Josh Fruhlinger
Contributing writer

2FA explained: How to enable it and how it works

Sep 10, 2019 · 9 mins

Two-factor authentication (2FA) can boost security for anyone using any kind of online service, from Google to Fortnite.


What is 2FA?

Two-factor authentication (2FA) is a method of establishing access to an online account or computer system that requires the user to provide two different types of information.

A factor in this context simply means a way to convince a computer system or online service that you are who you say you are, so the system can determine if you have the rights to access the data services that you’re trying to access. By far the most common authentication factor in use today is the username/password pair, and since most accounts only require a password for access, most systems thus use single-factor authentication for security. With two-factor authentication, you’ll need to both provide a password and prove your identity some other way to gain access.

As passwords have become increasingly less secure, whether through data breaches or poor user practices, more and more individuals are moving to 2FA to secure their digital lives — and many service providers are encouraging or mandating the shift as well.

Why use two-factor authentication?

We’ll dive into the details of how different two-factor authentication methods work in a minute, but before we go there, let’s first answer the question why. After all, passwords have been the standard for everyday infosecurity for a generation now. Adding an additional step just makes logging in to your account more difficult. Why bother?

One of the primary reasons, as Hacker Noon notes, is that widespread major data breaches, which have put millions of email address/password pairs up for sale on the dark web, have made many passwords less secure. Most people reuse passwords across multiple sites and accounts; a hacker can plug in known email address/password pairs into dozens of sites and see which of them provides access. Verizon’s 2017 Data Breach Investigations Report found that 81 percent of account breaches could be put down to passwords that were either leaked in this way, or passwords that were so weak (e.g., “passw0rd”) that they were trivially easy to guess.

Many sites use so-called security questions or knowledge-based authentication (“What’s your mother’s maiden name?” or “What was the city where you were born?”) as a sort of backup to passwords. Such questions are often posed over and above a password if a user is logging into a site from a new computer or new network connection, for instance. Still, there are weaknesses here: for instance, with so much personal information publicly available for those who know where to look, a determined hacker could probably figure out the answers to these questions for a compromised account, or bypass them via social engineering attacks. But more importantly, as we’ll see in a moment, they don’t represent a true second security factor, and therefore can’t provide the layered security of two-factor authentication.

How does two-factor authentication work?

To understand what real two-factor authentication looks like, we need to revisit the concept of a factor. A password fits the definition we gave above, for instance, but for our purposes we want to think of it in more abstract terms: it’s something you know. This explains why knowledge-based authentication doesn’t represent real 2FA; you’re just backing up something you know with something else you know. In essence, the answer to your security question is just another password, and subject to all the same weaknesses.

True 2FA pairs your first authentication factor — still a password (i.e., something you know), in the vast majority of cases — with a second factor of an entirely different kind, such as:

  • Something you have
  • Something you are
  • Somewhere you are

Users will need to supply both of these factors to get access to their accounts.

Two-factor authentication examples

Confused about what those factors might mean in practice? Let’s take a look at some examples, starting with the “something you have” factor. Consumer Reports has a good look at the different options involved here, some of which you may already be familiar with. Perhaps the granddaddy of this type of security factor — maybe the granddaddy of two-factor authentication altogether — is the RSA SecurID. First released in 1993, SecurID used a small physical device with a small onboard screen that displayed periodically changing random numbers, generated based on a “seed” programmed in at the factory. Users would need both a password and the number from their SecurID token at any given moment to log in to sensitive areas.

There are other gadgets that can fulfill the “something you have” part of a 2FA equation: There are smartcards and physical security keys, which can connect to computers via USB or Bluetooth. Google famously has cut down on security incidents after mandating them internally. These devices need to be plugged into or paired with the computer you’re using in order to access 2FA-protected accounts that use them.

But providing a separate, specialized security gadget to each of your users and expecting them to carry it with them whenever they might want to access your systems is expensive and cumbersome. That’s why, in by far the most common forms of 2FA in use today, the “something you have” is the gadget you already carry with you all the time: your smartphone. In the simplest version of this, after using a username and password to log into a site, the user is then sent a numeric code as a text message to a phone number they provided when setting up their account; that code is necessary to gain access to the site. In a somewhat more complex version, a website will offer a QR code that’s scanned on a corresponding smartphone app. Smartphones can also serve, via specialized apps and a Bluetooth or USB connection, as a security token in the sense we discussed above.
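The article does not name an algorithm for the codes an authenticator app shows after scanning the QR code. The sketch below is an added example, not code from the article or from any vendor, and uses the open TOTP standard (RFC 6238) to show how a shared seed plus the current time yields the changing code, and how a server can check it once while tolerating clock drift. SecurID uses its own algorithm; the account name, issuer and secret here are constructed values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30  # seconds each code stays valid (assumed default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC the counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    return hotp(secret, int(at) // STEP, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI a site encodes in its enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


class Verifier:
    """Server side: accept each code once, allowing +/- `window` steps of drift."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window, self.last_step = secret, window, -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # step already consumed: reject replayed codes
            expected = hotp(self.secret, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step = step
                return True
        return False


# Constructed demo seed: the RFC 6238 test secret, not a real account's.
SECRET = b"12345678901234567890"
```

Because both sides derive the code from the seed and the clock, nothing travels over the phone network at login, unlike a code sent by text message.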

What about “something you are”? This factor gets us into the realm of biometrics, the science of computers establishing identity by examining your physical person. A password must be paired with a thumbprint or retina scan or some similar factor in order to access protected data. And just as ubiquitous smartphones made the “something you have” flavor of 2FA much simpler to promote, so too do the fingerprint readers and facial recognition software in most high-end phones put the seemingly sci-fi world of biometrics within reach; many biometric 2FA implementations simply leverage the built-in capabilities that users’ phones already have. There are legitimate doubts about biometrics — concerns that databases of fingerprint data can be cracked as easily as lists of passwords, for instance — but with users increasingly comfortable opening their phones with their thumb or their face, this method will probably become increasingly popular.  

The third type of authentication we mentioned — location-based — isn’t widely used, although various experimental proposals have been floated. Some sites implement a weak version of this by requiring another method of authentication if a user logs in with a password from an unusual location. Often this is just a knowledge-based security question, though sometimes it might be another security factor that we’ve discussed, like entering a code delivered via text message.

Multi-factor authentication

A scenario like the one described above — where a password, a user’s location, and a message sent to the user’s phone are all combined to authenticate their identity — actually involves three factors. In fact, two-factor authentication is just a subset of the larger concept of multi-factor authentication, since in theory you could pile on any number of required hoops users would have to jump through to gain access to secured data. In practice, two is as many factors as an ordinary user would encounter, though obviously even that can’t offer total protection.

Enable 2FA

As a consumer, enabling two-factor authentication for all your accounts can be a daunting process. The Verge has put together a detailed and frequently updated list of major service providers, including Apple and all the major social media sites, along with instructions on how to enable 2FA for your accounts there. We’re going to provide more specific resources for two major sites so you can get a sense of some of the issues involved with the process.

2FA for Google

Google refers to its two-factor authentication as “Two-Step Verification,” and walking through the steps on Google’s landing page for the service will get you started. Once you’ve set things up, Two-Step Verification will secure your Google account and all the services tied to it; when you log into your Google account, you’ll receive a code via text that you’ll need to enter as well, or you can order a Titan Security Key if you prefer a physical security token. You can choose to disable 2FA for certain trusted computers, if you prefer; this will mean you don’t have to constantly deal with multiple security factors when you’re at home, for instance, but anyone logging in remotely will have to put in the extra work to prove they’re you.

2FA for Epic Games and Fortnite

Epic Games, creator of the wildly popular Fortnite game, also allows you to set up your account with two-factor authentication. Windows Central breaks down the reasons why this is one account in particular you’ll want to double-protect: a lot of scammers target the game’s younger players with tempting links that offer free Vbucks, Fortnite’s in-game currency. These are in fact phishing scams that aim to harvest your login credentials and get access to your account (and whatever payment information you’ve saved to actually buy Vbucks). If you’re a parent of Fortnite-loving kids, you should probably add 2FA to your Epic Games account.

Activating 2FA for Fortnite is simple; just go to your account settings page, click on the PASSWORD & SECURITY tab, and under the TWO-FACTOR AUTHENTICATION heading choose either ENABLE AUTHENTICATOR APP or ENABLE EMAIL AUTHENTICATION. With the email authentication option, you’ll receive an email with a security code every time you log in to your account; the authenticator app makes use of common apps for this purpose listed on the site. As a signal of how keen Epic Games is on getting you signed up for 2FA, they offer a special Emote for Fortnite players who activate the feature.

Two-factor authentication vendors

If you’re looking to roll out 2FA or multi-factor authentication for your own corporate users, a number of vendors will be happy to help you.  Four of the most important and common are:

Good luck in moving your users beyond the password!