 2FA provider, users can expect to use biometrics (like Touch ID and Face ID), authenticator apps, SMS authentication, email authentication, or a physical security key to authenticate an account with an authentication code.

Each method has its pros and cons, and two-factor authentication shouldn’t be relied on to be the end-all, be-all of account security. Each of those methods can be cracked by someone with enough knowledge or drive.

SEE: All of TechRepublic’s cheat sheets and smart person’s guides

SMS and email authentication, easily the most ubiquitous, are also the most easily cracked. Text messages aren’t secure and can be intercepted, and email accounts can be hacked. Biometrics can be fooled, and the methods of authenticating them can be hacked as well. Apps can be a problem when migrating to a new mobile device, and physical security keys can be lost.

In most cases where an account is protected by a second security factor, users will be given backup codes that can be used to disable two-factor authentication when a key is lost or an app is uninstalled. If you sign up for 2FA and are given backup codes, it’s best to print them off and stick them in a secure location–you never know when you may need to recover an account that becomes locked out.

Regardless, two-factor authentication is very low effort for a lot of added security. Sure, it isn’t 100% foolproof, but nothing is.

Also, it can be annoying to have to wait for Google, or any other service provider, to text you a verification code as text or QR code, but it’s essential to protecting your account. That code is an example of two-factor authentication in action: Your password is the first factor, and the code sent to your phone is the second. Now, if your Gmail password is stolen and a hacker tries to log into your account, two-factor authentication would block that person because the code is sent right to your device, notifying you that someone just tried to log in and they have your password. Fortunately, that extra layer of security can stop them.

Additional resources

Why does two-factor authentication matter?

Two-factor authentication matters to everyone–in particular, security professionals and anyone who uses digital passwords.

If it’s in an account on the internet, it’s safe to assume that it’s fair game for hackers to try gaining access to it. A password is usually only a stumbling block to getting ahold of your business or personal information.

It seems like we hardly go a week without news of a massive data breach affecting millions of people. The information that’s stolen, in many cases, includes usernames and passwords that could allow cybercriminals access to accounts. If those users have two-factor authentication active on their accounts, they won’t need to worry nearly as much.

To the individual user, two-factor authentication matters because it protects personal information like email, financial records, social media, and other sensitive information. Businesses need two-factor authentication to protect company secrets from being spilled out into the ether too, and they should be sure users, both internal and external, are using it.

With the increase in remote work due to the COVID-19 pandemic, two-factor authentication is more essential than ever. Remote work is here to stay for the foreseeable future, and that means a lot of professionals are on networks that exist outside of offices and can’t be kept secure.

Two-factor authentication is an essential protection for remote workers who have access to sensitive data and access it from home or public networks. Despite that, reports indicate less than half of organizations are using some form of multi-factor authentication organization-wide.

Additional resources

How secure is two-factor authentication?

Anyone who has spent time online knows it’s a bad idea to put all their security eggs in a single basket, and two-factor authentication is no exception.

As CNET reported several years ago, RSA’s physical security tokens were hacked, so even systems you think are secure (like random number generators) can be exploited.

The biggest security hole in two-factor authentication, and the one most often exploited, is social engineering.

Social engineering is essentially people hacking: Instead of trying to break encryption, brute-force passwords, or crack RSA tokens a social engineer goes for the path of least resistance by phishing, pretexting, phone spoofing, or otherwise lying to extract information from people who don’t realize they’re giving up sensitive data to a person who shouldn’t have it.

So an enterprising hacker doesn’t need to try to crack two-factor authentication security when they can simply call a support line, pose as you, and get your password reset: Why make things more difficult?

SEE: Cybersecurity in an IoT and mobile world (ZDNet/TechRepublic special report) | Download the PDF version (TechRepublic)

Software developer Grant Blakeman had that exact thing happen to him in 2014. An attacker who wanted access to his Instagram account managed to get his cell phone provider to forward his number to a different number. From there the attacker received a Google account two-factor authentication code, “which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.”

Blakeman had done everything right: He used a password manager to generate long, unique passwords for each account, used two-factor authentication on Google, and was generally fastidious in his online hygiene. But that didn’t matter when a smart enough attacker wanted access.

So is two-factor authentication safe? In and of itself, yes. It’s rare that two-factor authentication methods are cracked. The most exploitable weakness, yet again, is humans.

Additional resources

How do I start using two-factor authentication?

Using two-factor authentication on consumer services like Apple ID, Google, Facebook, Twitter, bank websites, and others is often as simple as turning the service on.

There are far too many sites using two-factor authentication to list them all here, so if you want to find out if a particular one uses it head over to Turn It On: The Ultimate Guide to Two-Factor Authentication (2FA). The free service, provided by TeleSign, contains a searchable list of sites that use two-factor authentication and instructions for how to activate it.

Businesses can choose from a variety of two-factor authentication providers, including OneLogin, Yubico, or Okta, which offer 2FA as a service that can be plugged into existing computer systems. There are a lot of providers to choose from, and finding the right one for your business will likely take some research.

Some enterprise 2FA services, such as Okta, act as a single sign-on (SSO) that will automatically log a verified user into other accounts, so only one password has to be remembered, making business accounts that much more secure.

Once a device is enrolled in a 2FA SSO service and a user logs in, their computer or smartphone becomes a trusted device, adding another layer of security: If someone tries to log in from somewhere else, they’ll have a hard time doing it without being able to provide an authentication code in addition to a username and password.

The bottom line in two-factor authentication is that it’s essential. Yes, the right combination of technical know-how and confidence scamming can crack even the most secure systems, but for the average user in the average situation, two-factor authentication can make all the difference.

Additional resources

Editor’s note: This article was updated on June 11, 2020 to include information about remote work and social engineering.


Image: Getty Images/iStockphoto, Suebsiri

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays