How Does Two-Factor Authentication Work?

When two-factor authentication is enabled, you must go through a second authentication process once you enter your username and password. Depending on how 2FA is set up, you may have to verify your identity using one of the following methods:

  • Something you know, such as your mother’s maiden name or a personal identification number;
  • Something you have, like your smartphone or credit card;
  • Something you are, such as a scan of your fingerprint or the iris of your eye.

Two-factor authentication is more secure because even if your password has been compromised, there’s a good chance the hacker won’t have the second piece of information needed to complete the authentication process. For example, if a website is set up to send a code to your smartphone as the second form of authentication, there’s a good chance the hacker won’t have your smartphone in his or her possession. Therefore, the authentication will fail, preventing an unauthorized user from gaining access to your account.

The use of two-factor authentication helps users avoid the consequences of several password-related problems. Many people now have dozens of online accounts, making it difficult to remember the password to each one. As a result, some people write down their passwords, increasing the risk that an unauthorized individual will be able to access a private account. Password recycling is also a common problem. This occurs when people use the same password for multiple accounts. Hackers take advantage of password recycling by testing stolen usernames and passwords against popular websites. If you use the same username and password for multiple sites, the hacker will be able to use your stolen credentials from one site to log in to multiple accounts.

Types of Two-Factor Authentication


Biometric Authentication

Biometric authentication is one of the most secure forms of 2FA because it relies on something you are. It’s very unlikely that a hacker will be able to capture your fingerprints or voice, and the technology is so new that hackers haven’t had a chance to develop effective methods of bypassing it. Another reason biometric authentication is so secure is that fingerprints, voice prints, hand shape, and other accepted forms of authentication contain many data points. Even if a hacker could replicate one point, it would be extremely difficult to replicate them all. When used by corporations, biometric authentication also reduces costs by eliminating the need for key cards and security passes.

Push Notifications

Push notifications alert you when someone is trying to access one of your accounts. If a website uses push notifications, you’ll receive a notification on your smartphone or other device every time you attempt to log in. When the notification pops up, you’ll be able to approve it immediately, reducing the amount of time it takes to access your account. If an unauthorized person attempts to log in, you’ll be able to deny the attempt. One of the main drawbacks of this type of 2FA is that you may have difficulty receiving the notifications if you’re in an area with a poor internet connection.

SMS Messages or Voice-Based Authentication

SMS and voice-based authentication use your smartphone to control access to your online accounts. For sites using SMS authentication, you enter your username and password as usual. Then, the website sends you a text message containing a one-time passcode that can be used to complete the second step of the authentication process. Voice-based authentication works much the same way. Instead of sending you a one-time passcode via SMS, the website automatically calls your smartphone. When you answer the call, you receive a one-time passcode from the automated voice system.

Software Tokens

Software tokens are an alternative to SMS and voice-based authentication. Instead of receiving a one-time passcode via text message or phone call, you must download and install a 2FA application on your computer or mobile device. After entering your username and password, you must check the 2FA application and enter the code that appears. In many cases, the code is valid for only a minute; if you don’t enter it within the allotted time, you’ll need to generate a new code to access the website. A major advantage of using software tokens is that there’s a reduced risk of passcode interception because you use just one device to generate and display the code.

Websites and Apps That Use Two-Factor Authentication

Although many websites still rely on usernames and passwords, two-factor authentication isn’t a new form of technology. In fact, the chip-and-pin technology used to prevent the unauthorized use of debit and credit cards was developed nearly two decades ago. Since then, companies in many industries have implemented two-factor authentication to make their sites more secure. These industries include banking, education, finance, entertainment, gaming, and retail. Several major companies, including Facebook and Google, now offer two-factor authentication to protect your personal information. All you have to do is log in to your account and enable 2FA.
