Two-factor authentication

Two-factor authentication is also referred to as 2FA or two-step verification (2SV). It offers additional protection for your accounts. The idea is that in order to access an account you have to provide your password and also some other evidence to prove who you are. This other evidence could be a code that is sent to your phone, a code that you generate using your phone or other device, or a simple prompt that you accept on your phone.

What’s wrong with passwords?

The problem with relying on just a password - even a strong password - to protect your account is that if it is ever found out by someone else, they can log in to your account and access everything you can. If you’ve used the same password for other accounts, they can potentially access those as well.

People could obtain your password in several ways. For example, it could be guessed, phished, leaked in a data breach, or captured by malicious software.

How does two-factor authentication work?

When you have two-factor authentication set up on an account you will first be required to enter your username/email address and password as normal. You will then need to complete an additional authentication step in order to access the account. 

This means that even if someone has managed to get hold of your password they still cannot log in to your account without the additional security step.

What two-factor authentication methods are there?

There are several different methods that can be used for two-factor authentication. The ones that are available to you will depend on which service you’re using. 

Many services will allow you to register more than one method with your account. This is worth considering in case you’re ever in a situation where your primary method of two-factor authentication is not possible (eg if your mobile phone doesn’t have any mobile network reception).

Commonly used methods include:

Authenticator app on your smartphone

An app on your smartphone generates a short code (which changes every 30 seconds). You input the latest code to log in. Your phone doesn’t need to have any sort of network connection in order to generate the codes.

Prompt received on your smartphone

An app on your smartphone will alert you that somebody is trying to log in to your account. This then enables you to allow or deny the login. Your phone will need to have internet access (mobile network or wifi) in order to receive the prompt.

Hardware security key

A small physical device (which often looks like a USB stick) that you must connect to your device (usually via USB, NFC or Bluetooth) in order to log in. They are small enough that they can be conveniently carried on a keychain.

Text message (SMS)

A short code is sent to your registered phone number. You then input the code into the website in order to log in. Your mobile phone would need to have mobile network reception in order to receive the text message.

Automated phone call

An automated phone call is made to your registered number to provide you with a short code. You then input the code into the website in order to log in. Your mobile phone would need to have mobile network reception in order to receive the call.
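
How an authenticator app can produce its codes without any network connection, shown as an added example that is not part of the original page. It assumes the app follows the TOTP standard (RFC 6238) with HMAC-SHA1, 6 digits and the 30-second step described above; the secret is the RFC's published test value, and `verify` with its `drift_steps` parameter is a hypothetical server-side helper.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, matching the 30-second change described above
DIGITS = 6   # assumed code length; the page only says "short code"

# Constructed sample: the published RFC 6238 test secret, never a real one.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Derive the code for the time step that contains unix_time (RFC 6238)."""
    counter = unix_time // step                  # constant for a whole step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Hypothetical server-side check: accept the current step plus
    drift_steps on either side to tolerate clock skew."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + d * STEP)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    for t in (30, 59, 60):
        print(t, totp(SECRET, t))                # 30 and 59 share one code
    print(verify(SECRET, "081804", 1111111109, drift_steps=0))
```

Both sides need only the shared secret and a roughly correct clock, which is why the phone can be offline when it generates a code.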

Can I use two-factor authentication with my University account?

Two-factor authentication is available for all Google accounts. Google refer to it as “2-step verification”. For more information, including details on how to enable it, see:

Enabling 2-step verification on your University Google account also ensures that you will not encounter login challenges when signing into your account:

We will begin piloting two-factor authentication for other University systems in January 2020.

Can I use two-factor authentication with my other accounts?

It depends on the service. Many do offer two-factor authentication options but you will need to read their documentation to find out what methods they offer and how to enable it.

The website TwoFactorAuth.org provides a searchable list of many popular websites with details of their two-factor authentication options.