We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Coronavirus Read our latest advice

What is two-factor authentication (2FA) and why should you care?

Strong passwords can go some way to protecting you online, but 2FA adds an extra layer of security to your accounts and data

What is two-factor authentication (2FA) and why should you care?

When an online security compromise takes place, there’s the potential for it to have a truly detrimental effect on our life – plus the lives of those around us. 

At the least, a compromise might mean someone or an organised group gaining access to your personal Twitter account. At worst, it could result in fraudsters hacking into your bank account and stealing your life savings, or criminals logging into your home’s smart security camera to see when you’re not at home.

Frightening stuff, but it’s also something that can potentially be prevented with the right know-how.

Last month, Which? Computing editor Kate Bevan gave expert advice on how to create strong passwords. This time, Kate is going one step further and introducing you to two-factor authentication (sometimes referred to as 2FA), a doubly effective way to protect your digital accounts.

Discover how an antivirus software package could keep you safe online.

What is 2FA (two-factor authentication)?

2FA is two-factor authentication: that’s when you add a second step to the log-in process. So rather than just typing in your password, you have to complete a second step, too. That can be typing in a code sent to you by SMS or generated by an app on your phone; it can be plugging in a security key – a special USB stick – to confirm your identity to the website you’re logging into, or it can be confirming that it’s you with a fingerprint or a scan of your face.

There’s also multi-factor authentication (MFA), which adds an additional layer to the log-in process (visualised in the graphic below), but 2FA is by far the most commonly used and widely available, and that’s our focus in this article.


Why should I enable 2FA for my online logins and accounts?

If I could pick just one thing to tell people to do to protect their accounts, it would be to enable 2FA wherever you can. It will stop most hacking attempts in their tracks, because the second factor depends on something being with you: your phone, your fingerprint or your security key.

Note that it’s not completely impossible to get past 2FA, but it will prevent most attempts. It’s particularly important to turn it on for any account where you have payment details stored.

Can I enable 2FA on every website, app and digital service?

Unfortunately not. We think that well-known brands with millions of customers, such as Deliveroo and Netflix, which currently don’t offer 2FA, should do so.

Popular websites that have stored your card details, and email and social media accounts which likely contain a treasure trove of personal data, should be a priority. For example, Uber allows you to activate two-step verification via ‘Security’ in your account.

Email

Email is one of the most important services to secure with 2FA: it’s the gateway to all your other online accounts. A hacker getting into your email account can cause havoc.

All the major email service providers, including Aol, Gmail, Outlook, Yahoo and Zoho, offer two-factor authentication. Some allow you to authenticate via SMS, phone call or another verified email account. This function is typically found in the security section of your account settings.

Social networks

Social networking sites, such as Facebook, Instagram, LinkedIn, Snapchat and Twitter, offer 2FA to try and prevent hackers accessing your accounts. There are all sorts of potential risks if someone hacks your account, not least hijacking your profile to impersonate you and contact your friends or family to ask for money, or harvesting personal details to build up a detailed profile of you to commit fraud.

If the website or service you’re using doesn’t offer 2FA, make sure you at least have a strong password. Also make sure that your password is unique – ie not used for any other of your online accounts, nor a variation of them.

Banking

When it comes to online banking, from March 2020 banks will need to have introduced a multi-layered approach to logging in, as part of new ‘strong customer authentication’ regulations. Some banks have been doing this for a while, while others have been lagging shamefully behind.

You’ll need to have set up an authorised device or provided an up-to-date mobile phone number for this to work. For example, Nationwide Building Society will send one-time SMS codes to the mobile number stored on your account each time you log into your online banking. First Direct has a service called a Secure Key or Digital Secure Key for mobile banking.

Find out more in our guide to safety in online banking.

Can 2FA be compromised?

Yes, it can. The most common way this happens is via what’s called a Sim-swapping attack. This is where a criminal convinces your mobile provider to give them a Sim card in your name and with your mobile number so that they get all your 2FA codes from websites.

SMS codes could also be stolen in a man-in-the-middle attack. SMS messages aren’t encrypted and so can be intercepted when they’re sent to your phone.

If you use biometrics as your second factor – facial recognition or a fingerprint – someone who is with you could quickly and easily get access to your accounts. That could be a violent attacker, but it could also be an official at a border simply holding your phone up to your face, or even your child holding your phone to your finger while you’re asleep to buy things online.

This is why security experts warn against using SMS or biometrics for 2FA and instead recommend using either an authenticator app such as Google Authenticator or Authy, which generates the codes on your phone, or a security key such as a Yubikey.

Will a strong password do the trick on its own?

A strong, unique password is better than a weak password at protecting your accounts, but adding the second factor gives an added layer of protection – and greater peace of mind.

Back to top
Back to top