
Over the past few years, you may have heard a number of companies, app makers and service providers announce that they're launching two-factor verification (2FA), two-step authentication (2SA) or multi-factor authentication (MFA).

If you ever wondered what the heck it even is, or whether it's worth using, we'll attempt to answer your questions in this feature.

What is two-factor authentication?

Breaking it down to the most simple explanation, it's basically adding a second layer of protection to your account, app or service to go alongside your regular method of logging in.

In most instances, this involves receiving a code by SMS to your mobile number or from an app like Google Authenticator.

In some cases, you might just get a notification on your phone from a specific app (for example via Google or Facebook) that lets you just tap to approve a login.

How does two-factor authentication make your account more secure?

The idea is that you're adding a confirmatory step to your sign-in attempt. Using the SMS example, it means no one can log into the account from a new device - even if they have your password - because the verification would be sent to your phone number.

When someone tries to log into your account and hits "submit", they'll be taken to a screen asking for a code. That code has been sent to the registered mobile number as an SMS.

Does two-step authentication always need a mobile number?

Not always - there are a range of implementations for 2FA.

As an example, WhatsApp can't use your mobile number as its second verification method, because that's the primary method for logging in. So instead, it asks you for a six-digit PIN every so often, or when you log in from a new smartphone.

While Apple does use SMS verification for iCloud account security, it also uses its "Trusted Devices" method. Using this method, it sends a code directly to a trusted and verified device, which then pops up in a little window on the screen. Google has a similar system where it can ask you to confirm sign-in from another device on that account.

Where SMS isn't used there's often the option of getting a two-factor authentication code from a dedicated app like Google Authenticator. These apps display a time-sensitive code that changes after a set period, so a code that's been seen is soon useless, while you still get quick and easy access to your account.

There are even some services that ask you to use a security key. This means there's a physical security device to unlock accounts, usually featuring a USB connection so you can plug it into a device to authenticate - some use fingerprints and some offer NFC. The advantage of a physical key is that it can't be hacked - the downside is it can be lost or stolen.

What if I've lost my phone?

Most services offer more than just the phone number SMS method for logging in. Nearly all of them will offer you the ability to generate backup codes or, like Apple, give you a recovery key that's a really long chain of letters and numbers which you can input instead of using your password and SMS code.

In many cases when you land on the verification page you'll have the option to select another method from that app's default. That will often mean that you can use something else if it's simpler.

Is 2FA worth it?

Yes. Absolutely. Once it's set up it only adds one extra step to logging into your account from a new device or browser.

It's always worth doing, and failing to do so can leave you open to privacy nightmares. An article by the Washington Post revealed just how dangerous this can be. There have been several reports of incidents where owners of smart home cameras have had their devices hacked and been spied upon by criminals simply because they failed to use a secure password and activate two-factor authentication.

On the off-chance that someone has got your password, and tries to get into your account, you'll have the peace of mind of knowing that they can't get in without also having your phone which - even if they have - is likely locked and protected behind a password, pattern or fingerprint.

To add further privacy, there are settings within Android and iOS to ensure that you can stop SMS notifications from showing up on a lock screen. Just head to Settings > Notifications and select which apps you want to display information on the lock screen, or choose to hide sensitive information (on Android).

How to move Google Authenticator to a new phone

If you've set up Google Authenticator on your phone and have multiple accounts connected to it from different sites and apps you may be worried about moving to a new device.

If you buy a new phone, whether an Android or an iPhone, it's now possible to move an entire Google Authenticator account to the new device in one go without having to move each account individually. Which is awesome.

To do this, open the Google Authenticator app on your old device, tap the menu button and choose "Transfer accounts", then select "Export accounts". Select all the accounts you want to export, then tap next. That will generate a QR code (or two) that can be scanned.

Keep that on screen, then open up the app on your brand-new phone. Tap the same menu button and "Transfer accounts", then select "Import accounts". You'll then have the option to scan the QR code on the original phone and import the entire list of accounts in one easy action. Hassle-free security on your new device. Just don't forget to wipe your old phone if you're not using it anymore, as the accounts will still be on there as well.

How do I activate two-factor verification?

For most accounts that you have, you'll normally find the two-factor verification option in your account security settings. This usually just means finding your settings options, which is normally straightforward. Most services you log in to will have an option, but here are a few of the more popular services:

How to enable Apple two-step verification

For your Apple ID or iCloud account you head to appleid.apple.com, then log into your account and look for the two-step verification in the Security section, and choose to turn it on.

You'll then go through a setup process that's really simple to follow. Also, be sure to create a recovery key and then make a note of that somewhere safe, where you know you'll never lose it.

How to enable Google 2-step verification

For your Gmail/Google account, log into any Google service, or just go to Google.com and click on your profile image in the top right corner, then select "My Account". Click the "signing in to Google" option under the Sign-in and Security tab. Look for the 2-Step Verification option and choose to activate it.

Here you can add your phone number, choose to get a Google Prompt on your phone, set up some backup codes that you can print off, or download and install the Authenticator app on your Android phone or iPhone.

How to enable Twitter login verification

Log in to Twitter on desktop and click the small image thumbnail in the toolbar, then select "Settings and privacy" in the drop-down menu. Tick the "Verify login requests" box in the security options, and follow the steps to activate 2FA. Note that SMS verification with Twitter is now only available to Twitter Blue subscribers.

How to enable Facebook two-factor authentication

In Facebook on the desktop site, click the little globe icon in the toolbar, then go to Settings > Security and login, then choose "Use two-factor authentication".

You can add your mobile number for text message codes, add security keys to log in by USB or NFC, or generate codes in the Facebook mobile app. You can also generate specific app passwords to use once for apps that don't support Facebook's two-factor authentication.