How it works
Two-factor authentication is generally carried out by typing in a four or six-numeral code sent to you by text message or email, or generated by a mobile app, or increasingly, by a face or fingerprint (biometric) scan. Security can be further increased by the application of multi-factor authentication (MFA) which typically combines entering a code and having a biometric scan. In some cases, it is carried out by plugging in a security key (a special kind of USB stick) or generating a code on a hand-held keypad supplied by your bank or other organisation.
Why it is necessary
There are a number of reasons why two or multi-factor authentication has become increasingly necessary, all based on password security. If a criminal gains access to your login details (combination of username or email address and password), they have free rein to gain access to any of your online accounts to steal your money or commit identity theft. They obtain these login details in three main ways:
- Deception (or ‘social engineering’): tricking or manipulating you into revealing your login details by impersonating your bank or other trusted organisation in fraudulent emails, phone calls, texts and direct messages.
- Hacking: using details stolen in data breaches. If your data is held insecurely by the company or website that is breached, they can gain access to your details. If you use the same login details for more than one account or website, they can use the same login details to access all of the others.
- Guessing/cracking: Many people use the names of family members, pets or sports teams as all of part of their passwords. Aware of this, criminals use social media, sometimes combined with other elements gleaned from your online presence, to guess your password. Many also use sophisticated software to crack your passwords in a matter of seconds.
If someone has obtained your passwords in any of these ways, it is unlikely they will be able to gain access to your accounts unless they have unlocked access to the device to which the authentication code has been sent. If the authentication factor is biometric, they would need to be able to scan your face or fingerprint on the device registered on your account.
It is also possible for a criminal to overcome two-factor authentication by carrying out a SIM-swapping attack, where they impersonate you to convince your mobile network to provide them with a SIM in your name – and with your mobile number – to enable them to obtain our two-factor authentication codes. No security is infallible, setting up two-factor authentication on an online account will certainly help to prevent unauthorised access.
- Always choose greater protection by agreeing to two-factor or multi-factor authentication when it is offered.
- Never use the same password for more than one online account or website.
- Read Get Safe Online’s advice on this website on choosing and using passwords safely.
- Protect your mobile devices from theft or loss, as they can both contain and provide easy access to a great deal of confidential information, including authentication messages.