- Products
- Renew
- Articles
- Support
- Free tools
- F‑Secure Text Message CheckerCheck with AI if a text message is a scam
- F‑Secure Online Shopping CheckerCheck for free if a website is safe to buy from
- F‑Secure Identity Theft CheckerCheck if your personal information has been part of a data breach
- F‑Secure Strong Password GeneratorCreate strong passwords for free
- F‑Secure IP CheckerCheck your IP address and location
- F‑Secure Online ScannerScan and clean your PC for free
- F‑Secure Router CheckerIs your internet connection safe?
- View all free tools
- Scam protection
- My F‑Secure
What is two-factor authentication (2FA)?
Two-factor authentication (2FA) is an extra layer of protection for your account. Enable 2FA and protect yourself from account takeover and identity theft. Learn why you should use two-factor authentication on all your accounts.
Logging in with two-factor authentication involves a second step to authenticate yourself. Instead of only inserting your username and password, you must also prove your identity in some other way. The second step in two-factor authentication can involve a code sent to your phone with a text message, a personal question only you can answer, your fingerprint, or a mobile app, for instance.
Two-factor authentication is sometimes also called two-step authentication, two-factor verification, or simply 2FA. The term MFA or multi-factor authentication is used to refer to methods of authentication that involve two steps or more. 2FA and MFA improve your online security by making it more difficult for hackers to access your accounts and steal private information.
How does two-factor user authentication work?
When logging into an account, the user’s identity is traditionally confirmed with a username and password. Using a strong password takes you a long way, but even a password does not protect you if it gets stolen. With tools and methods to hack or steal login credentials, a password and username are no longer enough to protect your personal data.
The username is often your email address and it is usually visible to everyone. Therefore, it is not difficult to guess or find out. And let’s face it, it is often much easier to use the same password for several accounts or choose a password that is simple and easy to remember. When the same password is used on more than one account, criminals can easily access many accounts at the same time. Consider using a password manager to help generate and store strong passwords.
The methods of two-factor authentication can be divided into three categories:
- Something you know. This can be a password, PIN code or an answer to a personal question, for instance.
- Something you have. In this case, you will need a physical object for identifying yourself, such as your phone or credit card. There are even physical security keys used for multi-factor authentication.
- Something you are. This method of multi-factor authentication is very secure as it involves some biometric pattern, such as the user’s face, fingerprint or voice.
In order to prevent their users’ accounts from getting hacked, many online services and websites have adopted two-factor authentication. However, in many cases, two-factor authentication is not on by default. Instead, it is up to the user to switch it on manually from the account settings. The way 2FA is turned on in each service and how the authentication works in practice depends on the service. For example, 2FA may be required only when logging in to a new device or every time the user tries to log in to their account.
Why should you use two-factor authentication?
For maximum protection, we recommend enabling two-factor authentication on as many user accounts as possible. Unfortunately, not all services offer two-factor authentication yet, so you will have to rely on using a strong and unique password for logging in.
The methods and tools used by online criminals and scammers are constantly getting more nuanced. Therefore you must ensure that no one but you can log into your accounts and access your valuable information. Although two-factor authentication may seem complicated, it is a simple way to improve your safety online. Here’s how 2FA can help you stay safe:
- Prevent account takeovers. If an online criminal manages to break into your account, they can steal personal information, such as credit card information, and use them to make purchases online.
- Prevent identity theft. In addition to account takeover, you may be at risk of becoming a victim of identity theft. The consequences can be serious and expensive if you do not act in time.
- Prevent fraud in your name. If online criminals get access to your account on, for example, social media, they can use it to spread false messages in your name. For example, the fraudster can take over your Instagram account and try to sell bitcoins to your followers. That is why 2FA not only protects you and your reputation, it stops others from being scammed as well.
- Take care of your accounts. By enabling two-step authentication, you are forced to think more carefully about your online security. Many people use the same one or two passwords on multiple accounts because it is easier and more convenient than having to remember multiple strong passwords. Two-factor authentication is an effective way to raise awareness of online privacy and cyber security.
Multi-factor authentication methods
Based on the three categories, there are many methods used in multi-factor authentication.
- Personal question. You can set up a security question that only you can answer. Just make sure that the question and answer are not too obvious and easy to guess.
- One-time confirmation number. Every time you log in you receive a PIN code as a text message to confirm your identity.
- Face ID. The device must read your face to make sure it is you logging in.
- Fingerprint. Since everyone’s fingerprints are different, you scan your finger to identify yourself. Modern smartphones support this login method as well and can read your fingerprint through the mobile device’s touch screen.
- Voice recognition. To gain access to your account, the device has to recognize your voice first. Voice recognition can in some cases be tricked with pre-recorded samples of the real user’s voice.
- QR code. To log in, you must scan a QR code with an app.
- Authentication app. For example, many banks use a separate authentication app to log in. After inserting your login credentials, the service sends an authentication request to an app on your mobile device.
- Security key or token. Physical security keys, such as USB, NFE or Bluetooth devices, confirm your identity. You carry these with you, so they are secure as long as no one steals them.
How hackers can bypass two-factor authentication
Although 2FA improves the protection of accounts online and makes hacking into your accounts more difficult, there are still ways for online criminals to bypass two-factor authentication.
Social engineering
In social engineering, online criminals exploit one of the weakest links in people’s cyber security: the victims themselves. Manipulation of users to steal their sensitive information and gain access to their accounts is known as social engineering. One common method of social engineering is phishing. It involves messages and emails to trick people into giving away confidential information or infecting the victim’s device with malware.
To bypass two-factor authentication, an online criminal could impersonate a trusted authority and make up an excuse for why the victim should give away their security code. In case the attacker has already obtained the victim’s username and password, they are able to break into the account using the 2FA code.
Brute force
In cyber security, brute force attacks refer to repeated attempts to log in to an account. This is done most often with some kind of software that tries to guess an account’s password. In case there is no limit to how many times an attacker can input an incorrect password, sooner or later they will crack the code, in case the password is not secure enough. The longer and more complex the password, the longer it takes to break it with brute force.
The same applies to 2FA codes. Especially if the code is short, only four to six numbers, the code can be cracked using this method. To prevent this, the code might be active for only a short time or the authentication is limited by only a few failed attempts.
Reused tokens
Many methods of user authentication generate a token used for authentication on the spot. However, in some cases, there can be a list of tokens generated in advance. The hacker needs to know which token to use and they can bypass two-factor authentication. However, the hacker needs to first get the victim’s username and password as well.
Malware
Online criminals can use malware to bypass two-factor authentication and access the victim’s online banking account, for instance. Some advanced Android Banking Trojans are capable of impersonating legitimate banking apps and trick the victim into authenticating the criminal’s access themselves. In addition to online banking, similar malware causes harm in many cryptocurrency services.
Changing the victim’s privacy settings
The security code or token used for 2FA is often sent to the user’s phone with a text message. However, online criminals can exploit this method of authentication if they are able to change the user’s security settings. Hackers can change the phone number to which the security code is sent. Instead of the account’s real owner receiving the security code needed for authentication, the code is sent to the criminals who can then use it to access the victim’s account.
Keep your accounts safe with F‑Secure Total
Account takeover is unfortunately only one of many online threats. That is why you need an advanced cyber security solution to protect you from malware, hacking and other dangers online. F‑Secure Total not only comes with the tools to manage your passwords and warn you if your identity is at risk. It also offers an antivirus program to fend off viruses as well as a VPN to protect your privacy online. Try F‑Secure Total for free and stay safe on the internet.