What is 2FA? A simplified guide to two-factor authentication


What is 2FA? Two-factor authentication is a multi-step process used to verify an identity during a login attempt. Read on to learn more.


It’s no secret that cybercriminals are hungry for passwords.

An unprotected password can help cybercriminals gain access to your bank account, credit cards, or personal websites. From there, they can sell your personal information, gain access to your money, or compromise your overall digital security.

But the battle isn’t lost. One way to quickly boost the safety of your online accounts is to enable two-factor authentication, aka 2FA. But what is 2FA?

In simple terms, 2FA adds an extra layer of security to your accounts by requiring two (or occasionally more) layers of login. Let’s break this down even further, including how 2FA works, the types of two-factor authentication, and why two-factor authentication is so important.

Why is two-factor authentication important?


Passwords are historically weak, due to both the advanced nature of hacking and a general annoyance with password creation and use. A Harris Poll found that nearly 50% of people use the same password across multiple accounts, increasing their overall vulnerability if a criminal were to figure out their credentials. And beyond that, over 100 million accounts still use the password “123456.”

With it becoming increasingly easy for cybercriminals to guess passwords, 2FA is more important than ever. It might seem like a hassle to add an extra step to your web surfing, but without it you could be leaving yourself vulnerable to cybercriminals who want to steal your personal information, access your bank accounts, or hack into your online credit card portals.

Adding the extra step to account access means thieves will struggle to access your personal information. If you add a knowledge factor to your bank account, a cybercriminal who knows your password won’t be able to access the account without having your phone when it receives the verification code.

That way, those still relying on the password “password” have a better shot at keeping their bank accounts secure.

How does 2FA work?

Two factor authentication explained

As the name suggests, two-factor authentication requires one extra step — meaning a second factor — to log into an account. The process works as follows:

  1. The user enters their username and password.
  2. The account, platform, or site prompts the user to input another form of verification, such as a code texted to their mobile phone.
  3. The user enters the verification code to gain access to their account.

A good example of two-factor authentication in the real world is an ATM card. In addition to physically presenting the card, you also need to type in your PIN to access your account.

Types of 2FA security 

Types of factors for 2FA

There are several types of two-factor authentication, all of them relying on the different factors we’ve listed above.

  • Hardware tokens: This type of 2FA requires users to possess a type of physical token, such as a USB token, that they must insert into their device before logging in. Some hardware tokens display a digital code that users must enter.
  • SMS and voice 2FA: You’ll receive either a text or voice message giving you a code that you must then enter to access a site or account.
  • Software tokens for 2FA: These tokens are apps that you download. Any site that features 2FA will then send a code to the app that you enter before logging in.
  • Push notifications for 2FA: You’ll download a push notification app to your phone. When you enter your login credentials to access a website, a push notification is sent to your smartphone. A message will then appear on your phone requesting that you approve your login attempt with a tap.
  • Biometrics: To log into a site, you’ll first have to verify your identity with something physical about yourself. Most commonly, this means using a fingerprint scanner.
  • Location: If your account was created and registered in one state, and suddenly a login is attempted in a different location, it may trigger a location factor. These factors will alert you when a login is attempted on a new device and send you a code to enter to verify your identity.

Now that you know the different types of 2FA verification, let’s learn how to enable it on your devices.

How to enable 2FA

Though not all sites use 2FA, some give you the option to activate it for your account. For sites that enable 2FA, you can find the toggle to turn it on in your settings, usually under the Security tab.

Some popular websites that do enable 2FA include: Amazon, Facebook, Instagram, Dropbox, LastPass, LinkedIn, Intuit, TurboTax, Mint, PayPal, and Yahoo. For a complete list of websites that have 2FA capabilities, visit this website.

Adding two-factor authentication to your high-priority accounts can help keep you — and your money and personal information — more secure.

So, what is 2FA? It’s a cybersecurity tool that can improve the Cyber Safety of your online accounts and even identity. From safeguarding online banking details to medical history, 2FA verification is an everyday pillar of internet safety.

2FA security FAQs

Check out some frequently asked questions concerning the 2FA login process.

Is 2FA safe?

For the most part, 2FA is safe. Still, like most online activities, there are ways that criminals can bypass 2FA security and access your account. For example, lost password recovery usually resets your password via email, and it can completely bypass 2FA.

Even though it's not 100% secure, 2FA can bolster your cybersecurity and is a recommended practice.

Can 2-step verification be hacked?

Yes, hackers can use certain phishing messages to work their way around 2FA login processes.

What is the strongest 2FA method?

Hardware-based 2FA is regarded as the strongest form of 2FA verification.

How do I know if I have two-factor authentication?

You can check if your account or device has 2FA by going into your privacy settings in your system preferences. You should see options for the different types of 2FA security offered.


Clare Stouffer
Clare Stouffer, a Gen employee, is a writer and editor for the company’s blogs. She covers various topics in cybersecurity.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 

