Two-Factor Authentication: protect your accounts

Learn what two-factor authentication is, how to enable it, and how it protects your accounts from attacks and credential theft.

Table of contents

  • The weaknesses of passwords
  • What is two-factor authentication
  • Three-factor authentication: the SPID system
  • How two-factor authentication works
  • How to get the second numeric authentication factor
  • OTP via SMS: why it’s better to avoid due to sneaky phishing
  • Dedicated applications to get OTPs
  • USB tokens for two-factor authentication: the future standard
  • How to enable two-factor authentication: Google, Facebook, Instagram
  • Services offering two-factor authentication
  • Evolution of 2FA: future security standards

Protecting online accounts has become crucial. One of the most effective defenses is two-factor authentication (2FA), a system that adds an additional security layer beyond just the password.

In this article, we will explore what two-factor authentication means, when and how to enable it, the different available methods, and the best solutions to securely manage digital credentials.

The weaknesses of passwords

Despite repeated advice to choose strong passwords, users continue to use weak and predictable combinations. Passwords like “123456” or “password” are still among the most common.

The problem worsens when the same password is reused across multiple platforms: a single breach then exposes every account that shares it, and attackers exploit this with credential stuffing, replaying leaked username/password pairs against other sites. Brute-force guessing, phishing, and leaked credential databases all show that a password alone is no longer sufficient to protect account access.

What is two-factor authentication

Two-factor authentication (2FA) is a security method that requires users to confirm their identity through two distinct and independent elements. The two elements must come from different categories; the three recognised categories are:

  • Something you know
    Such as a password, a personal PIN, or an answer to a security question.
  • Something you have
    Such as a smartphone, a physical token (like a USB security key), or an OTP authentication device.
  • Something you are
    A biometric trait such as a fingerprint or face, usually checked locally by the device that holds the second factor.

Two elements from the same category (for example a password plus a security question) do not count as two factors.

The goal of two-factor authentication is to create a second layer of defense: even if an attacker obtains or guesses your password, they will not be able to access your account without the second factor.

Why is it important?

Passwords, no matter how strong, can be compromised through:

  • Phishing (deceptive emails designed to trick users into revealing credentials)
  • Data breaches (passwords stolen from hacked servers)
  • Brute-force attacks (systematic attempts to guess passwords)

By adding a second authentication factor, the risk of unauthorized access is drastically reduced.

Practical example: Facebook login with 2FA

Imagine that Sarah wants to log into her Facebook profile:

  1. She enters her correct password.
  2. After entering the password, Facebook asks for a verification code generated by the Google Authenticator app on her smartphone.
  3. Only after entering the temporary numeric code is she allowed access.

If an attacker had her password but not her smartphone, they would not be able to log in.

Practical example with a physical token: YubiKey on Google

John uses a YubiKey configured for his Google account:

  1. He enters his password.
  2. Google then requests him to insert the YubiKey into the USB port of his computer.
  3. Only after touching the YubiKey button does the system grant access.

In this scenario, access would be impossible without physically possessing the security key.

Three-factor authentication: the SPID system

An example of going beyond two factors is SPID (Italy’s Public Digital Identity System), which defines three security levels rather than a single mode: level 1 uses only a username and password, level 2 adds an OTP generated by an app or delivered by SMS, and level 3 additionally requires a physical device holding a digital certificate (such as a smart card), so that a cryptographic signature is produced on a device the user possesses.

Level 3 is reserved for the most sensitive public administration services and transactions: an attacker would need the password, the OTP device and the certificate-bearing device to impersonate the user.

How two-factor authentication works

Two-factor authentication works by requiring users to pass through two separate verification steps before gaining access to an account or system.

Here’s a detailed look at the main steps:

1. Entering credentials

The first step involves entering your usual login information:

  • Username or email address
  • Password associated with the account

This represents the first factor: “something you know.”

2. Request for the second authentication factor

Once the first factor is successfully validated, the system requests a second verification element, which could be:

  • A temporary numeric code (OTP), generated by an authenticator app or received via SMS
  • A push notification sent to the registered device, asking the user to approve or deny access
  • A physical token or USB security key (e.g., YubiKey, Feitian) to be plugged in or tapped on the device

3. Access granted only after verifying both factors

Access is only granted after both authentication steps are successfully completed.
If either step fails, access is denied, effectively protecting the account even if the password is compromised.

Practical example: logging into an online banking service

  • Laura goes to her bank’s website and enters:
    • Username
    • Password
  • After login, the bank sends a push notification to Laura’s mobile app asking:
    • Confirmation of the login attempt
    • Biometric verification (fingerprint)
  • Only after approving via the app and successfully scanning her fingerprint, Laura gains access to her bank account.

Why is this system effective?

  • If an attacker steals Laura’s password, without access to her smartphone they cannot complete the second verification step.
  • If Laura loses her phone, well-designed services provide backup codes or a second registered device so she can regain access. These recovery paths should be set up in advance and guarded as carefully as the second factor itself, because an attacker who can trigger account recovery bypasses 2FA altogether.

How to get the second numeric authentication factor

A very popular method for the second factor is the use of numeric OTP (One Time Password) codes. These can be received via SMS, generated by specific applications or by dedicated hardware devices. Let’s look at the various possibilities in more detail.

OTP via SMS: why it’s better to avoid due to sneaky phishing

Receiving an OTP via SMS is common and easy to set up, but it is the weakest of the OTP delivery methods. Two attacks in particular undermine it:

  • SIM swapping: the attacker persuades or bribes the mobile carrier to move the victim’s phone number to a SIM the attacker controls, after which every SMS code is delivered to the attacker.
  • Real-time phishing: a fake login page collects the password, triggers the real site’s SMS, and asks the victim to type in the code, which the attacker relays to the real site within the code’s short validity window.

SMS messages can also be read by malware on the phone or intercepted on the carrier network, so SMS-based 2FA should be treated as better than nothing, but not as a strong second factor.

Dedicated applications to get OTPs

A safer method is using dedicated applications for OTP generation, such as:

  • Google Authenticator
  • Authy
  • Microsoft Authenticator

These apps implement time-based one-time passwords (TOTP, RFC 6238): during setup the service shares a secret key with the app, and each code is an HMAC of that key and the current 30-second time step, truncated to six digits. Because the code is computed locally, no mobile network, SIM or internet connection is involved, which takes SIM swapping and SMS interception out of the picture. One caveat remains: a code typed into a phishing page can still be relayed to the real site before it expires, so authenticator apps are resistant to interception but not to real-time phishing.

Example setup with Google Authenticator:

1. Download the app from Google Play or the App Store

2. Scan the QR code provided by the service (e.g., Facebook or Google); the QR code encodes the shared secret, so treat it like a password and do not keep screenshots of it

3. Enter the OTP shown by the app to confirm the setup, then store the backup codes the service offers somewhere safe and offline

USB tokens for two-factor authentication: the future standard

An advanced option for two factor authentication is using hardware security tokens like YubiKey.

These devices provide a physical second factor that must be plugged into the computer or tapped via NFC. With standards such as FIDO2 and WebAuthn, the key does not reveal a code at all: it signs a challenge issued by the website, and the browser binds that signature to the site’s origin, so a phishing page that relays what the user types gets nothing it can reuse. This phishing resistance is why hardware tokens are becoming the preferred form of two-factor authentication.

How to enable two-factor authentication: Google, Facebook, Instagram

Enabling two-factor authentication (2FA) on the most popular platforms is a crucial step toward strengthening your account security. Although the setup process is relatively simple, each platform offers different options for configuring and managing the second factor.

Let’s see how to do it in detail.

On Google

To secure your Google Account with two factor authentication:

  1. Sign in to your Google account via a web browser.
  2. Go to the Security section (found in the left-hand menu).
  3. Scroll down to 2-Step Verification.
  4. Click Get Started and follow the guided setup.

During the configuration, Google will ask you to choose your second factor. Options include:

  • SMS code sent to your phone number
  • Google Authenticator or another authentication app to generate OTPs
  • Physical security key (such as a YubiKey)

Practical example
You can choose to use Google Authenticator, scan a QR code, and start receiving time-based one-time codes for login.

On Facebook

To activate two-factor authentication on Facebook:

  1. Log into your Facebook account.
  2. Click the menu icon (top right) and go to Settings & Privacy > Settings.
  3. Navigate to Security and Login.
  4. Find the Two-Factor Authentication section and click Edit.
  5. Follow the prompts to choose your preferred method.

Facebook allows you to choose between:

  • Receiving SMS codes
  • Using an authentication app like Google Authenticator or Duo Mobile
  • Setting up a physical security key (supported on some browsers)

Tip: Facebook also lets you generate recovery codes to access your account if you lose your authentication device.

On Instagram

Instagram, owned by Meta, offers a similar setup:

  1. Open the Instagram app and go to your profile.
  2. Tap the three horizontal lines (hamburger menu) at the top right.
  3. Go to Settings > Security > Two-Factor Authentication.
  4. Tap Get Started.

Instagram offers several options:

  • SMS codes
  • Authentication apps (recommended)
  • Backup codes to store offline

Practical example
Choosing the authentication app method, Instagram will guide you through linking an app like Google Authenticator, which generates time-based one-time codes for each login.

In all cases, it is highly recommended to avoid relying on SMS alone to receive the authentication code, as this method is more vulnerable to attacks like SIM swapping and real-time phishing.
Using an authentication app or, better still, a physical security key is the safest choice, and the backup codes generated during setup should be stored offline.

Services offering two-factor authentication

Today, almost all major platforms offer two factor authentication, including:

  • Google
  • Facebook
  • Instagram
  • Amazon
  • PayPal
  • Dropbox
  • Twitter
  • LinkedIn

Offering two factor login has become a standard expectation among security-conscious users.

Evolution of 2FA: future security standards

Two-factor authentication (2FA) has evolved significantly in recent years, adapting to the need for increasingly advanced protections against cyber threats.

Today, 2FA is moving beyond simply entering a password followed by an OTP code: new technologies are reshaping the very concept of two factor authentication.

Advanced authentication methods

1. Biometric authentication
Biometric technologies are becoming mainstream. Today, many smartphones and laptops support:

  • Fingerprint scanners (e.g., Apple’s Touch ID, Android fingerprint readers)
  • Facial recognition (e.g., Face ID)
  • Iris recognition (less common but highly secure)

On consumer devices the biometric is checked locally and never leaves the device; it unlocks the possession factor (the phone or laptop and the keys stored in it) rather than being sent to the service. This makes the factor hard to steal remotely without sacrificing convenience, while leaving the device itself, and its fallback PIN or passcode, as the thing that must be protected.

2. Physical smartcards
Smartcards are used in corporate and institutional environments to authenticate users.
They work by inserting the card into a dedicated reader or tapping it on an NFC device, combining the physical possession of a secure object with stored credentials.

3. Intelligent push notifications
Many services now send push notifications to mobile devices, asking users to approve login attempts with a simple tap.

Example
When you try to log in, you receive a smartphone notification asking, “Are you trying to sign in?” with options “Yes” or “No.”
This method simplifies the user experience, but a plain yes/no approval is not phishing-resistant: an attacker who already has the password can trigger the prompt themselves and rely on the user tapping “Yes” out of habit, or flood the user with prompts until one is approved (“push bombing”, also called MFA fatigue). Number matching, where the login screen shows a number that must be typed into the app, is the usual mitigation, because only someone looking at the genuine login screen knows the number.

Moving toward a passwordless future: FIDO2 and WebAuthn

FIDO2 and WebAuthn are standards leading the evolution of 2FA:

  • FIDO2 is the combination of two specifications: WebAuthn, from the W3C, and CTAP (Client to Authenticator Protocol), from the FIDO Alliance, whose members include Google, Microsoft and Mozilla. Together they let users authenticate with a public-key credential held on a security key or in the device’s built-in authenticator (unlocked by a PIN or biometric), with no password sent to the server.
  • WebAuthn is the standardised browser API (navigator.credentials) through which a website asks the authenticator to create a credential or sign a login challenge; CTAP is the protocol between the browser and an external key over USB, NFC or Bluetooth.

Practical example
With FIDO2 active, to log into a compatible website, you just plug in your security key or confirm via facial recognition—no password entry needed.
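The following Python is an added example written for this article (not code from any FIDO2 library or from the standards themselves) showing, from the relying party’s side, why FIDO2/WebAuthn defeats the phishing that OTPs cannot, as described here and in the earlier section on USB tokens. It builds the clientDataJSON and authenticatorData structures that the browser and the authenticator would produce, then runs the checks a server performs before verifying the signature: the ceremony type, the challenge it issued, the origin the browser recorded, the hash of the relying party ID, the user-presence flag and the signature counter. The relying party ID “example.com”, the origin, the challenge and the counter values are assumptions for the example; the final step, verifying the credential’s signature over the returned signed data with the public key stored at registration, is not shown.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                       # assumed relying party ID
ALLOWED_ORIGINS = {"https://example.com"}   # origins this relying party accepts

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the authenticator


def b64url_decode(text):
    """Decode base64url as WebAuthn uses it (without padding)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authenticator_data(rp_id, flags, sign_count):
    """Constructed authenticatorData in the layout an authenticator emits for
    an assertion: SHA-256(rpId) || flags (1 byte) || signCount (4 bytes, BE)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def build_client_data(origin, challenge):
    """Constructed clientDataJSON. In reality the browser writes this, and the
    web page's JavaScript cannot change the origin it records."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def check_assertion(client_data_json, authenticator_data, expected_challenge,
                    last_sign_count, require_uv=False):
    """Relying-party checks that need no public key. Returns (ok, reason, signed):
    'signed' is the byte string the credential's signature must verify over."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", None
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    # The challenge is random per login and single-use: this blocks replay.
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed)", None
    # The origin is recorded by the browser: a look-alike domain shows up here.
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin mismatch (phishing site)", None
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", None
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    # The authenticator scoped the credential to this rpId when it was created.
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch", None
    if not flags & FLAG_UP:
        return False, "user presence not asserted", None
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed", None
    # A counter that stops increasing suggests a cloned authenticator.
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (cloned key?)", None
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed


if __name__ == "__main__":
    challenge = b"constructed-32-byte-challenge!!!"  # a server uses os.urandom(32)
    auth_data = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    genuine = build_client_data("https://example.com", challenge)
    phished = build_client_data("https://examp1e.com", challenge)
    print("genuine:", check_assertion(genuine, auth_data, challenge, 41)[:2])
    print("phished:", check_assertion(phished, auth_data, challenge, 41)[:2])
```

A phishing page at a look-alike domain fails twice. First, the browser refuses to use a credential whose rpId is not a registrable suffix of the page’s own origin, so the attacker cannot even obtain an assertion for example.com. Second, even if one were obtained, the origin inside clientDataJSON, which the page cannot alter, would not match, and because that JSON is part of what the key signed, the signature would not verify over the data the genuine server expects. Neither property exists for a six-digit code that the user can be talked into typing anywhere.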

Solutions to best protect all credentials

While two-factor authentication is essential, securely managing your passwords is equally important. Several excellent tools can help you protect your credentials.

NordPass: a feature-rich password manager

NordPass allows you to store passwords, credit cards, and secure notes in one place. It supports biometric authentication and offers advanced features like data breach scanning.

NordLocker: securing passwords with encryption

NordLocker enables you to encrypt sensitive files both in the cloud and locally, protecting your data even if your device is compromised. It’s particularly useful for securely storing authentication information.

1Password: safeguarding your digital keys

1Password is one of the best-known password managers. It integrates with major browsers, can store and generate TOTP codes, and offers a travel mode to hide selected vaults when crossing borders. Storing a site’s TOTP secret in the same vault as its password is convenient, but it means a compromise of the vault yields both factors at once; for high-value accounts keep the second factor on a separate device or a hardware key.

Two-factor authentication: NIST recommendations

NIST’s Digital Identity Guidelines (SP 800-63B) recommend multi-factor authentication, classify out-of-band codes sent over the public telephone network (SMS or voice) as a “restricted” authenticator type that organisations should move away from, and favour phishing-resistant authenticators such as FIDO2 security keys, with authenticator apps as an intermediate option. Reducing phishing risk and protecting user privacy are the stated priorities.

Strong Customer Authentication (SCA) in the banking world

In the financial sector, Strong Customer Authentication (SCA) became mandatory in the European Union under the PSD2 directive. It requires at least two independent factors among:

  • Knowledge (something only the user knows)
  • Possession (something only the user has)
  • Inherence (something that identifies the user, e.g., biometrics)

Banks and payment services must implement strong two factor authentication to protect customers during account access and online transactions.


Questions and answers

  1. What is two-factor authentication?
    It’s a security system requiring two separate elements to verify a user’s identity.
  2. When should I activate two-factor authentication?
    Always, especially on email, social networks, banking, and cloud services.
  3. What’s the safest method for the second factor?
    Using hardware tokens like USB security keys based on FIDO2 standards.
  4. Is receiving OTPs via SMS safe?
    It is the weakest option, vulnerable to SIM swapping and real-time phishing. Prefer an authenticator app or a security key.
  5. Which apps are recommended for generating OTPs?
    Google Authenticator, Authy, and Microsoft Authenticator.
  6. What happens if I lose my USB token?
    Use the recovery method you set up in advance: most services let you register a second key and generate backup codes, so create them before you need them.
  7. What does Strong Customer Authentication (SCA) mean?
    It mandates at least two authentication elements for online payments in Europe.
  8. Can I use 2FA on Instagram?
    Yes, Instagram supports two-factor authentication via app or SMS.
  9. What are the best password managers?
    NordPass and 1Password are among the best-known password managers; NordLocker is an encrypted file vault that complements them.
  10. Does two-factor authentication eliminate all risks?
    No, but it dramatically reduces them when combined with good security practices.