What is two-factor authentication? | IPVanish


Still relying on just a password to secure your accounts and devices? Unfortunately, this just isn’t good enough anymore. For reliable protection, many security experts recommend utilizing multiple layers of security. This is where two-factor authentication, or 2FA, comes in. So what is two-factor authentication, and how does it work to protect you? Let’s dive in. 

How does two-factor authentication work?

Two-factor authentication is a solid way to protect your devices and data, and is simple to set up. So how does 2FA work?

The idea behind 2FA is to use a two-step login process for much stronger security. So, instead of simply relying on a password (which is effectively one authentication method), 2FA requires the user to verify their identity using a combination of two of three things:

  • A PIN, password, or answer to a security question (something you know)
  • A 2FA app or pre-generated codes (something you have)
  • A biometric like a fingerprint or face recognition (something you are)

Typically, you’ll find 2FA in the form of a smartphone app. Two-factor authentication apps work by sending you a push notification or a one-time passcode, prompting you to verify that you are intentionally trying to log in. So, you’d input your password as usual, and then be required to complete the second step in your login process to access your account. 

What are the different types of two-factor authentication?  

While authenticator apps are a popular choice, two-factor authentication comes in several forms, each with its own level of security and convenience. Understanding the different types can help you choose the best method for your needs.

  • SMS-based two-factor authentication: This is one of the most common methods, where a one-time code is sent to your phone via text message. While convenient and better than no two-factor authentication at all, it’s considered the least secure option due to vulnerabilities like “SIM swapping,” where an attacker could potentially gain control of your phone number.
  • Authenticator apps: As mentioned, these apps (like Google Authenticator or Authy) generate a temporary, time-based one-time passcode (TOTP) that refreshes every 30-60 seconds. This method is significantly more secure than SMS because the code is generated on your device and is not transmitted over the less secure mobile network.
  • Hardware security keys: For maximum security, you can use a physical hardware key. This is a small device, often resembling a USB drive (like a YubiKey), that you plug into your computer or tap against your phone (using NFC) to approve a login. This is highly resistant to phishing and is considered the gold standard for 2FA.
  • Push notifications: Some services use push notifications sent directly to a trusted device. Instead of a code, you simply receive a notification asking you to approve or deny the login attempt with a single tap. This is both user-friendly and secure.

Why use two-factor authentication?

One of the first steps to a strong online defense is recognizing that multi-layered security isn’t just recommended – it’s necessary. When it comes to login details, using 2FA is important because passwords are at such a high risk of being stolen. 

Any remote hacker, or one sharing the same public Wi-Fi network as you, can easily find a way to steal or view your passwords. Hackers also commonly obtain passwords from data breaches and sell them on the dark web. But even if your password falls into the wrong hands, 2FA will protect your account from unauthorized access.

Choosing the right 2FA method for you

Not all 2FA is created equal. While any 2FA is better than none, understanding the different types will help you choose the best balance of security and convenience for your needs.

  • Authenticator Apps (Most Common): These are apps (like those listed below) that generate TOTP codes. They are a massive security upgrade over passwords alone and are the most popular method for securing online accounts.
  • Push Notifications: Some apps, like Duo Mobile and Microsoft Authenticator, offer a more convenient option. Instead of you typing a code, the service sends a notification to your phone, and you simply tap “Approve” to log in. This is fast and user-friendly.
  • Hardware Security Keys (Most Secure): For maximum protection, nothing beats a physical security key. These small USB or NFC devices use advanced cryptography that makes them virtually immune to phishing. You plug the key into your device or tap it on your phone to authenticate. This is the gold standard for protecting high-value accounts.
  • SMS and Email Codes (Least Secure): While popular due to their simplicity, receiving codes via text message or email is the least secure form of 2FA. Hackers can intercept text messages through “SIM swapping” attacks or gain access to your email account to steal your codes. You should upgrade to an authenticator app or hardware key whenever possible. 

Potential risks and best practices

While 2FA dramatically increases your account security, it’s not a silver bullet. It’s important to be aware of potential risks and follow best practices to stay protected.

  • The risk of phishing: Sophisticated phishing attacks can trick you into giving away your 2FA code. An attacker might create a fake login page that looks identical to the real one. When you enter your password and the 2FA code, they capture both. Always double-check the website URL before entering your credentials.
  • Losing your second factor: What happens if you lose the phone that has your authenticator app or your physical security key? This can lock you out of your own accounts.
  • Best practice: save your backup codes. When you set up 2FA, most services provide a set of one-time-use backup codes. It is crucial to save these codes in a safe and separate place, such as in a secure password manager or a physical safe. These codes will allow you to regain access to your account if you lose your primary 2FA device.
  • Best practice: use stronger 2FA methods. Whenever possible, opt for an authenticator app or a hardware key over SMS-based 2FA to protect yourself from SIM-swapping attacks.
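
How a service can issue and redeem the one-time-use backup codes described above, as an added Python example (not from the original article or from any specific provider). The function names, the code format and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (no 0/O, 1/I/L) to reduce typos.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def _digest(code: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked database does not reveal usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_backup_codes(count: int = 10, length: int = 10):
    """Return (codes shown to the user once, records the service stores)."""
    codes, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _digest(code, salt), "used": False})
        codes.append(f"{code[:5]}-{code[5:]}")  # grouped for readability
    return codes, records


def redeem(records, submitted: str) -> bool:
    """Accept a backup code exactly once; True only on first valid use."""
    code = submitted.replace("-", "").replace(" ", "").upper()
    matched = None
    for rec in records:  # check every record so timing does not reveal position
        same = hmac.compare_digest(_digest(code, rec["salt"]), rec["hash"])
        if same and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True  # burn the code so it cannot be replayed
    return True


if __name__ == "__main__":
    shown, stored = issue_backup_codes(count=3)
    print("save these somewhere safe:", shown)
    print("first use:", redeem(stored, shown[0]), "second use:", redeem(stored, shown[0]))
```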

The best two-factor authentication apps

Many services and applications offer their own type of 2FA, but you can also use a third-party app to add 2FA to any of your accounts. Here are some two-factor authentication apps we recommend: 

1. Authy by Twilio

Available for: iOS, Android, Apple Watch

A long-time favorite, Authy’s standout feature is its encrypted cloud backup and multi-device sync. This makes migrating to a new phone or accessing codes on a tablet incredibly easy. Note that its desktop apps were discontinued in 2024, but the mobile apps remain fully supported and excellent.

2. Duo Mobile

Available for: iOS, Android

Owned by Cisco, Duo is renowned for its simplicity, primarily through its “Duo Push” system. The one-tap approval makes it one of the most frictionless ways to use 2FA, and it’s trusted by countless corporations and universities.

3. Microsoft Authenticator

Available for: iOS, Android

Developed by Microsoft, this app provides robust security for all services using standard 2FA codes, not just Microsoft accounts. It features seamless cloud backup and enables convenient passwordless sign-in for your Microsoft ecosystem.

4. 2FAS

Available for: iOS, Android

Formerly known as the Authenticator App by 2Stable, 2FAS has grown into a powerful and popular choice. It’s user-friendly, offers encrypted backup and biometric protection, and even has browser extensions for easy code entry on a desktop.

5. Google Authenticator

Available for: iOS, Android

Google Authenticator is simple and reliable. Its most important feature is the ability to sync your codes to your Google Account, which solves its long-standing lack of a backup option. While you don’t need an internet connection to generate codes, you do need one for the initial setup and to sync.

What are other layers of security I can add?

Why stop at 2FA? Here are some more security layers you can – and should – add to your apps and services.  

Antivirus 

Antivirus is a protective tool that can save you from a security nightmare. VIPRE is an award-winning antivirus service that protects you from external threats. And with real-time scans, malware removal, and so much more, VIPRE virtually does all the work for you. Sign up for an annual plan to access antivirus for free, brought to you by the same brains and builders behind IPVanish. 

Encrypted email

Considering that over 90% of all malware is delivered via email, it may be time to switch to an encrypted email service if you haven’t already. An encrypted email service will safely protect the transmission and contents of your emails from outside parties. Check out these private email providers. 

VPN

One of the best ways to secure all of your online activity is with a VPN, which is short for virtual private network. A VPN works by masking your identifying IP address, and encrypting your connection. This prevents any outside eyes from viewing or stealing your traffic data, allowing you to have a much more private internet session. 


  • Sarah Judsen



    Sarah Judsen was a writer at IPVanish from 2015 to 2022 discussing all things VPN, privacy, and cybersecurity.



