How And Why To Use Two-Factor Authentication

Have you noticed that many login pages have a place to enter a code or token in addition to your password? You may have thought, “Why would I need that? I already have a password for logging in.” Let me explain why adding that layer of security is a good idea.

The Threat

Imagine that to use an ATM, all you needed was either a PIN or an ATM card, not both. How easy would it be for someone to withdraw money from your account? If they guessed or learned your PIN, they’d have the ATM spitting dollar bills at them. If they stole or found your ATM card, that too would grant them access to your money. Not good, right?

Fortunately, an ATM requires both your PIN (something you know) and the ATM card (something you have). Because it’s much harder to get both of them at the same time, your bank account is safer.

Now think of an online account. If it’s only protected by a password (something you know), then all it takes for someone to get access is to guess or steal your password (or guess your security questions). Unfortunately, with the growing number of data breaches, that’s not too difficult. It’s like having an ATM that only requires a PIN.

But if that online account also requires you to get a code from your phone (something you have), that would be like an ATM that also requires an ATM card. And just as that ATM would be more secure, so too your online account would be more secure.

How to Increase Your Security Using Two-Factor Authentication

Let’s go back to the website that asks for a code when you log in. That code is like your ATM card. When you log into a website, you enter your password (something you know) and the code from your phone (something you have). This is called two-factor authentication. Your password is your first factor of authentication. The code from your phone is your second factor.

So, how can you use this to make your accounts more secure?

How to Set Up Two-Factor Authentication

After you log in, look in the settings for a way to enable two-factor authentication. You may also see it called security codes, two-step verification, 2FA, or multi-factor authentication (MFA). The code may also be called a token. Look in the Security and Privacy sections of your Settings, or under Account or Profile.

If you can’t find the option within a few seconds, look up the site on and Those sites have instructions for enabling two-factor authentication on many websites.

Once you find the option, click through the steps to enable it. Here’s how to enable two-factor authentication on Facebook:

Many websites still offer the option of sending codes by text message (SMS). That’s unfortunate, because text messages can be intercepted and spoofed. In other words, it’s not difficult for hackers to receive your text messages, even without your phone. You can learn more about this in the Further Reading section below. For these reasons, it’s more secure to use a hardware token (I like YubiKey) or an authentication app (such as Authy, which is what I use, or Google Authenticator).

Two-factor authentication (2FA) is only as strong as your weakest 2FA method. So if an account offers multiple methods (hardware key, authentication app, SMS/text, etc.), and you choose one other than SMS/text, then do not also enable SMS/text. If a hacker can’t get past one method, they’ll try another. That means it won’t matter if you have a stronger method such as an authentication app-enabled, because the hacker will go after the weaker SMS/text.

Besides the security problem, there are other problems with text message authentication. If you don’t have phone service, you won’t receive the texts. Even if you have service, sometimes text messages take minutes to arrive, rather than seconds. Authentication apps don’t have any of these problems.

Of course, if the only way a website will let you use two-factor authentication is through texts, then use that option! It’s better than not using two-factor authentication.

Be aware that some websites won’t send codes to “virtual phone numbers,” phone numbers that use VoIP (Internet phone service). I have a Google Voice number, and some websites won’t send SMS/text messages to it. I need to use my traditional mobile phone number instead.

Most websites will allow you to create backup codes. Those are useful in case your phone is lost or stolen. Be sure to create the backup codes, and store them somewhere secure. I store mine in LastPass, in the Notes field of the website they go to.

LastPass: Secure Password Management

LastPass helps you remember and manage your secure passwords all in one place. Never forget a password again.

Check Out LastPass
We may earn a commission if you click this link and make a purchase at no additional cost to you.

If a website doesn’t support two-factor authentication, contact them and ask them to add the option for the sake of the security of their users.

How to Use Two-Factor Authentication

So you’ve set up two-factor authentication for your account. Nice work! You can start using it the next time you log into your account. Here’s the general process:

  1. You visit a website and enter your username and password.
  2. If this is the first time you’re accessing your account from a particular device (computer, phone, tablet), you’re asked for a second factor to confirm that you are who you say.
  3. You get a code from your phone, either from an authentication app, or from an SMS/text message.
  4. You enter the code on the webpage.
  5. If your code is correct, you’re logged in!

Most websites will remember your device (using cookies) so you don’t need to enter a code each time you log in, only when you log in on a new device. And you’ll be asked if you want the system to remember your device. If you’re not using one of your own devices, say no!

I highly recommend that you use two-factor authentication for any accounts that contain sensitive data. I especially recommend it for any accounts that contain financial or medical data, or other personally identifiable information. That includes any site that allows you to pay, donate, send, or receive money. But also think of how much damage someone could do by accessing other accounts, such as your email or social media accounts. It’s better to be safe than sorry!

If a website allows you to use more than two factors, consider doing that, especially if it’s an account that contains sensitive data that you want to protect.

You may wonder, “What happens if I lose my phone? Will I be unable to log into my account?” The answer is yes, unless the account allows you to enter backup codes or log in some other way (such as through security questions). That’s why it’s so important to create backup codes (see above).

Further Reading

What You Should Do

  1. Enable two-factor authentication for any account that contains sensitive data, or that you wouldn’t want to be hacked.
  2. Whenever possible, use a hardware token (such as YubiKey) or an authentication app (such as Authy or Google Authenticator) rather than receiving codes by text message or email.
  3. Create backup codes in case you’re ever without your phone when you need to log in. Save them securely, such as in your password manager or on paper in a safe.
LastPass: Secure Password Management

LastPass helps you remember and manage your secure passwords all in one place. Never forget a password again.

Check Out LastPass
We may earn a commission if you click this link and make a purchase at no additional cost to you.
Keeper: Personal and Business Password Manager

Keeper is a top-rated password manager for protecting you, your family, and your business from password-related data breaches and cybersecurity threats.

Check Out Keeper
We may earn a commission if you click this link and make a purchase at no additional cost to you.
1Password: Password Manager For Homes and Businesses

1Password remembers all your passwords, so you can easily log in to sites with a single click.

Check Out 1Password
We may earn a commission if you click this link and make a purchase at no additional cost to you.
Dashlane: Password Manager App For Home, Mobile, and Business

Dashlane fills all your passwords, payments, and personal details wherever you need them, across the web, on any device.

Check Out Dashlane
We may earn a commission if you click this link and make a purchase at no additional cost to you.

2 thoughts on “How And Why To Use Two-Factor Authentication”

  1. It is also possible to authenticate using hardware tokens (a self contained security device that produces one time passwords) or by using authentication apps – both alternatives are more secure than using SMS.


Leave a Comment