Two-Factor Verification: Does it really make a difference?


Anyone with online accounts or cell phones has probably received requests to enable two-factor authentication (2FA) by now. These invitations typically cite enhanced security as a reason to add this extra step to the login process, but how does 2FA work and why should we enable it on our devices and accounts?

Two-factor authentication helps maintain security by making it harder for hackers, thieves and other ne’er-do-wells to illicitly access accounts and private information. To keep out unwelcome eyes, 2FA requires something more than a password before granting account access. The “something else” can be a one-time numeric code or single-use password, a pre-established answer to a security question, a token or another technique to confirm the identity of the person trying to access the account.

Using a PIN along with an ATM card is the most common and familiar example of 2FA. With cybercrime on the rise, email providers and many other types of online services are establishing 2FA as a way to limit the potential for the wrong person to get in by pretending to be an authorized account user. The basic premise is that while a would-be imposter could steal your ATM card, guess your password or steal your phone, it’s less likely that this miscreant will simultaneously have access to your phone and your login credentials or your ATM card and your PIN. 

With 2FA enabled, users must enter another piece of information besides their username and password to satisfy the authentication mechanism. Often, this additional piece of information is time-sensitive, such as a temporary code that expires only a few minutes or hours after being issued. The secondary identification factor might go to a different device such as a cell phone or another computer.

You can also use 2FA apps like Google Authenticator, Microsoft Authenticator or a third-party authentication app such as 1Password or Authy. These apps live on your phone or computer and act as gatekeepers, denying access until you’ve entered an app-generated code or responded to a login notification.

Does 2FA really work to keep accounts secure?

Well, that’s complicated. The additional step does reduce the likelihood of a casual criminal successfully getting into your personal accounts. However, 2FA can’t stop phishing, phone cloning or brute-force attacks that discover passwords.

Anyone who knows you well enough to answer your security questions can still get in if they have your login credentials, and anyone who has obtained your email login credentials can also receive the temporary codes or passwords sent to that email address. Codes texted to your cell phone limit access only as long as you’re the sole recipient of your text messages. And of course, should your phone be lost or stolen, you won’t have access to authentication apps or see any texted codes – but a thief who manages to get past your lock screen might.

In short, 2FA helps keep your accounts secure but it isn’t a foolproof system. Choosing strong passwords, remaining alert to phishing attempts and keeping login credentials private (as well as unique for each account) are key strategies for maintaining online security with or without 2FA enabled. Do choose 2FA when you have the option, but don’t rely on it to keep your secrets and money safe. You can learn more about protecting your business and personal accounts by contacting the cybersecurity experts at HBP.