Two-factor authentication

Passwords are a weak shield to keep unwanted visitors out of your accounts. When it comes to account protection, two-factor authentication is one of the most effective defenses available. As name indicates, 2FA means we need two layers of authentication in order to access any application/resource.

Why are passwords so bad?

Usernames and passwords remain the most common form of user authentication. Reports looking at billions of leaked passwords show that people make embarrassingly simple passwords. This leaves it easy for hackers to guess.

As users open more accounts with various sites and services, it creates too many passwords to remember and paves the way for a dangerous habit: password recycling. It takes seconds for hacking software to test thousands of stolen sign-in credentials against popular online banks and shopping sites. If a username and password pair is recycled, it’s extremely likely it’ll unlock plenty of other lucrative accounts.

How does 2FA work?

In 2FA, username & password can still be your first authentication factor — so when you type in your username & password as normal, the site will redirect you to another page where you are required to verify the account ownership.

If our first layer of security is a user name and password then second layer should come from something else, and usually would fall into the following categories:

  • Something the user knows: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern.
  • Something the user has: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token.
  • Something the user is: This category is a little more advanced, and might include biometric pattern of a fingerprint, an iris scan, or a voice print.

With 2FA, a potential compromise of just one of these factors won’t unlock the account.

Common types of 2FA

Hardware tokens

Hardware tokens are small, like a key fob, and produce a new numeric code every 30-seconds. When a user tries to access an account, they glance at the device and enter the displayed 2FA code back into the site or app. Other versions of hardware tokens automatically transfer the 2FA code when plugged into a computer’s USB port.

The downsides to hardware tokens is that each MFA user will need to get a unit and they are easy to lose.

Software tokens

A user downloads and installs an app on their smartphone or desktop. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app.


After receiving a username and password, the site sends the user a unique one-time passcode (OTP) via text message or email. Some people say the email flow is not strict 2FA if you are also using the same method of verification (email) in your username & password login.

Proceed with caution because text messages can be vulnerable to hacking.

We’ve seen how two-factor authentication is a relatively painless way to keep your accounts protected with more than just a password. Take some time to set it up now, and you can rest knowing your accounts have multiple layers of protection.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store