AVG Signal Blog Privacy Passwords What Is Two-Factor Authentication (2FA)?

How does 2FA work?

Two-factor authentication works by adding an extra layer of security to your account — an additional login step — to prevent someone from logging in even if they have access to your password.

When you sign into any of your online accounts, the basic level of authentication requires only your password to log in — that’s one step to verify your identity. 2FA adds a second piece of info (or a second layer) that you need to provide before you can get access to your account.

This article contains:

    How 2FA works in detail

    As mentioned, 2FA works by verifying a second piece of information in addition to your password. The type of info used for the second piece of verification depends on the online service you’re using. For example, to use 2FA on your Gmail account, you have a few choices:

    • A physical security key: This functions like a lock, but you have to purchase a box of keys starting at $25.

    • The Google Authenticator app: You install the app on your phone, and then when you sign into your email you get a prompt on your phone that you tap to verify it’s really you trying to sign in.

    • Verification code: This option sends you a one-time numeric code, either by SMS or voice call, that you insert to verify your identity.

    So here’s how 2FA works when you want to access your account: you type in your username and password and click submit. The online service then sends an automated request for your second piece of info — an SMS with a verification code, a Google authenticator prompt, or something else that you’ve set. Only once you confirm your identity via this second piece of information will you get access to your online account.

    Two-factor authentication adds an extra layer of security to your accountTwo-factor authentication adds an extra layer of security to your account.

    A hacker trying to break into your account — even a hacker who has your password — would be locked out without having that second piece of information.

    Two-factor authentication, explained

    For a more detailed definition of 2FA and to learn how you can use it to protect your digital identity, check out our own Michael McKinnon explaining two factor authentication, password protection, and why it's important for your online security.

    The three basic authentication factors

    The additional layer of authentication is generally one of three basic factors: something you know, something you have, or something you are. Here’s the type of information that fits into these three authentication categories:

    • Something you know: This could be a PIN code, the answers to your security questions, and, of course, your password.

    • Something you have: This generally refers to a physical object, such as a security token (a small hardware device) or an ID card. It can also refer to your phone, which you can verify possession of using a special app like Google Authenticator or an SMS code.

    • Something you are: This refers to biometric data, and usually comes in the form of your fingerprint or facial scan — such as with Apple’s Touch ID or Face ID — or a retina eye scanner.

    A classic example of 2FA in everyday life happens when we use an ATM: Withdrawing money from an ATM requires something you have (your bank card) together with something you know (your PIN). But when you sign into an online account with your username and password, even though you’re providing two pieces of information, those two items don’t satisfy the criteria for 2FA, because both are something you know. Thankfully, most email accounts let you add an additional layer. We’ll get into that in a bit.

    Before 2FA: why passwords aren't enough

    You may be wondering: Why should I use 2FA? Isn’t a password good enough to protect my online accounts? First of all, is your password strong enough? Hackers can use brute force attacks or “password spraying” (trying out a list of the most common passwords) to easily crack weak passwords. So you should avoid using anything too obvious, like words found in the dictionary. 

    Even if you do have a highly complex password, there are still several ways crafty hackers can figure it out:

    • Data breaches: When a large organization is breached, millions of people’s usernames and passwords (and other sensitive data) can wind up for sale on the dark web. Cybercriminals can buy lists of these usernames and passwords and attempt credential recycling, where they try to use these credentials all around the web to see what accounts they can access. That’s why you should never reuse passwords for multiple accounts.

    • Spyware: This insidious type of malicious software can spy on you. Specifically, keylogging software can discreetly record everything you type — including your usernames and passwords — and send it back to the hackers who secretly installed the malware on your device.

    • Phishing: Phishing is a type of social engineering scam in which cybercriminals impersonate a business or trusted contact in order to trick you into revealing personal information. In this case, it could be a fake email asking you to confirm your username and password for an online service you use — but typing it in sends your info straight to the scammer.

    If your password is exposed and winds up with a hacker, but you use 2FA, they still can’t breach your account. That’s what makes 2FA such a powerful security measure.

    How to set up two-factor authentication

    To set up two-factor authentication, you first need to make sure that the online service you’d like to use it for — like your email, bank, and social media apps — offers it (most will). Check out this link for detailed instructions on setting up 2FA on your Gmail account.

    To use a concrete example here, we’ll walk you through setting up 2FA on your Facebook account.

    1. Open up your Facebook account.

    2. Click the triangle in the upper-right corner and select Settings.Opening up Settings in Facebook on desktop.

    3. Select Security and Login on the left menu, and then look for Use two-factor authentication. Click Edit.

      Accessing security and login settings in the Facebook app on desktop.

