Two-factor authentication (2FA): What it is and how it works

Two-factor authentication is a widely used security control that protects accounts against unauthorized logins. After the user submits their credentials, it requires a second proof of identity, so an attacker who holds only the password is still locked out. Let’s look at how two-factor authentication works, which methods it uses to keep your accounts safe, and what other measures you can take to protect your sensitive information online.


Kamilė Vieželytė

December 2, 2025


Key takeaways

  • Two-factor authentication (2FA) strengthens account security by adding a second verification factor after the password.
  • It uses knowledge (what you know), possession (what you have), or inherent (what you are) factors to verify identity.
  • Common 2FA methods include authenticator apps, hardware tokens, SMS or email codes, and biometric verification.
  • Two-factor authentication raises account security, lowers breach risk, helps meet regulatory requirements, and builds user trust.
  • Although 2FA is generally considered safe, it can still be defeated by phishing, SIM swapping, and theft of physical tokens. Phishing-resistant methods such as security keys and passkeys close the largest of these gaps.

What is two-factor authentication (2FA)?

Two-factor authentication, or 2FA for short, is a security method that requires users to verify their identity with additional proof aside from a regular password. It’s most commonly used during login procedures. However, identity authentication can also be switched on for other verification purposes, like confirming a financial transaction or signing a digital document.

Most online accounts still accept single-factor authentication (SFA) as the minimum for a login, and the password is usually that single factor. SFA is a relatively weak authentication method: if the password is phished, guessed, or exposed in a data breach, whoever holds it can take over the account and everything stored in it.

2FA takes account security up a notch. It requires two separate proofs of identity drawn from different categories, for example something you know (a password) and something you have (a phone or security key). This protects access to personal information such as user accounts, financial records, and other sensitive data. 2FA can also be completely passwordless, combining a device you possess with a biometric or PIN that unlocks it instead of a password.

Although the term “two-factor authentication” is often used interchangeably with multi-factor authentication (MFA), the two are distinct. MFA combines two or more factors; for instance, a user may need to provide a password, a one-time code, and a hardware token. Two-factor authentication is one MFA configuration, requiring exactly two. Note that two proofs from the same category, such as a password plus a security question, are both knowledge factors and do not count as 2FA: stealing one usually means stealing the other.

What authentication factors does 2FA use?

When you log in to an account, you have to pass one or more authentication factors, the checks that establish that the attempt is legitimate before access is granted. In 2FA the two factors should come from different categories, so that compromising one (say, a password leaked in a breach) gives the attacker no head start on the other.

The three most common factors are:

  • Knowledge, or proof of what you know. Knowledge factors are typically the first step of authentication, with passwords being the most common. Other knowledge factors include passphrases (longer secrets made up of several words) and PIN codes. By entering the secret, the user proves that they know it.
  • Possession, or proof of what you have. Possession factors usually act as the second step. They come in two flavors: hardware and software. Security keys and token fobs are hardware-based, while authenticator apps are software-based. One-time codes delivered by text message or email are usually treated as a possession factor too, but a weaker one, because they prove control of a phone number or mailbox rather than of a specific device; NIST SP 800-63B classifies SMS delivery as a restricted authenticator for this reason.
  • Inherence, or proof of what you are. Inherence factors cover biometrics: fingerprint and face recognition, voice recognition, and iris or retina scans. On modern devices the biometric usually unlocks a locally stored key rather than being sent to the service, and it can replace the knowledge factor as the first step of passwordless authentication.

How does two-factor authentication work?

Two-factor authentication is prompted once you pass the first step of the login, usually by entering the correct credentials or by arriving through single sign-on (SSO). You are then redirected to a verification screen.

What happens next depends on the method. For SMS or email codes, the server generates a code, stores it briefly, and sends it to you. For an authenticator app, nothing is sent: the app and the server share a secret from enrollment, and both compute the same code from that secret and the current time. For a push prompt, the server sends an approval request to your registered phone. For a security key or passkey, the server sends a random challenge and your device signs it with a private key the server never sees. In every case the server compares what it receives with what it expects, and only a match completes the login.

For security purposes, one-time codes are short-lived. This alone does not stop brute-force guessing (a six-digit code has only a million possibilities), so services also rate-limit and lock out after a few wrong attempts, and they reject a code that has already been used. Codes come in two standardized forms. Time-based one-time passwords (TOTP, RFC 6238) are derived from the shared secret and the current time window, usually 30 seconds; the window length is chosen by the service at enrollment, not by the user. HMAC-based one-time passwords (HOTP, RFC 4226) are derived from the shared secret and a counter that advances each time a code is generated, so a new code appears only when you request one, and each code stays valid until it is used or skipped.

