Two-Factor Authentication: An Extra Layer of Security

In two-factor authentication, the user may be required to enter a one-time code sent by the service that the user is trying to access.

Two-factor authentication is a security verification process in which the user provides two means of identification. In most cases, one of the two factors will be something the user has, and the second will be something the user knows.

The first item is usually a physical token, such as a card, and the second is often a memorized code, such as a password. In other instances, such as when logging into a website, what you know is a password and what you have is a one-time code sent to your smartphone by the service you are attempting to access.

The idea is that the physical token is something that the user, and only the user, possesses. One example would be a debit card — the card is the necessary physical item, and the personal identification number (PIN) is the memorized info that the user knows to log into an ATM. The combination of dual security measures makes it harder for intruders to access bank accounts and steal from victims.

Two-factor authentication is sometimes abbreviated as "2FA" or "TFA" and is also known as two-step verification. It has become prevalent in the digital age.

Google, MSN, Twitter and Yahoo offer two-step authentication for user logins, and it’s also an option for other Web-based services such as Dropbox, WordPress and Amazon Web Services.

Two-factor authentication has become so commonplace that most users don’t even realize they are using it when they hand their debit cards to a clerk and punch in the codes.

Two-factor authentication can reduce the success rate of phishing expeditions, online fraud and identity theft. It requires more than just the victim's password, which, in the past, has been enough to give a thief access to information.

A downside to using two-factor authentication is that hardware tokens, such as a card or key fob, need to be issued, which can slow down business and cause problems for a company. If customers lose their tokens, requests for new ones can cause even more problems and hold up business processes. Because these physical items are generally small and easy to transport, they can become a hurdle once they are actually in users' hands.

Some companies use mobile phones, rather than cards or key fobs, as authentication devices. For example, you can set up Facebook to require, in addition to the typical username/password, a single-use security code that is sent to your mobile phone. Whenever someone tries to access the account from an unknown browser, the security code is sent to the previously designated phone. If the legitimate user is the only person with access to the phone, this method will stop Facebook hacks and spammers.
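The unknown-browser flow described above can be sketched on the server side as follows. This is an added example, not Facebook's code or anything from the original article; the class and method names, the browser identifier, the five-minute lifetime and the five-guess limit are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed value)

class SecondFactor:
    """Hypothetical server-side state for one-time codes sent by SMS."""

    def __init__(self, phones, send_sms, clock=time.time):
        self.phones = phones      # user -> previously designated phone number
        self.send_sms = send_sms  # callable(phone, text), stands in for an SMS gateway
        self.clock = clock
        self.trusted = set()      # (user, browser_id) pairs that already passed the check
        self.pending = {}         # (user, browser_id) -> [code, expires_at, attempts_left]

    def login(self, user, password_ok, browser_id):
        """After the password check: returns 'denied', 'ok' or 'code_required'."""
        if not password_ok or user not in self.phones:
            return "denied"
        if (user, browser_id) in self.trusted:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self.pending[(user, browser_id)] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(self.phones[user], f"Your security code is {code}")
        return "code_required"

    def verify(self, user, browser_id, submitted):
        """Accept a code once, before it expires, within the attempt budget."""
        key = (user, browser_id)
        entry = self.pending.get(key)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[key]  # expired or guessed too often: a new login is needed
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[key]  # single use: the same code cannot be replayed
            self.trusted.add(key)
            return True
        entry[2] -= 1
        return False
```

The code is always sent to the number already on file for the account, never to one supplied during the login attempt, which is what makes the phone "something the user has."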

However, two-factor authentication needs to be properly implemented. Apple, for example, offers it for iTunes Store accounts, but not for iCloud accounts, even though the same username and password will log into both.

An attacker who stole or cracked an Apple password could leverage iCloud to bypass two-factor authentication, such as by intercepting or redirecting password-reset messages sent to an iCloud email account. He could also read the user's email, erase his iPhone, get all his contact information and access his cloud-based documents.

And if the legitimate user hasn't yet set up Apple two-step verification for the iTunes Store, the attacker could do so instead, locking him out.

Tom's Guide Staff

  • Darkk
    I try to use two-factor authentication whenever possible. Normally the one-time code is sent to my mobile phone for verification. Works pretty well.
  • pepe2907
    Well, I am asking myself - why they don't put 5 layers of security, or 10, why to stop at just two? Five layers of security will make things really more secure. The problem is - I'll lose half hour just to log in my mailbox /in which there's nothing interesting to anybody but me/ every time I want to check my new bunch of spam. And sometimes I need to check like 10+ times a day for work related messages, so making the login procedure more cumbersome really gets in my way.
  • amdfreak
    None of the multifactor authentication helps when NSA taps in directly on the company's server.
  • amdfreak
    @debramlopez786 => Is your sister doing striptease in order to make $66/hour on the internet ?
  • clonazepam
    I think the NSA's working on backdoors into the hardware now. That's probably why Comcast keeps trying to give me a newer, faster router hehe =)
  • teh_chem
    I'm always astonished that relatively mundane services like Google and Facebook have two-factor authentication, but none of my financial institutions implement it. Moreover, one of my banks doesn't even allow special characters in their password field, much less 2nd-factor authentication.
  • drizzt_215
    2FA can be a chore, but it's worth it. I really like the direction that modern two-factor companies like Toopher are going. I enabled them on my Lastpass account and I dig it.

    It feels like we have a bit of a chicken-and-egg problem where users don't know about two-factor and those who do know about it, don't like it. But, without a market--without user demand--companies are not motivated to offer improved services. As pepe2907 implies above, people want improved security without the hassle.