Your bank, email provider, and maybe even your favorite gaming platform have prompted you to set up two-factor authentication. If you're a little unclear on what it is or why you'd want to start using it, read on to learn how two-factor authentication can keep everything from your bank account to your game collection more secure.

What Is Two-Factor Authentication?

To understand what two-factor authentication (2FA) is, let's first look at what one-factor authentication is and compare it to both real-world and virtual security models.

When you come home from work, pull out your keys, and unlock your door, you're using simple one-factor authentication. The door and the lock assembly don't care if the person holding the key is you, your neighbor, or a criminal that lifted your keys.

The only thing the lock cares about is that the key fits---you don't need two keys, a key and fingerprint, or any other combination of checks. The single physical key is the only authorization, and its wielder, whether legitimate or not, gets full access.

The same level of one-factor authentication occurs when you log in to a website or service that requires only your username and password. You, your spouse, or anyone else can type the username and password in to access your account just like anyone could pick up your house key and open your door.

You're in good shape if nobody ever steals your keys or password. While your keys being stolen is a fairly low risk, virtual security is more complex. Security breaches, sophisticated attacks, and other unfortunate but all too real aspects of working and playing in a virtual space necessitate improved security practices, including multiple and diverse complex passwords and, when available, two-factor authentication.

What is two-factor authentication, and what does it look like for you, the end user? Two-factor authentication is a subset of multi-factor authentication (MFA). All two-factor authentication is multi-factor authentication, but not all multi-factor authentication is two-factor (as an MFA system could require 3, 4, or more additional authentication factors). Colloquially, people still use the term 2FA to refer to multi-factor systems in general, and as it remains the most common implementation of multi-factor authentication, we'll use the term throughout this article.

At minimum two-factor authentication requires two out of three authentication variables such as:

• Something you know (like the PIN on your bank card or email password).
• Something you have (the physical bank card or an authenticator token).
• Something you are (biometrics like your fingerprint or iris pattern).

If you've ever used a debit card, you've used a simple form of two-factor authentication: it's not enough to know the PIN or to physically have the card. You need to possess both to access your bank account at an ATM.

Two-factor authentication can take on various forms and still meet the 2-of-3 requirement. There can be a physical token, such RSA SecurID fobs, that continually generates random secure codes for you. Other companies skip the custom-hardware route and supply mobile phone apps (or SMS-delivered codes) which provide the same functionality.

While uncommon compared to software solutions, you could also use biometrics-based two-factor authentication (such as securing an encrypted file via password and fingerprint).

Additionally, some companies have moved towards an MFA model that includes the authentication variables you would expect from a 2FA system---such as needing a password plus a one-time-use code from an authenticator app---with the addition of another variable, such as your physical location or network identifiers.

Why and Where Should I Use Two-Factor Authentication?

We're strongly of the mindset that people should use two-factor authentication on nearly everything they use that offers two-factor authentication. It's an easy and nearly frictionless way to increase security and decrease the risk of identity theft, financial losses, and the overall general hassles that come with security breaches.

Making a conscious effort to use random and strong passwords with a password manager alongside two-factor authentication is such a significant security improvement that it's worth the minor inconvenience of plugging in a code or otherwise double authenticating your identity now and then. Need some extra convincing? A 2019 Microsoft analysis of account breaches found that 99.9% occurred on accounts without 2FA enabled.

Do you need it for every single thing? Not necessarily. Two-factor authentication for a muscle car discussion forum you casually use that contains no personal information and isn't linked to your real email or financial information is overkill.

A second layer of authentication for your credit card or primary email account, however, is an excellent security boost. The personal and financial trauma that would result from an identity thief or other malicious entity having access to those things far outweighs the minor hassle of inputting an extra bit of information.

If your email is compromised, it opens you up to other services being compromised as email serves as a sort of master key for access to password resets and other inquiries. (This is why we recommend people stop using their primary email to sign into everything.)

If your bank offers two-factor authentication, take advantage of it. Don't forget any other financial tools you use like PayPal. If a service can be used to send or receive money or access your financial records, you should use 2FA. Same thing for any service that hosts personal stuff like file backups, photo backups, and so on.