Types of two-factor authentication

Two-factor authentication can be implemented with different mechanisms and in different combinations. Some are apps that generate codes on your phone. Others require a physical device that approves login attempts.

People usually opt for one of four common 2FA types: authenticator apps, hardware tokens, text messages, and biometric verification. The methods are not equally strong. A code that you type can be phished, whereas a security key or passkey response cannot be relayed to a look-alike site, so where a service offers them they are the better choice. In practice, the method most people use comes down to what the service supports and personal preference.

Authenticator apps

Authenticator apps verify a possession factor. They generate time-based one-time passwords (TOTPs) for every account you protect with two-factor authentication.

Authenticator apps like Google Authenticator or Microsoft Authenticator are easy to set up. The website or app you want to protect shows a QR code; scanning it with the authenticator imports the shared secret (an otpauth:// URI) into the app, which then starts generating six-digit codes, typically a new one every 30 seconds. Treat that QR code and its text fallback like a password: anyone who copies it can generate your codes.

Some authenticator apps also support push notifications, so you approve a login with a tap instead of typing a code. Push is convenient, but an attacker who already has your password can send approval requests repeatedly in the hope that you tap Approve by mistake, which is why many services now show a number on screen that you must match on the phone. Never approve a prompt for a login you did not start.

Hardware tokens

Hardware tokens are one of the oldest types of authentication device and are commonly used by businesses to protect employee and shared accounts. The term covers a few different things: OTP key fobs that display a new code periodically, smart cards that hold a certificate, and USB or NFC security keys (FIDO2/U2F) that answer a cryptographic challenge from the service.

With an OTP fob you read the code off the display and type it in. With a security key you plug it in or tap it against your phone and touch it; the key signs the challenge itself, so there is no code to copy.

Hardware tokens have their own trade-offs. You must have the token with you to log in, whereas an authenticator app can often be synchronized to a new phone. A lost or stolen token is a physical security risk, so enroll a backup key or keep recovery codes. On the other hand, a security key is the strongest phishing-resistant method available: the signed response is bound to the real website’s domain, so it cannot be relayed to a look-alike site. Modern keys work with phones too, over NFC or USB-C.

Emails, texts, and voice messages

One-time codes can be generated without the use of an authenticator app. Some websites and apps can send a one-time code directly to the user when they detect a new login attempt. These can usually be shared via email, text message, or a voice call.

Both email and SMS passcodes work the same way. Once you receive the message, you have a limited time, typically a few minutes and sometimes up to 24 hours, to enter the code and verify your login attempt. Anyone who can read your mailbox or receive your text messages can read the code too, which is why this is the weakest of the common 2FA options.

Voice messages use pre-recorded audio to dictate the numbers of the randomly generated authentication code, typically repeating it twice. Voice message authentication can be an accessible security feature for users who are visually impaired.

Biometric authentication

Biometric authentication is an increasingly popular 2FA method that uses a physical characteristic to verify a login. Instead of a temporary code or a separate device, it relies on something you are.

After you submit your username and password, biometric authentication asks you to verify your identity, usually with a fingerprint, face, or voice scan. Some methods, such as retina scans or DNA matching, are far more invasive and are used only in rare, high-security settings.

Biometric authentication raises privacy concerns because it is tied directly to your identity and cannot be changed if it leaks. In practice, phone and laptop biometrics are matched locally on the device and only unlock a stored key, so the service never receives your fingerprint or face. Other caveats: an injury can temporarily make a fingerprint or face unrecognizable, identical twins have anecdotally unlocked each other’s devices, and AI-generated voice clones endanger accounts protected by voice recognition.

Examples of two-factor authentication

Although passwords are often the first step of two-factor authentication, users can use different combinations of factors to protect their accounts.

  • Password + SMS or email code. After submitting your password, you receive a text message or an email with a verification code.
  • Password + authenticator app. Once you provide your password, your authentication app generates a new code or sends a push notification to verify the login.
  • Password + hardware security key. After entering the password, you plug the key into your device or tap it against your phone and touch it to approve the login.
  • Password + biometrics. Use your chosen biometric authentication method to verify your login attempt.
  • PIN + hardware security key. Enter your set PIN code and verify it with the security token. 
  • PIN + biometrics. Enter the PIN code and verify it with your preferred biometric method.
  • Biometrics + authenticator app. Use biometric authentication to initiate the login attempt and verify it with the authentication code.

