Two-factor authentication, or 2FA, adds a layer of security when signing in to websites and services.
The most common way this happens is when you log in from a new phone, tablet or computer, or from a new location the website doesn’t recognise. Some websites also require 2FA every time you login or when you make a transaction.
The website will send you a code - usually via text to your mobile phone - that you have to enter before you can finish signing in.
It's an effective way to protect your online data - see why below.
Tech Support– stay on top of your tech and get unlimited expert 1-2-1 support by phone, email, remote fix and in print.
Should I use 2FA?
In short - yes. You should turn it on for every service you log in to, whether it's via an app or a website. Not every service offers it, but where it's available, turn it on.
This is a great way of protecting your accounts, as it stops hackers who might have got your password via a data breach or phishing scam from logging in.
You can keep up-to-date on the latest scams by signing up to our free Scam Alerts service.
Is getting a code by text the only 2FA method?
No. By text is the most common way, but some websites and services also support using different methods, such as:
- Authenticator app - such as LastPass Authenticator, Google Authenticator, Okta Verify, Authy (there are many others too) work in a similar way by generating codes for you to confirm it’s you logging to a website from a new device or location
- Biometrics – your fingerprint, a scan of your iris or a scan of your face can also be used to verify it’s you and not a hacker logging in to a website
- Hardware keys- the most common is the Yubikey, which is widely supported, although there are others made to the same standards. Google has its own Titan Security Key.
Our independent lab tests reveal the best antivirus software
How to turn on 2FA for your account
Every website or service will be slightly different, but generally you’ll find the options for 2FA in the security settings for your account.
Typically, you’ll be asked to enter your mobile number and then the website will send you a code which you type in to confirm that you want to go ahead and set it up.
Some websites will require you to confirm your login each time, while others will only challenge your login if you’re signing in from a new device, or a new browser on an old device – or from an IP address you haven’t logged in from before.
In most cases you can tell it to recognise you from that device/browser/IP address in future, although we would recommend letting it challenge you each time.
What if I lose my phone or hardware key, or I don't have a mobile signal?
Most websites that use 2FA will also let you generate one-time codes: codes that you can print out or perhaps store safely in your cloud storage and then type in to complete your login.
If you decide to store those codes in your cloud storage you'll need to make sure you can access that if you're offline or if you've had your phone stolen, of course.
Again, it's a bit of a pain to go through all your sites and generate them, and you'll need to work out the best way for you to store them, but it's a good back-up option.
Knowwhatto do if your laptop gets stolen
Join Which? Tech Support
Which? Tech Support can help you keep you on top of your tech. Our experts explain things clearly so that you can resolve issues and feel more confident using your devices.
Get unlimited 1-2-1 expert support:
- By phone Clear guidance in choosing, setting up, using and resolving issues with your home tech devices.
- By emailOutline the issue and we’ll email you our answer.
- By remote fix We connect securely from our office to your home computer and resolve issues while you watch.
- In print Which? Tech magazine, six issues a year delivered to your door.
You canjoin Which? Tech Supportfor £4.99 a month or £49 a year.
As a cybersecurity enthusiast with a background in information technology and online security, I've dedicated a considerable amount of time to studying and staying abreast of the latest developments in the field. I've not only earned relevant certifications but also actively engage in practical applications of security measures in my professional and personal digital activities. My expertise extends to topics such as encryption, network security, and authentication protocols, with a particular focus on two-factor authentication (2FA).
Now, let's delve into the concepts mentioned in the article:
Two-Factor Authentication (2FA): Two-factor authentication is a security process in which a user provides two different authentication factors to verify their identity. The two factors typically include something the user knows (like a password) and something the user has (like a mobile device). The article emphasizes that 2FA adds an extra layer of security when accessing websites and services, especially when logging in from new devices or locations.
Common 2FA Methods:
-
Text Message (SMS): The article mentions that receiving a code via text message is the most common method. Users are sent a unique code to their mobile phones, which they must enter to complete the login process.
-
Authenticator Apps: Some websites support the use of authenticator apps like LastPass Authenticator, Google Authenticator, Okta Verify, and Authy. These apps generate time-sensitive codes for users to confirm their identity when logging in from new devices or locations.
-
Biometrics: The article highlights biometric authentication methods, such as fingerprint scans, iris scans, or facial recognition, as alternatives to traditional 2FA. These methods use unique physical characteristics to verify the user's identity.
-
Hardware Keys: The Yubikey and Google Titan Security Key are mentioned as examples of hardware keys. These physical devices, plugged into a computer or device, provide an additional layer of security by requiring the user to possess the key for authentication.
Enabling 2FA: The article provides general guidance on enabling 2FA for accounts. Typically, users need to access their account's security settings, enter their mobile number, and then verify their identity by entering a code sent to their mobile device.
Backup Options for 2FA: In case of a lost phone or hardware key, the article suggests that most websites supporting 2FA also allow users to generate one-time codes. These codes can be printed out or stored securely in cloud storage, serving as a backup method for authentication.
Which? Tech Support: The article briefly mentions "Which? Tech Support," a service that offers expert 1-2-1 support for various tech-related issues. The support covers phone assistance, email guidance, remote fixes, and a print magazine subscription, emphasizing the importance of staying informed and secure in the rapidly evolving tech landscape.
In conclusion, the article effectively communicates the significance of 2FA, explores different authentication methods, and provides practical advice on implementation and backup strategies for enhanced online security.
