How Does Two Factor Authentication (2FA) Work?

What Is Two-Factor Authentication? How Does It Stop Fraud?

When scammers took over Kai Chin’s phone number, they didn’t use it to make scam calls — instead they stole $65,000 from the California man’s Citibank account. Without two-factor authentication in place, scammers were able to gain unauthorized access to six other Citibank customers’ accounts in addition to Kai’s — stealing over $600,000 [*].  

In 2024, scammers increasingly target online accounts — even more than Social Security numbers (SSN). 

Unfortunately, passwords no longer provide enough protection to keep your accounts safe. In the past year alone, billions of passwords have been leaked in data breaches from companies such as PayPal, LifeLock, and LastPass. 

If scammers have your passwords, your accounts (and money) could be at risk. Yet, according to the latest research from Duo [*]:

“Only 67% of Americans use two-factor authentication to protect their accounts.”

Two-factor authentication (2FA) is one of the best methods to secure your online, financial, and sensitive accounts — but it’s not foolproof.

In this guide, we’ll explain how 2FA works, the different types of 2FA that you can use, and which ones will keep your accounts the safest.

{{show-toc}}

How Does 2FA Work?

Two-factor authentication (2FA) — or two-step verification — is a security system that requires users to provide two distinct forms of identification to access accounts, resources, and data. 

Along with your username and password, 2FA requires a second authentication factor, such as:

• Knowledge factors. These are specific details that you know — for example, a one-time password (OTP), a personal identification number (PIN), or the answer to a security question.
• Possession factors. These are items that you have — for example, a smartphone, security key, or security token.
• Inherence factors. These represent who you are — for example, biometric security, such as fingerprints or facial recognition.

When you have 2FA enabled, it safeguards your account information against hackers. Even if someone discovers your passwords after a data breach, it's unlikely they will also have access to your second factor.

How To Enable Two-Factor Authentication on Your Accounts

In 2024, most apps and online services offer 2FA — but it’s usually not enabled by default. 

While the process will be slightly different for each account and service (social media, email, etc.), you’ll most likely find 2FA under your account security settings. 

For example, here’s how to set up 2FA on a Gmail account:

1. Open Gmail in your browser.
2. Select your profile picture or initials in the top-right corner, then select “Manage your Google account” to open your Account page. 
3. Open the “Security” tab, then scroll down to the “Signing in to Google” section.
4. Select "2-Step Verification," then "Get Started."
5. Enter your Google password to get permission to make the changes. After gaining access, follow the prompts and review the options to set up 2FA on your chosen device.
6. Select “Continue.”
7. At this point, you should also back up your account with another phone number; or hit “Use another backup option” to get a set of 2FA backup codes.
8. Select "Next" and "Turn On" to finish the 2FA setup process.
9. Now, when you log in to your Gmail account, you’ll be prompted to enter a 2FA code that’s sent to your mobile device (or other authentication tool).

You can check the 2FA directory to find out which services offer 2FA. The process for many popular platforms — like Facebook, Twitter, or Reddit — is similar to email. 

🎯 Related: I Think My Gmail Was Hacked! How To Secure Your Email →

Which Type of 2FA Is Most Secure?

1. 2FA codes via SMS or phone calls
2. Authenticator apps that provide time-based OTPs
3. Push notification 2FA codes
4. Hardware devices that give 2FA codes
5. Biometric 2FA

Most people are familiar with 2FA codes that are sent to their smartphones. But this isn’t the only — or the most secure — option. 

Here’s a rundown of five different 2FA methods, their pros and cons, and any security issues that you should be aware of. 

1. 2FA codes via SMS or phone calls

SMS-based two-factor authentication relies on a one-time password delivered to the user via text message.

How it works:

• You add your cell phone number to your online account.
• When you log in with your username and password, you receive an SMS with a one-time password (OTP).
• You must enter the OTP into the login form to prove your identity and gain access to your account.

2. Authenticator apps that provide time-based OTPs

Authenticator apps work much like the text-based 2FA method, but you get the authentication code in the app instead of via SMS. 

How it works:

• Download an authenticator app like Authy or Google authenticator. You’ll need to edit your 2FA settings on your accounts to connect to the authenticator app.
• When you try to access your online accounts, you’ll be required to open the authenticator app on your smartphone, which shows a unique verification code that changes about every 30 seconds.
• Enter the code to gain access to your account.

3. Push notification 2FA codes

Push authentication is a mobile-centric form of identity verification in which the service provider sends the user a notification directly to a secure application on the user’s device.

How it works:

• When you enter your login credentials on a computer, the system sends a push notification to the smartphone connected to the account.
• When you receive the push authentication request on your smartphone, you can tap to approve or deny the request. Or, you may receive a special code sent directly to your phone or to another secure app.
• The web server receives the approval and grants access to the user on the computer.

4. Hardware devices that give 2FA codes

A hardware authentication token, like a USB security key, is a possession factor that has a built-in private cryptography key that you can use to authenticate your online account.  

How it works:

• You visit a web service on your device and begin the login process.
• The service prompts you to authenticate your account with your hardware token.
• You must connect your physical authentication token or key fob via USB, NFC, Bluetooth, etc.
• Next, you'll need to press a button, enter a PIN code, or scan a fingerprint.
• If the authorization gesture is valid, the token authorizes the user and grants access to the account.

