Two Factor Authentication: How does it work & why do we need it

Two factor authentication - How and Why

More and more often hackers target major online services, web shops and email providers. The latest big target for hackers was the website for cheaters; "Ashley Madison".

So is only a login and password still adequate? Can we still trust that familiar way of security? With two factor authentication you can add an extra layer of security to your data. In this article I show you what two factor authentication is, how it works and why we need it.

What is Two Factor Authentication?

Two Factor Authentication, 2FA or TFA is a better way to protect your online accounts. Besides entering the password into your account you also have to enter an additional code that you generate through a personal device.
TFA is an authentication process in which two out of three factors mentioned below are necessary to recognize you as a valid user.
  • Something you know - This is your password, PIN, passphrase or a similar code.
  • Something you have - Something like a smart card, a pass or other hardware
  • Something you "are" - This is for example your fingerprint, your iris pattern, voice recognition or your heartbeat.

TFA is working when two out of three are used correctly.

An example from everyday life:

If you're going to withdraw money you need two things: A debit card and your PIN. Your debit card is something you have, your PIN is something that you know. With this combination you get access to your bank account. If someone has your card, but he or she doesn’t know the correct PIN, then it stops right there. The other way around is identical, while there is a list online of all PINs, but having no corresponding debit card will not get you far.

More and more web services uses Two Factor Authentication in order to secure access. They use an SMS verification code or a smartphone app to generate the additional code that you must enter. The most used app is Google Authenticator, others are AlterEgo and Authie. Although it’s more common for businesses to use SMS.

How does this (Two Factor) Authentication work?

The good news is that you can set up TFA fairly quick and it works very much the same way at each different service. The bad news is that you have to set it up yourself and sometimes you have to look closely where you can configure the settings.
TFA works according to the same principle on almost every website: After typing your login name and password you need to enter an additional code or text that you receive via SMS or an additional app like Authenticator. Only after 
entering this extra code you get access to the secure part of the site. If a website is offering TFA, you'll often need to activate it yourself.

Cybersecurity expert advises Two Factor Authentication

CM had a very interesting interview about security with Kimo Quaintance (Lecturer Cyberpower & National Security) @ Mobile Convention Brussels 27-11-2014. 

Are you already using 2FA?

Not every major service offers two factor authentication, but I suspect seeing a lot more of TFA since hacks and bugs get so much attention.
I think 2FA is a prelude to a new way of identification and authentication for online services. Ultimately, this will not happen with codes, but with biometric services such as your pulse or the iris of your eye. Until then 2FA is a great way to protect you.
Note: 2FA gives you better security but it is still not 100% secure. Researchers already hacked the security of Dropbox and already know how to get around it. And if you're already using 2FA, it is still wise to generate the codes again because bugs like Heartbleed could have affected your Two Factor Authentication codes.
So stay alert to changes in your accounts!


Free trial available

Enjoyed this article? Please share the news!

About the author

Rob Aelberts

Connect with Rob on