Two-factor authentication (2FA): How it works and how to enable it
As a result, you’ll be able to set up a 2FA security process for your Instagram account online by following the exact same process we’ve outlined above for your Facebook account. When you get to the step that requires you to click on the account that you want to add two-factor authentication to, just pick your Instagram account. The maker of one of our favorite password managers, Bitwarden, released a 2FA app that you can use without a Bitwarden account. We don’t recommend that people store their 2FA codes in a password manager, so we appreciate that Bitwarden introduced a separate app. The app has a clean design and we found it easy to use, but it doesn’t let you set a password to secure your backups the way Duo does. Authy, like Duo Mobile, is a corporate app that offers a free and very capable 2FA app for consumers.
Duo Mobile walks you through a quick tutorial the first time you add a new site. We especially liked that it explicitly instructs you to enter the generated code back into the site you’re enrolling—a step that’s easy to miss, especially if you’re new to 2FA authenticator apps. Unlike security keys, authenticator apps are free, supported by many sites, and work with the smartphone you already have. Unlike SMS codes, authenticator apps work without a data connection, and they generate codes on your phone, so the codes can’t be intercepted. This method is very similar to the SMS method above but common implementations include having the user enter a 5-10 alpha-numeric token or clicking a link provided in the email. With support for a large array of authentication methods, logging in via push notification is fast and easy with Duo Mobile.
Once it has been set up, your 2FA process will involve occasionally being prompted to copy a code or click through a link sent to the secondary identification source.
Authenticator apps—such as Google Authenticator, Authy, Microsoft Authenticator and Duo—can generate tokens without a network connection. A user pairs the authenticator app with a service, often by scanning a QR code. The app then continuously generates time-based one-time passwords (TOTPs) for the paired service. Multi-factor authentication is a security process that enables the use of multiple factors of authentication to confirm a user is who they say they are.
Passwords have remained the most common form of SFA on laptops and other devices because of their low cost, ease of implementation and familiarity. The most popular email services, cloud-storage services, and social networks all support an app as a second factor of authentication. You can find a list of many websites that support two-factor authentication here. Major platforms also support 2FA, including Apple, Google, and Microsoft.
Hardware token devices are generally expensive for organizations to distribute. Furthermore, they are easily lost by users and can themselves be cracked by hackers, making them an insecure authentication option. For instance, a shared secret and a password belong to the knowledge authentication factor type. A push notification is passwordless authentication that verifies a user by sending a notification directly to a secure app on the user’s device, alerting the user that an authentication attempt is happening. The user can view details of the authentication attempt and either approve or deny access, typically with a single tap. If the user approves the authentication request, the server receives that request and logs the user in to the web app.
Once 2FA is up and running on your Apple account, you can add additional trusted devices. These are special codes that let you log in even when you can’t use your second factor. Typically the site generates these for you, and you write them down in a secure location for use only in emergencies. Backup codes are useful only if you’ve saved them before getting locked out, so make sure you’re prepared.
In other words, you need to know how to turn on two-factor authentication for iPhone. To bolster your security, open up the Settings page within your account and follow these steps. 2FAS is one of the best-looking apps we tested, and we especially liked how clear its onboarding process was. It also offers backups, and it can sync codes between your phone and a browser extension—although we’re not sure that eliminating the friction of typing in 2FA codes is necessarily a good thing.
That user might need to add a second factor to log in from a new device or an unknown network. The two most common types of possession factors are software tokens and hardware tokens. When a user enters their login credentials, they will receive a call to their mobile device that tells them the 2FA code they need to enter. This factor is used less frequently but is deployed by organizations in countries that have low smartphone usage levels. Two-factor authentication is a subset of multi-factor authentication (MFA).
What types of two-factor authentication (2FA) are there?
For example, it is easy for a user to accidentally confirm an authentication request that has been fraudulently requested by quickly tapping the approve button when the push notification appears. Security can be enhanced with challenge-response questions or adaptive MFA, which adds a contextual layer to the process. It evaluates user behavior and characteristics, such as frequency and timing of access attempts for identity verification.
