Two-Factor Authentication: What You Need to Know

You may have noticed lately that more businesses have made signing in to your online account more of a hassle. Most of the time, the extra step is a one-time passcode that’s sent to your phone number or email. This is an example of two-factor authentication, a method of proving your identity. Two-factor authentication is a cybersecurity concept that tries to make it more difficult for someone else to access your personal information online. Whether you’re running an online business or are a consumer struggling to understand why there’s this extra step, here’s a brief explanation of two-factor authentication and how it helps you stay secure.


In cybersecurity, authentication is the process of proving that someone is who they say they are. Its purpose is to grant that person permission to carry out specific actions. If you’re an average consumer, authentication is you proving to your online banking app that it’s actually you, so you can manage your finances online. In the past, this was accomplished with a simple username and password combination. As hackers have gotten more sophisticated and computing power has improved, it has gotten easier for criminals to guess a simple password. For instance, the password “password” (one of the most commonly used on the internet) takes 0.19 milliseconds to crack using modern software. Making passwords more complex increases the time it takes to crack them, but cracking is still possible. Hackers can also try to gain access to your recovery email and reset your password that way. If a website relies on a username/password combination alone, anyone who knows that information can impersonate you.

The combination of a username and password is an example of single-factor authentication. In this context, a “factor” falls into one of four categories: something you know, something you are, something you have, or something you do. While you can increase the complexity of one-factor authentication, it’s only so effective. As mentioned above, a criminal might be able to hack the email account you use to recover a forgotten password, or break into a company’s server that stores customer passwords. Your data could easily be included in the data breaches you hear about in the news, where online companies lose the data of millions of customers to criminals. In those cases, log into your account and change your password immediately. These cases illustrate the point that single-factor authentication is not foolproof.


Adding a second factor to the authentication process gives you more security because the odds are low that a criminal has access to both factors. Using your debit card to get cash at an ATM is a classic example of two-factor authentication. It requires you to both have something (the card) and know something (the PIN). That annoying one-time passcode your bank or email provider sends to your phone is another example of two-factor authentication. It requires you to remember your password and to have the phone that receives the code. Some companies and government organizations issue a token that’s used for logging in. It’s basically an identification card that stores digital certificates proving you’re you. These tokens also require a PIN or password to fully authenticate.
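To show how the one-time-passcode scheme described above works on the service side, here is an added example (not code from the original article or from any particular bank): a login that succeeds only when both the password (something you know) and a freshly issued passcode (something you have) check out. The class name, the five-minute lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: both factors must pass before a login is accepted.
OTP_LIFETIME = 300   # assumed: seconds an issued passcode stays valid
MAX_OTP_TRIES = 3    # assumed: wrong guesses before the passcode is voided

class TwoFactorLogin:
    def __init__(self, username, password):
        # Store only a salted hash of the password, never the password itself.
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.pending = {}   # the currently outstanding passcode, if any

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        # Factor 1: something you know. Constant-time compare avoids timing leaks.
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def issue_otp(self, now=None):
        # Factor 2: something you have. In a real service this 6-digit code
        # would be sent to the phone on file; here it is returned to the caller.
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = {"code": code, "expires": now + OTP_LIFETIME,
                        "tries": MAX_OTP_TRIES}
        return code

    def check_otp(self, code, now=None):
        now = time.time() if now is None else now
        p = self.pending
        if not p or now > p["expires"] or p["tries"] <= 0:
            self.pending = {}          # nothing outstanding, or it has expired
            return False
        p["tries"] -= 1
        ok = hmac.compare_digest(code, p["code"])
        if ok or p["tries"] == 0:
            self.pending = {}          # a passcode is single-use; spent or exhausted
        return ok

def login(acct, password, code, now=None):
    # The passcode is checked only after the password, so a stranger who does
    # not know the password cannot use up the legitimate user's passcode.
    return acct.check_password(password) and acct.check_otp(code, now)
```

Passing the time in explicitly (`now=`) lets the expiry path be exercised without waiting five minutes; in production you would simply omit it.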

Biometrics, the use of parts of your body (face, fingerprints, retinas, or your DNA), is single-factor authentication in the “something you are” category, and it is much harder for a criminal to fake. As long as the software and hardware are properly calibrated, these methods of authentication are secure and almost impossible to fool. Even if you’ve never encountered them in real life, movies abound with high-tech areas that require a handprint or a retinal scan to access. While these systems can have vulnerabilities, they are much more secure than traditional passwords. As biometric recognition software and hardware become cheaper and more prevalent, expect online systems to start using them as a second factor.


You may also hear the term multi-factor authentication, which is a catch-all term for anything that requires more than one factor. This generally refers to two-factor authentication, though there are organizations that require even more security measures to be in place. In that case, you might be required to have some form of access card, know a unique PIN, and submit to a retinal scan to authenticate yourself. Again, each added factor makes it increasingly unlikely that a criminal can successfully fool the system. However, each additional factor adds equipment and maintenance costs, requires hiring more personnel to manage it, and requires employees and customers to jump through more hoops to comply. This is a constant struggle in business: making information available to the people who need it versus keeping that information secure. There are costs associated with each.

In the end, the level of authentication a business uses should be tailored to meet its needs. Banking and healthcare systems need to be secure because of the sensitive information they store, while something like an online publication may not need to be as secure. As a consumer, you should treat each online transaction or activity as if someone is trying to get your information, and take the appropriate steps to protect yourself. If it’s just a password to log in, pick a complex one, or better yet, a specific phrase that only means something to you. If you are prompted to use additional factors to authenticate, be sure to use them as well. The company in control of your information is just trying its best to keep you safe.