Two-Factor Authentication: An Extra Layer of Security

In two-factor authentication, the user may be required to enter a one-time code sent by the service that the user is trying to access.

Two-factor authentication is a security verification process in which the user provides two means of identification. In most cases, one of the two factors will be something the user has, and the second will be something the user knows.

The first item is usually a physical token, such as a card, and the second is often a memorized code, such as a password. In other instances, such as when logging into a website, what you know is a password and what you have is a one-time code sent to your smartphone by the service you are attempting to access.

The idea is that the physical token is something that the user, and only the user, possesses. One example would be a debit card — the card is the necessary physical item, and the personal identification number (PIN) is the memorized info that the user knows to log into an ATM. The combination of dual security measures makes it harder for intruders to access bank accounts and steal from victims.

Two-factor authentication is sometimes abbreviated as "2FA" or "TFA" and is also known as two-step verification. It has become prevalent in the digital age.

Google, MSN, Twitter and Yahoo offer two-step authentication for user logins, and it’s also an option for other Web-based services such as Dropbox, WordPress and Amazon Web Services.

Two-factor authentication has become so commonplace that most users don’t even realize they are using it when they hand their debit cards to a clerk and punch in the codes.


Two-factor authentication can reduce the success rate of phishing expeditions, online fraud and identity theft. It requires more than just the victim's password, which, in the past, has been enough to give a thief access to information.

A downside to using two-factor authentication is that hardware tokens, such as a card or key fob, need to be issued, which can slow down business and cause problems for a company. If customers lose their tokens, requests for new ones can cause even more problems and hold up business processes. These physical items can become a hurdle once they are in the users' hands: because they are small and easy to carry, they are also easy to lose.

Some companies use mobile phones, rather than cards or key fobs, as authentication devices. For example, you can set up Facebook to require, in addition to the typical username/password, a single-use security code that can be sent to a user's mobile phone. Whenever someone tries to access the account from an unknown browser, the security code is sent to the previously designated phone. If the legitimate user is the only person with access to the phone, this method will stop Facebook hacks and spammers.
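As an added illustration (not code from the article or from Facebook), here is a minimal Python model of the flow just described: a password check, a single-use code sent to the designated phone only when the browser is unknown, and a trusted-browser list once the code has been entered. The service, the `browser_id` value, the five-minute code lifetime and the in-memory stand-in for the SMS gateway are all assumptions; it also gates password changes through the same check, so a stolen password alone cannot be used to take over the account.

```python
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: a code is good for five minutes


class TwoFactorLogin:
    """Password plus a single-use code for browsers the service has not seen before."""

    def __init__(self, passwords, phones, now=time.time):
        self.passwords = passwords   # username -> password (plaintext only for the demo)
        self.phones = phones         # username -> designated phone number
        self.known_browsers = set()  # (username, browser_id) pairs that completed a code
        self.pending = {}            # username -> (code, issued_at, browser_id)
        self.sent_sms = []           # constructed stand-in for the SMS gateway
        self.now = now

    def start_login(self, user, password, browser_id):
        """Returns 'denied', 'ok' (trusted browser) or 'code_sent'."""
        if user not in self.passwords or not secrets.compare_digest(self.passwords[user], password):
            return "denied"
        if (user, browser_id) in self.known_browsers:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG, not random.randint
        self.pending[user] = (code, self.now(), browser_id)
        self.sent_sms.append((self.phones[user], code))
        return "code_sent"

    def finish_login(self, user, code, browser_id):
        """Second step: the code must be fresh, unused and bound to the same browser."""
        entry = self.pending.pop(user, None)   # pop so that any attempt consumes the code
        if entry is None:
            return "denied"
        expected, issued_at, issued_to = entry
        if browser_id != issued_to or self.now() - issued_at > CODE_TTL_SECONDS:
            return "denied"
        if not secrets.compare_digest(expected, code):
            return "denied"
        self.known_browsers.add((user, browser_id))
        return "ok"

    def change_password(self, user, old_password, new_password, browser_id):
        """Password changes use the same gate, so a stolen password alone is not enough."""
        if self.start_login(user, old_password, browser_id) != "ok":
            return "denied"   # an untrusted browser must complete the code step first
        self.passwords[user] = new_password
        return "ok"
```

A wrong code, a wrong browser or an expired code all consume the pending code, so a second attempt has to start from the password step again.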

However, two-factor authentication needs to be properly implemented. Apple, for example, offers it for iTunes Store accounts, but not for iCloud accounts, even though the same username and password will log into both.

An attacker who stole or cracked an Apple password could leverage iCloud to bypass two-factor authentication, such as by intercepting or redirecting password-reset messages sent to an iCloud email account. He could also read the user's email, erase his iPhone, get all his contact information and access his cloud-based documents.

And if the legitimate user hasn't yet set up Apple two-step verification for the iTunes Store, the attacker could do so instead, locking him out.

Tom's Guide Staff


  • Darkk
    I try to use two factor authentication whenever possible. Normally the one time code is sent to my mobile phone for verification. Works pretty well.
    Reply
  • pepe2907
    Well, I am asking myself - why don't they put in 5 layers of security, or 10? Why stop at just two? Five layers of security will make things really more secure. The problem is - I'll lose half an hour just to log in to my mailbox /in which there's nothing interesting to anybody but me/ every time I want to check my new bunch of spam. And sometimes I need to check like 10+ times a day for work-related messages, so making the login procedure more cumbersome really gets in my way.
    Reply
  • amdfreak
    None of the multifactor authentication helps when NSA taps in directly on the company's server.
    Reply
  • amdfreak
    @debramlopez786 => Is your sister doing striptease in order to make $66/hour on the internet ?
    Reply
  • clonazepam
    I think the NSA's working on backdoors into the hardware now. That's probably why Comcast keeps trying to give me a newer, faster router hehe =)
    Reply
  • teh_chem
    I'm always astonished that relatively mundane services like google and facebook have two-factor authentication, but none of my financial institutions implement it. Moreover, one of my banks doesn't even allow special characters in their password field, much less 2nd-factor authentication.
    Reply
  • drizzt_215
    2FA can be a chore, but it's worth it. I really like the direction that modern two-factor companies like Toopher are going. I enabled them on my Lastpass account and I dig it.

    It feels like we have a bit of a chicken-and-egg problem where users don't know about two-factor, and those who do know about it don't like it. But, without a market--without user demand--companies are not motivated to offer improved services. As pepe2907 implies above, people want improved security without the hassle.
    Reply