Two-Factor Authentication


Two-factor authentication (usually abbreviated as 2FA) comes in different forms with some doing better than others.

Hopefully you have heard about two-factor authentication, its pros and cons. Requiring something beyond just a password to unlock your online accounts makes them harder to break into.

Tip: Keep in mind that two-factor authentication is different from two-step authentication.

Two-factor authentication is when you protect an account with two different types of authentication methods. A factor can be one of the following:

Something you know: This includes a piece of information, like a password or security question.

Something you have: For example, your smartphone or another physical device.

Something you are: A factor unique to your body such as a fingerprint or iris.

True two-factor authentication means you must unlock two checks from different factors before you can log in. If your account is protected by two locks of the same factor, this is called two-step authentication.

For example, a password and security question are both something you know, making this kind of authentication two-step but not two-factor. This still provides better protection than a password alone, but proper two-factor authentication is preferable. Two-factor authentication is a type of two-step authentication, but it’s not true the other way around.

Let’s look at these forms and their pros and cons:

1. Security Questions

You’re probably familiar with this method: when creating an account, you choose one or more security questions and set answers for each one. When logging into that account in the future, you have to provide the right answer to each question to validate your access.


Pros

They are easy to set up. You don’t need any equipment or devices; the answer is stored in your head.

Services usually provide a drop-down menu of questions; you just have to pick a few and give the answer.

Cons

Many security question answers are easy to dig up. People can find information like your father’s middle name or where you grew up on social media.

It’s also easy to accidentally divulge this sensitive info through social engineering, like phishing emails or phone calls.

2. SMS or Email Messages

In this type of two-factor authentication, you provide your mobile phone number when creating an account. When you want to log in, the service sends you a text message via SMS (or email, alternatively). This has a temporary verification code that expires before long. You have to input the string to finish logging in.

Pros

SMS messages (and email) are convenient because nearly everyone has access to them.

The messages arrive instantly, or at most in a few minutes.

You can usually transfer your phone number to avoid getting permanently locked out in case you lose your device.


Cons

You have to trust the service enough to share your phone number, as some disreputable services may use your number for advertising purposes.

You can’t receive the text containing your login code if you don’t have cellular service.

SMS and email are not secure communication methods. Though it isn’t easy, hackers can intercept SMS texts without ever touching your phone.

3. Time-Based One-Time Passwords (OTP)

Here, you use an authenticator app, like Google Authenticator, to scan a QR code that contains a secret key. This loads the secret key into the app and generates temporary passwords that change regularly. After entering your password, you’ll need to enter the code from your authenticator app to finish signing in.


Pros

You don’t need to have mobile service to access them once you’ve added the account to your authenticator app.

The secret key can’t get intercepted like SMS can since the secret key is stored on your device itself.

Certain authenticator apps, like Authy, can sync your codes between multiple devices to avoid getting locked out.


Cons

If your phone runs out of battery, you won’t be able to access your codes.

Because the codes use the time to generate, there’s potential for clocks to desync between your device and the service, which results in invalid codes. This is why you should always print the backup codes that services provide as an emergency login method.

If a hacker somehow cloned your secret key, they could generate their own valid codes at will, although it is usually unlikely. If the service doesn’t limit login attempts, hackers may still be able to compromise your account through sheer brute force.
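How the codes are derived, and how a service can handle the clock drift and brute-force concerns listed above, shown as an added example that is not code from this article or from any authenticator app. The Verifier class, its window and max_failures parameters, and the result strings are hypothetical; the secret is the published RFC 6238 test key, not a real account secret.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds each code stays valid (the RFC 6238 default)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(unix_time) // STEP, digits)

class Verifier:
    """Hypothetical server-side check for one account."""

    def __init__(self, secret_b32: str, window: int = 1, max_failures: int = 5):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.window = window              # steps of clock drift tolerated each way
        self.max_failures = max_failures  # wrong codes allowed before lockout
        self.failures = 0
        self.last_counter = -1            # highest time step already accepted

    def verify(self, submitted: str, now: int) -> str:
        if self.failures >= self.max_failures:
            return "locked"               # limits guessing of the 6-digit space
        current = int(now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                  # a code is accepted once, never replayed
            expected = hotp(self.key, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter, self.failures = counter, 0
                return "ok"
        self.failures += 1
        return "rejected"

# Constructed sample input: the RFC 6238 test key in the base32 form a QR code carries.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(SECRET, 59))                                  # code shown by the app
    print(Verifier(SECRET).verify(totp(SECRET, 59), now=65)) # phone clock a few seconds behind
```

A wider window tolerates more clock drift but also accepts more codes at any moment, so it should stay small and be paired with the failure limit.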

4. Push Notifications

Here, after you enter your password, you receive a push notification on your device with some information about the login attempt. Simply tap Approve or Decline to respond to the request.


Pros

They are much more convenient than opening your authenticator app and copying down a code.

They also contain information about who’s trying to log in, such as the device type, IP address, and general location. This alerts you to any malicious login attempts as they happen.

The push notification is tied to your phone, so there’s no risk of a hacker copying down your secret code or stealing an SMS. This method requires you to physically have your device with you to log in.


Cons

It requires your phone to be connected to the internet. Thus, if you don’t have a data connection and aren’t connected to Wi-Fi, you won’t get the login prompt.

There’s a risk of ignoring the information in the push and simply approving it without thinking. This could lead to you granting access to someone who shouldn’t have it.

5. Biometrics (Face, Voice or Fingerprint)

Systems use biometric authentication when it’s imperative that you really are who you say you are, often in areas that require security clearance, like the Government, and in online purchase systems.

Pros

Biometrics are extremely difficult to hack. Even a fingerprint, which is probably the easiest to copy, requires some kind of physical interaction. Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn’t unbreakable, but it’s pretty close.

Cons

A compromised biometric is compromised for life. You can’t change your fingerprint or face like you can a phone number. This is why biometrics are not ideal methods for two-factor authentication.

Most people aren’t comfortable giving up their face, voice, or fingerprints to companies.

The technology to use these factors properly would be too difficult to implement for everyday apps and services.

6. U2F Keys

Universal 2nd Factor (U2F) is an open standard that is used with USB devices, NFC devices, and smart cards. To authenticate, simply plug in a USB key, bump an NFC device, or swipe a smart card.


Pros

A U2F key is a true physical factor. As long as you keep them physically secure, they can’t be digitally intercepted or redirected.

U2F keys are phishing-proof because they only work once you’ve registered them with a site, unlike most two-factor authentication methods. This makes them one of the safest methods out there.


Cons

U2F is a relatively new technology, so it isn’t as widely supported as other choices.

Differences in USB ports between devices can be inconvenient. For example, a U2F key with a USB-A connector won’t work on your Android device, iPhone, or newer MacBook without an adapter.