Even for things like video game platforms, it's worth it. Not only do players spend hundreds of hours building their characters and often spend real money purchasing in-game goods, losing all that labor and gear is an awful proposition.

While not every service offers two-factor authentication, the number of companies offering some type of two-factor authentication has risen dramatically over the years. When we first started writing about 2FA, the list of organizations and providers that offered it was short enough that we could rattle them off in a paragraph.

Now 2FA is relatively commonplace, and if you poke around in the support documents or even just your profile and settings page on a given service, you're likely to find some sort of option for two-factor authentication.

You can also cut down on time spent searching by using some of the handy 2FA directories out there like the 2FA Websites List and the 2FA Directory. Both sites list popular services that support 2FA, offer additional information like what kind of 2FA they support and links to relevant help documents for each respective service.

How Common Types of Two-Factor Authentication Work

While we can't show you exactly how two-factor authentication will work on every service you enable it for, we can talk about the common 2FA methods you should expect to come across and how they work.

Email

If you've ever logged into a service and been prompted to check your email for a verification code, you've run into a very basic form of two-factor authentication.

We mentioned above that it's essential to keep your email secure, and this is why. Many services use basic email-you-a-code verification. If your email is compromised, so is every service you use that email for.

It's better than nothing, but if you're using a service that offers anything else on this list, you should enable it.

SMS & Voice Calls

Similar to emailing you a one-time-use code, SMS and voice-based 2FA sends the code to your phone either via text message or by robo-calling you and reading the code over the phone.

It's a far from perfect system as it's vulnerable to attacks like phone porting scams, but it's better than not having 2FA enabled at all.  If SMS is the only 2FA option available, you should use it as, imperfect or not, it makes it far more difficult for someone to access your accounts.

Dedicated Authenticator Apps

A significant step up from relying on email, SMS, or voice calls, dedicated authenticator apps are focused exclusively on generating one-time-use codes.

Google Authenticator was one of the first authenticator apps around and remains pretty popular (and the biggest user complaint, lack of cross-device syncing, was fixed as part of a massive overhaul to the app in April of 2023.) Authy and Duo are two other noteworthy and popular alternatives.

While not a stand-alone 2FA application, the popular password management app 1Password has a built-in authenticator to help you manage your 2FA tokens. 1Password also has a great feature related to 2FA: it will notify you if a service you have stored in your password vault supports 2FA and help you set it up right there. If you're looking for a one-stop shop for good password management and easy 2FA deployment, it's tough to beat 1Password.

Finally, it should go without saying that only use 2FA apps from reputable companies. Not only are you compromising your account security by using an insecure app, but in 2022 there was even a case of a malicious authenticator app installing malware and stealing banking information.

Mobile App Notifications

Some services will use their mobile app on your phone as a second form of identity verification. Google "Prompts" are an example of this kind of 2FA system, but they're hardly the only company that uses them.

You may log into the service on your home computer or your laptop away from your home network, and you'll get a message to open the company's app on your phone and confirm that you're the one logging into your account.

It's still 2FA, it's just set up as a single token delivery for a single service provider instead of a keychain arrangement with multiple tokens in a dedicated app like Google Authenticator or Authy.

Hardware-Based 2FA Keys

Hardware-based 2FA keys are exactly what they sound like---physical objects you use to authenticate your identity. Most physical 2FA keys on the market are a combination USB/NFC devices, so you can plug the key into your computer or hold it near a smartphone to activate it. A few standards exist, but most hardware-based 2FA keys use the FIDO Universal 2nd Factor Authentication (U2F) standard.

Just like you enter a one-time-use code off an authenticator app to confirm your identity, you can use the physical key to do the same. While it's undeniably, a very cool and secure way to do things, most people don't go the hardware key route and use their phone and authenticator app as a more convenient 2FA method.

However you're able to use 2FA though, it's a perfect time to enable 2FA on all the services you use that support it. While two-factor authentication isn't invulnerable to attack (a sophisticated man-in-the-middle attack or someone stealing your secondary authentication token and beating you with a pipe could crack it), it's radically more secure than relying on a regular password, and simply having a two-factor system enabled makes you a much less compelling target.