Skip a second step on trusted devices
Instead of a single authentication factor, MFA uses two or more factors to make sure it’s really you accessing the account and not an unauthorized third party. While SMS text-based OTPs are some of the most user-friendly possession factors, they are also the least secure. Users need an internet or cellular connection to receive these authentication codes, and hackers can use sophisticated phishing or man-in-the-middle attacks to steal them. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords.
- However, two factors from the same category don’t constitute two-factor authentication.
- Software tokens can be sent to a user’s phone by text message, email or voice message.
- If an attacker compromises the device, the push notifications are also compromised.
- Select the Security tab, then on the next page you’ll see an option to select Two-Factor authentication in the top right corner.
- This shortcoming was brought to light shortly after the backup feature launched, in 2023, and it was later confirmed by the company.
For example, for iPhone users, two-factor authentication is tied directly to their Apple ID. When you try to sign in on a new device, a verification code is automatically sent to your other trusted Apple devices, like your iPhone or Mac, creating a secure link between your identity and your hardware. While two-factor authentication is stronger than single-factor authentication methods—especially those that use only passwords—2FA is not foolproof. Specifically, hackers can abuse account recovery systems to sidestep 2FA and seize an account. Passwordless two-factor authentication systems accept only possession, inherent and behavioral factors—no knowledge factors.
This is convenient, but security experts we’ve spoken with caution against this practice. Although it’s unlikely to happen, if an attacker were to break into your password manager, they would have access both to your passwords and to your 2FA codes. If using a password manager for 2FA is the only way two-factor can work for you, be aware of the risks, and make sure to use a strong password and enable 2FA for your password manager. Microsoft Authenticator is from a trusted name, includes backups if you log in with your Microsoft account (although you can use it without an account), and offers clear and friendly instructions to new users. But like most corporate 2FA apps, it’s a little too focused on securing Microsoft accounts.
Passkeys are still very new, so even if you want to try them out, you’ll still need 2FA apps for all of the sites that don’t yet support passkeys. We also saw several apps with ludicrous fees, some of them even charging users to generate codes for specific sites. When you search for a 2FA app, make sure that you download the correct one. If you decide to do your own research, we strongly suggest that you avoid any 2FA app with in-app purchases in its app store listing.
Authenticator apps replace the need to obtain a verification code using text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password as their knowledge factor. Instead of having to wait a few seconds to receive a text message, an authenticator generates the number for them. By entering the correct number, users complete the verification process and prove possession of the correct device, which is their possession factor. A second layer of protection can be the difference between digital assets that are secure and those that attackers will happily (and quickly) compromise.
If you want to move, rename, or delete an entry, just tap the three-button menu. First, download the Microsoft Authenticator app, which is available for iOS and Android, and log in. Select the Security tab, then on the next page you’ll see an option to select Two-Factor authentication in the top right corner. You can define rules such as when accessing mission-critical applications from outside of your company’s intranet, when accessing from a different device or from a new location.
Increased Security & Peace of Mind
These services use authenticator apps or SMS passcodes to verify it’s really you. Authenticator applications replace the need to obtain a verification code via text, voice call, or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password—a knowledge factor. By entering the correct number, users complete the verification process and prove possession of the correct device—an ownership factor. At its core, 2FA is a security process where a user must provide two different authentication factors to verify their identity.
If you haven’t seen your data exposed in a major data breach within the last five years alone, you haven’t been paying attention. In just one example, 26 billion records were exposed in a single dataset in 2024. The LastPass Authenticator is well designed, and it provided one of the best onboarding experiences we saw. However, it required that we create a LastPass account and also install the LastPass app in order to use its backup feature. We still have concerns about LastPass’s future after several recent security issues. We recommend that you always double-check that the site URL is correct before you log in.