Is 2FA safe to use?

Two-factor authentication is generally safe to use. However, over the years, cybercriminals have developed various tactics to get around it and breach accounts that have more than one protective measure.

Older OTP fobs were designed with desktop logins in mind and show a code you must type, which can be phished like any other code. Losing any token is a risk. An authenticator app can be locked behind the phone’s screen lock, but an OTP fob works for whoever holds it, and a security key without a PIN or fingerprint requires only a touch. Pair a security key with a PIN and keep a registered backup.

Because code-based 2FA can be phished, the industry has been moving to passkey authentication, a login method built on public-key cryptography with a biometric or device PIN as the local unlock.

Passkeys let you skip the password entirely while still giving the account two factors: possession of the device holding the key and the biometric or PIN that unlocks it. When a passkey is created, the device generates a key pair. The public key is stored on the website’s server, while the private key never leaves your device (or your synced password manager). At login the server sends a random challenge; your device signs it, together with the website’s domain, using the private key, and the server verifies the signature with the stored public key. A signature produced for a look-alike domain will not verify for the real one, and an old signature cannot be replayed because each challenge is fresh, so passkeys resist the phishing that defeats one-time codes.

Benefits of 2FA

Two-factor authentication offers reliable protection against breaches for user accounts. Although the different 2FA methods are not foolproof, they are nonetheless harder to breach than single-factor password authentication and can efficiently help protect your personal information.

  • Heightened account security. Two-factor authentication adds extra protection to accounts by requiring additional information alongside regular login credentials.
  • Lower risk of data breaches. The second authentication layer makes it harder for cybercriminals to breach accounts and commit identity theft.
  • Protection for sensitive information. 2FA can be enabled on accounts that grant access to sensitive data, like cloud storage, medical records, or financial information.
  • Deters cybercriminals. Executing successful 2FA code theft is complex, and cybercriminals are less likely to go after accounts with additional authentication.
  • Regulatory compliance. Guidance such as NIST SP 800-63B and standards such as PCI DSS expect organizations to enforce MFA for employee and privileged accounts, increasingly with phishing-resistant methods.
  • User trust. Users are more likely to feel secure when they know their accounts are guarded with extra security measures.
  • Remote and hybrid work security. 2FA lets remote employees securely access their work accounts anywhere in the world, as long as they have their preferred authentication device with them.

Limitations of 2FA

Despite the security advantages, two-factor authentication still has downsides that might make it inconvenient for some users.

  • Vulnerabilities. Code-based two-factor authentication can be defeated by real-time phishing and SIM swapping, so even a careful user can still lose an account.
  • Inconvenience. 2FA slows down the login process. If you need to quickly access an account, having to locate the code can be inconvenient, especially if it’s nearing its reset time.
  • Dependence on devices. If you have two-factor authentication on, you must have access to your authentication device at all times. If you forget your phone with the authenticator app or the hardware token, you’re essentially locked out.
  • Not universally supported. Not all platforms offer the same authentication methods, and not all devices might support your preferred one. This can force some users into using a combination of authentication methods, which can be inconvenient when managing many different accounts.
  • Expensive. Hardware-based authentication methods that companies use can be expensive to procure and replace in case users lose them.
  • Not user-friendly. Setting up two-factor authentication can be confusing for less tech-savvy users. They may opt for more vulnerable methods like SMS authentication, which they find more convenient, or skip it altogether to log in quicker.

Can two-factor authentication be hacked?

Yes. Two-factor authentication raises the bar considerably, but it can still be hacked. One-time codes look secure because they are short-lived and unpredictable, but phishing kits are built specifically to capture them while they are still valid.

Cybercriminals build phishing websites where users submit their login credentials and are then forwarded to a fake 2FA page. The user enters the real code from their app as usual, and the criminals immediately use it, together with the credentials they have just captured, to log in to the genuine site. The user sees that the code “didn’t work” and generates a new one, which the criminals also capture in case the previous code has expired. This works because a typed code carries no information about which site it was typed into. A security key or passkey response is bound to the real site’s domain, which is why those methods survive this attack.

