Two-factor authentication is a vital way to protect your online accounts. It's available almost everywhere and offers drastically increased security compared to locking your account with a password alone.

Let's take a look at what two-factor authentication is, how it protects your accounts, and how you can start using it.

What Is Two-Factor Authentication?

Two-factor authentication (often abbreviated to 2FA) is a login method that requires you to present two pieces of verification to log into an account. This contrasts with single-factor authentication, where you only have to enter a password to gain access to your account.

Generally, there are three types of "factors" that can be used for authentication. They are:

  • Something you know: Any information that you know and nobody else (hopefully) does, like a password.
  • Something you have: A possession of yours, like a phone or security key.
  • Something you are: A biometric that identifies you, like a fingerprint or your face.

Some people use the terms two-factor authentication and two-step authentication interchangeably, but they aren't the same.

Two-factor authentication requires factors from different categories above—such as a password and a code from your phone. Two-step authentication uses two verification methods from the same category, like a password and a security question.

True two-factor authentication is stronger because the two factors don't share the same weaknesses: a password and a security question can both be guessed or leaked from a website's database, while a code generated on your phone can't be.

Why Do I Need Two-Factor Authentication?

In today's online world, passwords alone are often insufficient for protecting your accounts. There are a couple of reasons for this.

Part of the problem is that most people are lazy with passwords. Making common password mistakes, like using the same password everywhere or using passwords with little complexity, makes your accounts easy to hack.

Short passwords that consist of dictionary words or common patterns are easy to crack with enough computing power. And if you use a password on many sites, an attacker figuring out one password could lead to them compromising multiple accounts of yours.


You can alleviate these issues by using a password manager to create strong, unique passwords for every site. But this isn't foolproof either.

Even if you have a super-strong password, you might turn it over to a malicious person by falling for a phishing attack or another form of social engineering. Your password could also be exposed through no fault of your own in a website security breach. In these cases, it doesn't matter how strong your password is once it's in someone else's hands.


The Consequences of Someone Stealing Your Accounts

In any of these cases, someone would be able to use your compromised password to log into your account and do whatever they wanted. Depending on the account, this could result in someone stealing your bank account information, learning private information about your family, being able to pose as you on social media, or similar.

Because so many of our online accounts are linked, a thief having access to even one can cause a lot of problems. This is especially true for email accounts, as attackers can send password reset emails for other accounts to your email inbox.

How Does Two-Factor Authentication Work?

In practice, two-factor authentication adds one extra step to the sign-in process on websites and services. After entering your username and password correctly, you'll see a prompt to enter a code (or otherwise confirm your second authentication factor). If you don't enter this correctly, you can't log in.


To make the process a bit smoother, most services allow you to check a box labeled Don't require codes in this browser or similar. This bypasses 2FA for future visits from that browser, while still requiring it everywhere else. The site does this by storing a long-lived cookie that marks the browser as trusted, so anyone who can use the device while it's unlocked, or who steals that cookie with malware, inherits the bypass. Only check the box on devices you use all the time and keep physically secure, and never on a shared or public computer.

When using two-factor authentication, there are a couple of important points you should know before you jump in.

Account Recovery When Using Two-Factor Authentication

You must have a plan for account recovery when using 2FA. On almost every site, it's easy to reset your password with a simple email link if you forget it. However, if you lose access to your 2FA method, you'll be in more trouble.

For security reasons, sites can't let you simply turn off 2FA if you lose access to your code generator (or whatever method you use). As a result, you can get locked out of your account if you can't sign in with any 2FA method.

To combat this, when you set up two-factor authentication on most sites, you'll be provided with a list of backup recovery codes. Each code can be entered once in place of a regular 2FA code, so the list is your way back in if your phone is lost or wiped. It's vital that you have access to these codes in case something unexpected happens. Keep them somewhere safe, like a password manager or a printed copy locked in a personal safe, and generate a fresh set if you suspect anyone else has seen them.
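To show how those single-use codes work on the service's side, here is an added example, written for this article rather than taken from it or from any of the sites mentioned: it generates a set of codes, stores only a salted slow hash of each so a leaked database doesn't expose them, and lets each one be redeemed exactly once. The code format (two groups of five hex characters), the number of codes and the hashing parameters are assumptions, not any particular service's.

```python
import hashlib
import hmac
import secrets


def _hash_code(code, salt):
    """Hash a backup code the way a server should store it.
    Normalise first so "ABCDE-12345", "abcde 12345" and "abcde12345" all match.
    A 10-hex-character code has only 40 bits of entropy, so a fast hash would
    be brute-forceable offline from a stolen database; PBKDF2 slows that down."""
    normalised = code.replace("-", "").replace(" ", "").lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


def generate_backup_codes(count=10, bytes_per_code=5):
    """Return (codes_to_show_the_user_once, records_the_server_keeps).
    The plain codes exist only in the first list; the server stores a salt,
    a hash and a used flag per code. Format and count are assumptions."""
    shown, stored = [], []
    for _ in range(count):
        raw = secrets.token_hex(bytes_per_code)          # e.g. "3f9a0c17be"
        code = f"{raw[:5]}-{raw[5:]}"                    # display form xxxxx-xxxxx
        salt = secrets.token_bytes(16)
        stored.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
        shown.append(code)
    return shown, stored


def redeem_backup_code(stored, submitted):
    """Consume a backup code: return True and mark it used, or return False.
    Every record is checked (no early exit) and hashes are compared in
    constant time, so response timing does not reveal which slot matched."""
    matched = None
    for rec in stored:
        candidate = _hash_code(submitted, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]) and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True          # single use: the same code fails next time
    return True


if __name__ == "__main__":
    codes, records = generate_backup_codes()
    print("Show these to the user once:", codes)
    print(redeem_backup_code(records, codes[0].upper()))   # True
    print(redeem_backup_code(records, codes[0]))           # False, already used
```

The server never needs the plain codes again after showing them, which is why a leaked copy of `records` is far less useful to an attacker than a leaked list of the codes themselves. Regenerating the set simply replaces `records` wholesale, invalidating every old code.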


If you lose these codes and have no other way to sign in, you'll have to turn to any advanced account recovery methods the service offers. This usually takes several days to complete, and may require more extensive steps to prove that you are the legitimate owner of the account.

Using App Passwords for Unsupported Services

While two-factor authentication is common on many services now, it's not backwards-compatible with some older devices. For example, if you have two-factor authentication on your Microsoft account and try to sign into an Xbox 360, it won't work properly.

To get around this limitation, services allow you to set up app passwords when you're using 2FA. An app password is a long, randomly generated password, created for one specific app or device, that you enter in place of your usual account password. Unlike a 2FA code it doesn't expire, and it lets that app in without a second factor, so create a separate one per device and revoke any you no longer use. If you have trouble signing into a device using an account protected by 2FA, check your account settings for an app password option to resolve this.


Two-Factor Authentication Methods

Two-factor authentication comes in multiple forms. Some websites offer just one option, while others give you several choices. We'll summarize the most common ones here; see the pros and cons of various two-factor methods for more info.

SMS or Email Codes

With this method, you'll receive a text message or email containing a one-time code that you need to log in. While this is convenient and simple, it's also the weakest option: SMS codes can be intercepted by an attacker who has had your number moved to their own SIM (a SIM-swap attack), email codes are only as safe as your email account, and either can be phished by a fake login page that relays the code to the real site while it's still valid. Plus, if you don't have cell service or a reliable internet connection, you can't receive these codes.

These authentication methods are better than nothing, but we recommend you use another method when available.

Authenticator Apps

Authenticator apps are the best balance of security and convenience. When you enroll, the site and the app share a secret key; the app combines that key with the current time (in 30-second steps, under the TOTP standard) to produce a short code, and the site performs the same calculation to check it. You simply copy the current code from your authenticator app to log in with 2FA.

When you enable this method, websites will walk you through how to add them to your authenticator app. Typically, all you need to do is scan a QR code (which carries the shared secret) to start generating codes, then input one to make sure everything is working correctly. Because the app only needs the secret and an accurate clock, the codes work without an internet connection, which is another improvement over SMS codes. One caveat: a code is still just a number, so a phishing page that asks for it and relays it to the real site within the same 30-second window will get in. Security keys, covered below, close that gap.
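As an added example, not taken from this article or from any authenticator app, here is the calculation itself in Python: it parses the kind of otpauth:// address a QR code carries, derives the six-digit code from the shared secret and the time, and checks a submitted code the way a server should. The sample address is constructed for the example; its secret is the test key published in the TOTP standard (RFC 6238), so the codes can be compared against that document's published values. The function names are mine.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning URI of the kind a site encodes in its QR code.
# The secret is the RFC 6238 test seed "12345678901234567890" in base32,
# so the codes produced here match the RFC's SHA-1 test vectors.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract issuer, account, secret and parameters from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    label = unquote(parts.path.lstrip("/"))        # "Issuer:account"
    issuer_from_label, _, account = label.rpartition(":")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("provisioning URI has no secret")
    return {
        "issuer": query.get("issuer", issuer_from_label),
        "account": account,
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    # Apps accept lowercase or unpadded base32; normalise before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter taken from the Unix time in `period` steps."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // period, digits, algorithm)


def verify_totp(secret_b32, submitted, at=None, period=30, digits=6,
                algorithm="sha1", window=1, last_used_step=-1):
    """Server-side check. Accepts the current step and `window` steps either
    side (phone clocks drift), refuses any step at or before the last one
    already redeemed (no replay), and compares in constant time. Returns the
    matching step so the caller can record it, or None on failure."""
    submitted = submitted.replace(" ", "")
    now = int(time.time()) if at is None else int(at)
    step = now // period
    for delta in range(-window, window + 1):
        candidate = step + delta
        if candidate <= last_used_step:
            continue
        expected = hotp(secret_b32, candidate, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["issuer"], p["account"])
    print(totp(p["secret"], at=59))                       # 287082, RFC 6238 vector
    print(verify_totp(p["secret"], "287 082", at=75))     # 1: same 30-second step
    print(verify_totp(p["secret"], "287082", at=150))     # None: code is too old
```

Run it and the code for Unix time 59 comes out as 287082, matching the RFC's SHA-1 vector. `verify_totp` hands back the time step that matched so the server can store it and reject the same code a second time; without that record, a code phished during its 30-second window could be replayed for as long as the drift window allows.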

Authy is one of the best 2FA authenticator apps. It's available on all platforms, offers encrypted backups, and is easy to use.

Physical Security Keys

For maximum security, use a hardware security key such as a YubiKey (you can also turn a USB drive into a login key, but a dedicated FIDO2 key is the stronger choice). This 2FA method requires you to insert the device into your computer (or tap it against your phone) and press a button to authenticate.

While these cost money, security keys are a strong option. Attackers can't steal a physical device as easily as they can a password or a code sent by email, and the key signs a challenge that is tied to the website's real address, so a look-alike phishing site receives a signature it cannot use anywhere else. The trade-off is that they're less convenient than generator apps, and losing your only key can lock you out, so register a second key as a backup and keep it somewhere safe.

Where Should I Use Two-Factor Authentication?

Now that you understand two-factor authentication, it's time to enable it on your accounts. For best results, you should use it everywhere that it's an option. Combined with a strong password generated by a password manager, it becomes very unlikely that someone will breach your accounts.

To get started, follow our guide to securing your most important accounts with two-factor authentication. After that, make sure you've set up two-factor authentication on your social accounts, too.

For more, have a look at Two Factor Auth. This is a handy resource that allows you to look up any service or website and see if it offers 2FA—and if so, which methods it supports. You can search or browse by category.

Two-Factor Authentication Will Keep You Secure

We've seen how two-factor authentication is a relatively painless way to keep your accounts protected with more than just a password. Take some time to set it up now, and you can rest easier knowing your accounts have multiple layers of protection.

Next, why not consider the best method to lock your phone's screen?

Image Credit: BestForBest/Shutterstock