🎯 Related: Can Bluetooth Be Hacked? Bluetooth Security Tips for 2024 →

5. Biometric 2FA (fingerprints, facial recognition, etc.)

Biometric authentication methods verify identity and manage access through unique biological characteristics. This may include physical attributes (fingerprint or facial features), or behavioral characteristics (speech patterns or typing rhythms).

How it works:

• After entering your password, you'll be prompted to enter your biometric information. This could mean pressing your fingerprint on a sensor or looking into a camera for a retina scan.
• The system compares your "sample" with what you used when setting up the biometric 2FA.
• Once your identity is verified, you will gain access to the account or application.

If You Use Strong Passwords, Do You Need 2FA?

The bottom line is: 2FA is one of the only ways to ensure that your sensitive accounts are safe.

The average American has 240 online accounts. This makes it nearly impossible to use (and remember) complex, long, and unique passwords for every account [*].

To make matters worse, hackers have sophisticated techniques for discovering your login credentials.

In 2022, there were 1,862 publicly disclosed data breaches impacting over 422 million Americans — the largest number reported in a single year [*].

With 62% of people reusing passwords (or close variations), even a single data breach could put your accounts at risk [*].

Two-factor authentication neutralizes the risks associated with compromised passwords.

Even if your password is leaked or stolen, 2FA provides an additional layer of security. Scammers can target you with phishing, social engineering scams, or malware — but 2FA will keep your accounts secure (as long as you don't give away your 2FA codes).

2FA vs. Multi-Factor Authentication (MFA)

Two-factor authentication requires exactly two authentication factors to access an account. By comparison, multi-factor authentication (MFA) requires two or more authentication factors.

As such, all 2FA methods are types of MFA — but not all MFA methods are types of 2FA.

In theory, MFA should be more secure, as it requires additional pieces of evidence before granting a user access. However, many users seek to accelerate the login process by using simpler passwords. Ironically, this can make MFA weaker than 2FA.

As a general rule of thumb, 2FA is good for accounts that you regularly access, like your email or banking accounts. Choose MFA for high-value accounts that you rarely access, such as your Social Security account or medical records.

🎯 Related: How To Protect Yourself Against Tax Identity Theft (2024) →

How To Keep Your Online Accounts Secure (Beyond 2FA)

Unfortunately, not every account or service provider offers 2FA. If you use any service that doesn’t give you this option, you need to think carefully about how you secure your sensitive information. 

Here are 10 actionable ways that you can go beyond 2FA to secure your accounts:

• Use long and unique passwords for each account. Avoid reusing passwords or close variations on sensitive accounts. Instead, keep each account secure with a unique and complex password.
• Store your passwords in a password manager. Avoid saving passwords in your browser, as this exposes you to phishing attacks. A dedicated password manager keeps your passwords in an encrypted vault. This way, you can use complex and unique passwords without worrying about remembering them all.
• Keep your software and operating system up to date. The latest updates contain security patches to defend against malware and emerging cyberattacks. Don’t ignore them.
• Watch out for red flags indicating that you’ve been hacked. If your passwords suddenly don't work or you get emails or texts about unrecognized login attempts, your accounts might be at risk. Familiarize yourself with the warning signs of a hack to keep your devices and accounts safe.
• Don’t click on suspicious links or download unknown attachments. Phishing attacks only work if you click on malicious links or engage with scammers via bogus websites or phone numbers. If you receive unsolicited communications, always contact the company directly through its official website. 
• Protect your devices and network with antivirus software. Scan your device to detect any existing vulnerabilities or new cybersecurity threats.
• Use a virtual private network (VPN). Activating a VPN hides your internet protocol (IP) address, data, and location. This makes it extremely difficult for hackers to spy on your browsing activity and data.
• Disable ad tracking. Companies collect personal data for marketing purposes. But if hackers steal this data, it can expose you to identity theft. Disable trackers by declining cookies, or use Safe Browsing tools to block ads and trackers automatically.
• Set stricter privacy settings. The default settings of most applications help companies gather your data — as opposed to keeping it private. Review your privacy settings to ensure that you aren't publicly disclosing confidential information.
• Use Aura’s free Dark Web scanner to check for exposed data. Aura scans the Dark Web for your personal information, including your passwords. Aura’s scanner will alert you if suspicious activity is detected, so you can make changes to any compromised account before it's too late.

🎯 Related: Citibank Customer? Watch Out For These 8 Scams →

The Bottom Line: Passwords Aren’t Enough

It doesn’t matter if you use iOS or Android devices — passwords are no longer good enough on their own. Using two-factor authentication on your mobile phone and computer makes it much harder for hackers and scammers to target you.

For a higher level of security, consider an all-in-one digital security solution.

With Aura, you get:

• Award-winning identity theft protection that monitors your Social Security number (SSN), financial accounts, and more for signs of fraud.
• Antivirus software to scan your devices for existing vulnerabilities and isolate new threats. 
• VPN and malware protection to keep all of your devices safe from hackers and malware by using military-grade encryption and Wi-Fi protection.
• 24/7 three-bureau credit monitoring with rapid fraud alerts that are up to 4x faster than other digital security providers.
• Dark Web monitoring to scan the internet and alert you if any of your personal information is circulating on the Dark Web.
• $1,000,000 insurance policy to cover eligible losses due to identity theft, such as stolen money, credit cards, and passports.
• White Glove Fraud Resolution Specialists that provide U.S.-based 24/7 support to help you navigate challenges with banks, creditors, and government agencies.

Stay safe from hackers and scammers. Try Aura free for 14 days →