SMS-based authentication has its own weakness: the code goes to a phone number, not a device. In a SIM-swapping attack, the criminal persuades or bribes the phone carrier to move your number to a SIM they control. If they already have your login credentials, the authentication code is delivered to them, and your account is taken over without your knowledge. For this reason SMS is considered the weakest 2FA method, and it’s generally advisable to use an authenticator app, a security key, or a passkey instead. If SMS is the only option a service offers, it is still better than nothing.

Keep in mind that even with these risks, an account protected with 2FA is still more secure than an account without it. 2FA scams are more complex and not as widely spread as attacks targeting passwords directly. If you suspect that your chosen authentication method might be vulnerable, the platforms you use might allow you to change it to a different one.

How to turn two-factor authentication on and off

You can usually manage your two-factor authentication in the settings of any account or app where you want to use extra protection. The steps may vary depending on the account. However, two-factor authentication is usually located under privacy or security settings.

Once you locate the setting, you can switch it on and select your preferred authentication method. That may be using a one-time code, biometric authentication, an external device, or setting up a passkey. If you want to use a one-time code, you will usually need to download an additional authenticator app that will generate these codes automatically.

If you decide that you want to stop using 2FA, you can turn it off under the same settings. In some instances, you may be asked to enter your password or authentication code to confirm this decision. This is done as a security measure to prevent cybercriminals from meddling with the settings without your authorization.

Additional ways to improve your online security

In addition to using two-factor authentication to secure access to your accounts, you can take other measures to protect your personal information online:

  • Use strong and unique passwords. Give every account its own long password and store them in a password manager. Length and uniqueness matter more than mixing character classes, and a manager also refuses to fill your password on a look-alike domain.
  • Use passkeys when you can. Consider using passwordless authentication for accounts that support it. Passkeys provide a higher level of security than regular passwords.
  • Keep your personal information in encrypted storage. Use encrypted storage to secure access to personal data and avoid unexpected breaches.
  • Update your software regularly. Ensure you install security patches that fix system vulnerabilities to prevent cybercriminals from exploiting them.
  • Keep backups of your personal files. In case your sensitive data is compromised, having a backup helps you restore access more quickly.
  • Only use secure Wi-Fi networks. Use a VPN when you connect to open Wi-Fi networks in public spaces like cafes to secure your network traffic.
  • Scan your device for viruses. Check your device for malware you may have accidentally downloaded and overlooked.
  • Limit what you share online. Do not reveal unnecessary information on public platforms — including which authentication method you use.
  • Get identity theft protection. Prioritize the safety of your personal information with identity theft protection. NordProtect provides dark web and credit monitoring, keeping you in the loop about data breaches and online fraud. You can also secure your NordProtect account with multi-factor authentication, ensuring only you can access information about your personal accounts.
  • Switch on security alerts. Stay informed about cyber incidents by setting up security alerts and notifications on your device. 
Background confetti decoration

A deal to celebrate!

Up to 71% off on identity theft protection with fraud insurance

30-day money-back guarantee

View promotion details.

FAQ

Does two-factor authentication prevent hacking?

No, two-factor authentication doesn’t prevent hacking outright. However, it raises account security by requiring cybercriminals to complete an additional verification even after they obtain the password. Unless they can also obtain the second factor, whether a one-time code, a hardware key, or a biometric unlock, a compromised password alone is not enough. Guessing a one-time code is impractical when the service rate-limits attempts and the code expires within a short window.

What is the difference between two-factor and multi-factor authentication?

Two-factor authentication is a type of multi-factor authentication. MFA requires users to present two or more factors from different categories to log in to an account or access sensitive data. 2FA is the case where exactly two factors are required.

How does two-factor authentication work with single sign-on (SSO)?

SSO lets users log in once to an identity provider, which then vouches for them to other applications, so they do not maintain separate passwords for each one. Two-factor authentication is set up on that identity provider account, and the provider prompts for it when the user signs in. Instead of enrolling a separate second factor for every application, the user verifies their identity once with the central method. For instance, if they use a Google account for SSO, Google prompts for the one-time code or security key, and every service they reach through Google benefits from that check. Because the identity provider account now guards everything behind it, it deserves the strongest method available.

How can I disable two-factor authentication?

You can usually disable two-factor authentication by logging into an account and accessing its security settings. There, you can find an option to turn off two-factor authentication. Note that, depending on the service provider, you may be required to provide verification, like your password, to confirm this change because it directly impacts your account security.
Kamilė Vieželytė

Kamilė is curious about all things compliance. She finds the prospect of untangling the complicated web of cybersecurity legislation satisfying and aims to make the nuances of identity theft prevention approachable to all.