A password that's tough to crack provides protection against unauthorized intrusion into your digital accounts, but even a strong password is not completely impenetrable. Many companies increase security by offering users the option to log in using two-factor authentication.
What is two-factor authentication?
Two-factor authentication (also known as 2-step verification) is a log-in process that requires users to prove that they are who they claim to be not once but twice. The required proofs usually combine two of the following:
- Something known only to the user such as a password or PIN
- Something that the user has to have in hand, such as an ATM card, smartphone or passcode generator key
- Scans of some physical or biometric property of the user such as retinal scans, voice identification or fingerprints
If you cannot supply both the required proofs of your identity, the system will not authenticate you and you will not receive access.
Because it uses not one but two security measures, two-factor authentication arguably provides tighter — though not absolute — security than password- or PIN-based systems. No matter how complex a password is, someone out there is smart enough to guess or steal it, often by electronic means or by social engineering techniques such as phishing.
But when two-factor authentication is in place, even intruders who know your password are barred from accessing your account if they cannot supply the other required proof. Think of it as a second lock on your door.
Where two-factor authentication is used
We’ve all seen movies where scientists develop some top-secret gadget in a heavily secured lab. Access to the lab is severely restricted with multi-factor verification mechanisms. A whitelisted scientist can enter the lab by undergoing a retinal scan, then by speaking to authenticate the voice print, then by typing a long passcode at a terminal with fingerprint-scanning buttons. Quite exaggerated, but that’s multi-factor authentication at its finest.
In the real world, some companies use two-factor authentication to restrict employee access to certain buildings or areas. Identification cards with embedded chips or magnetic strips allow employee to swipe or tap at security terminals and then key in a company-issued passcode. If both are correct and the worker has access privileges, the door will unlock.
Many online services use two-factor authentication. Most recently, Instagram is in the process of rolling out optional two-factor authentication to give its more than 400 million users an additional blanket of safety against unauthorized access to their accounts.
Google has been using two-step verification since 2011. When it's enabled for your account, a special code is sent to your phone whenever you log in to your account on a new device. Google also sends you an email notifying about the access on the new device.
Twitter activated two-step authentication in 2013, while Facebook’s version, known as Login Approvals, has been around since 2011. In late 2015, Amazon also rolled out its implementation of the method.
Other high-profile online services that have implemented some form of two-factor authentication include Apple, Microsoft, Steam, Yahoo, Xbox Live and Dropbox.
Online banking services also use two-factor authentication. One international bank, for example, combines password and token generation. Clients are given token generator devices for free. To log in, you enter your username, password and a random, unique token generated by the key. Another bank uses both passwords and a one-time passcode sent to the user’s phone via SMS.
To see a list of services that use two-factor authentication, visit Two Factor Auth.
Should you enable two-factor authentication?
Generally, you should enable two-factor authentication wherever it is available, especially for important and sensitive accounts such as online banking.
Consider the potential consequences of enabling two-factor authentication. For example, Amazon lets you receive the second passcode either via SMS text or voice call. You wouldn't be able to receive either of these when you're on an airplane, so if you plan to shop in the air, you'd have to switch to the authenticator app method before boarding the plane. We like Google Authticator (free for iOS and Android), which generates codes for any two-factor site. You might also find yourself unable to use mobile phone authentication anywhere cellular coverage is spotty or nonexistent.
Familiarize yourself with the system's safety nets for occasions when the second factor is unavailable to you. For instance, if you lose your phone, does your service provider allow an alternate way for you to log in without your phone or provide a second phone number? One bank offers alternate access by supplying randomly requested characters of a second password defined previously by the user.
Some services let you turn off two-factor authentication for a device once it's been authenticated. We don't recommend doing this.
Two-factor authentication can be a bit of an inconvenience, but that extra step will make you a less desirable target for those looking to steal your banking information, upload scandalous photos to your social network or read your confidential messages. The minor inconvenience is a small price to pay to keep your accounts secure.