Two-factor authentication

When you use two-factor authentication (2FA for short), anyone trying to get into your account has to get through two layers of protection, instead of just the single layer of your password.

Two-factor authentication is one of the most important steps (after using a password manager) that you can take to improve your security online. Many attacks these days come from breaches of password databases; by having a second factor instead of something easily copied like a password, you can make it much harder for an attacker to get into your account.

A drawing of a security key on a keychain, with a teapot spout behind it.

Using a hardware security key also provides you with incredibly strong protection against phishing. Your browser communicates the website's name to your security key, which responds with an answer specific to that website. If you're accidentally visiting a phishing site instead of the real site you wanted, the security key won't even be able to compute the right answer - meaning the phishing site can't relay it to log into the real site. Security keys with this protection are standardized by a group called "FIDO" and are usually advertised as such. You may also see references to the current FIDO protocols "WebAuthn" and "CTAP" or the older but still secure protocol "U2F".
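As an added example (not part of the original page or of any FIDO specification), here is a toy Python model of the origin binding described above: the browser, not the web page, names the site, the key's answer is bound to that name, and the real site rejects an answer that was produced for a look-alike domain, even if the attacker edits the relayed message. The domains are constructed, and a keyed HMAC stands in for the ECDSA signature a real key would produce.

```python
import hashlib
import hmac
import json
import secrets

# Toy model of the FIDO/WebAuthn login flow. The message layout follows the real
# protocol (authenticatorData = sha256(rpId) || flags || counter, signed together with
# sha256(clientDataJSON)); the HMAC-based "signature" and the shared key are simplifications.
class SecurityKey:
    def __init__(self):
        self.master = secrets.token_bytes(32)  # constructed device secret
        self.counter = 0

    def register(self, rp_id: str) -> bytes:
        # Real keys hand the site a public key; here the site stores a per-site HMAC key.
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> dict:
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + self.counter.to_bytes(4, "big")
        sig = hmac.new(self.register(rp_id), auth_data + client_data_hash, hashlib.sha256).digest()
        return {"authData": auth_data, "signature": sig}

def browser_login(key: SecurityKey, origin: str, challenge: bytes) -> dict:
    """The browser, not the web page, fills in the origin and derives the RP ID from it."""
    rp_id = origin.removeprefix("https://")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}, sort_keys=True)
    assertion = key.get_assertion(rp_id, hashlib.sha256(client_data.encode()).digest())
    assertion["clientDataJSON"] = client_data
    return assertion

def server_verify(stored_key: bytes, rp_id: str, challenge: bytes, assertion: dict) -> bool:
    """Relying-party check: origin, challenge and RP ID hash first, then the signature."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data["origin"] != f"https://{rp_id}" or client_data["challenge"] != challenge.hex():
        return False
    if assertion["authData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    client_data_hash = hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
    expected = hmac.new(stored_key, assertion["authData"] + client_data_hash, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def phishing_demo() -> tuple:
    key = SecurityKey()
    stored = key.register("example.com")      # enrolment with the real site (constructed domain)
    challenge = secrets.token_bytes(16)       # login challenge issued by example.com
    genuine = server_verify(stored, "example.com", challenge, browser_login(key, "https://example.com", challenge))
    relayed = browser_login(key, "https://examp1e.com", challenge)  # look-alike site relays the same challenge
    forged = dict(relayed, clientDataJSON=relayed["clientDataJSON"].replace("examp1e", "example"))
    return genuine, server_verify(stored, "example.com", challenge, relayed), server_verify(stored, "example.com", challenge, forged)
```

The relayed answer fails because its recorded origin is wrong; the edited one still fails because the RP ID hash inside the signed data names the look-alike site and the key used was derived for that site.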

Security keys are relatively cheap, but it's another thing to carry on your keychain. Another option is to install an authenticator app on your phone - this is nearly as secure but does not protect you against phishing. Weaker options include email and SMS, which are better than not using 2FA at all but not very secure.

For more on 2FA, including the differences between the various 2FA methods, check out the following resources on our site:

  • Our two-factor authentication zine is a detailed overview you can print out on three sheets of paper and give to all your friends.
  • Our episode "Two-factor authentication and account recovery" (June 12, 2018) goes into detail about the meaning of "factor," different methods, and how to minimize the risk of getting locked out of your accounts. The show notes go into detail about a few popular services and suggest various 2FA applications and devices.
  • Our episode "Two-factor tidying" (May 16, 2019) discusses how to stay on top of the wide variety of two-factor methods available for your accounts and provides tips for keeping track of your second factors with your password manager.
  • Our September 2018 security stories episode covers some of our own experiences with 2FA and recovery. In particular, if you're getting a YubiKey Nano, see that episode's show notes for tips on how to prevent it from accidentally typing one-time passwords all the time.

You can also subscribe to Loose Leaf Security episodes in your favorite podcast app.

We also recommend the following external resources:

  • twofactorauth.org is a crowd-sourced list of websites, which two-factor auth mechanisms they support, and where their documentation is.
  • Facebook security engineer Brad Hill maintains reviews of several U2F devices, originally based on reviews from Google security engineer Adam Langley. If you're trying to decide what security key to buy, this is a great resource, and there are multiple security keys under $15 with good reviews.