    4. Facebook will give you two options for 2FA: using an authentication app or SMS. Choose your preference.

      Selecting the two-factor authentication settings in the Facebook app on desktop.

    5. If you want to use Google Authenticator and you don’t yet have it, now’s the time to head over to the Google Play store or Apple’s App Store and download it.

    6. Open up Google Authenticator on your phone and scan the QR code on the screen.


    7. On your phone, you’ll see and confirm that you’re adding 2FA to your Facebook account. Click Continue on your computer screen.

    8. Facebook will ask that you enter a code from Google Authenticator. This code changes every few seconds so only you have access to it. Enter the six-digit number and click Continue.

      Entering in the confirmation number to confirm setup of 2FA.

    9. Facebook will confirm that 2FA is on. That’s it!

      Confirmation of 2FA setup on Facebook.

    You should enable 2FA on every account possible — especially your online banking and other sensitive accounts.

    But is 2FA secure or can it be hacked?

    While 2FA is much safer than a password alone, it’s not 100% foolproof — unfortunately, nothing online is. But most hackers don’t target specific people. Instead, they target easy victims with weak security. And if one person proves hard to crack, they’ll usually move on to someone easier. For that reason, 2FA keeps you safe in almost all cases.

    But if a hacker is targeting you specifically, and has a lot of time and resources available, they might be able to find a way to break in. How? Well, a hacker might be able to install malware on your system that copies over the code from Google Authenticator. But that would still give the hacker only seconds to intercept the code and enter it in before you yourself gained access.

    Alternatively, a crafty cybercriminal might pursue a social engineering hack that involves convincing a mobile operator to transfer your phone number over to them. Then, when an SMS code is sent as your second piece of verification information, it actually goes to them instead of you.

    Most hackers don’t target specific people. Instead, they target easy victims with weak security. And if one person proves hard to crack, they’ll usually move on to someone easier.

    Yet another way a hacker could get around 2FA would be to send you a phishing email saying that you’re about to get an SMS code. At the same time, the hacker tries to access your account, triggering a real request for an SMS code. When you accidentally send the real code to the criminal, they can then use it to crack your 2FA and access your account.

    You’ll notice that the three scenarios described here each require an extreme amount of effort, impeccable timing, and a unique interest in scamming you personally. But most hackers don’t care whom they scam, as long as they can make as much money as possible. In fact, most cybercriminals try to maximize profits while avoiding detection, and spending a lot of time and effort on one individual doesn’t make much sense.

    Of course, if you’re a celebrity or a billionaire, you should definitely consider investing in even more secure protocols. But for the average person, 2FA provides a robust level of security.

    As mentioned above, when hackers do get their hands on your personal information — like passwords, social security numbers, or bank details — they often put them up for sale on the dark web. If you’ve been using the internet without 2FA, it’s a smart idea to do a dark web scan to determine if any of your current or past info has leaked.

    But monitoring the dark web continuously is a fool’s errand. Thankfully, a privacy monitoring service like AVG BreachGuard can do it for you. Enjoy 24/7 dark web monitoring, data leak notifications, and tips and advice on how to shore up your privacy and security protections.

    So, what's multi-factor authentication (MFA)?

    Two-factor authentication is a subset of multi-factor authentication (MFA). MFA can refer to using two authentication factors, or three. So every time you use 2FA, you’re also using MFA. 

    Facilities that require strict security, such as government facilities with highly classified information, offer some examples of using multi-factor authentication that goes beyond 2FA. These buildings may require a PIN code (something you know), an ID badge (something you have) and a fingerprint scan (something you are) in order to grant access.

    Some tech companies, banks, or other highly secure enterprises may also require three-pronged authentication to access online accounts. But most average users will find 2FA sufficient for securing their personal accounts.

    Have your logins already leaked?

    Adding 2FA to all your online accounts is one of the most important steps you can take right now to dramatically improve your online security. But what about all the years you’ve been using the internet and accessing your personal accounts without 2FA? If your passwords have already been exposed, you may not know about it. So what can you do? You can enlist a privacy monitoring service to see if any of your sensitive personal data has leaked.

    AVG BreachGuard will help protect your private data with privacy risk monitoring, including 24/7 dark web monitoring. If your personal information is ever exposed, AVG will let you know immediately, and help you take appropriate action. 

    Plus, you’ll get a security audit that will assess your current security protocols and offer suggestions on how to improve your passwords and tweak your settings for tighter security. In the fight against hackers, AVG BreachGuard is a crucial weapon to add to your arsenal. Start protecting your sensitive personal data today.

    Connect privately on your Android with AVG Secure VPN

    Free trial

    Connect privately on your iPhone with AVG Secure VPN

    Free trial
    Nica Latto