Why do we need two-factor authentication (2FA)?

Weak and/or stolen passwords are one of the biggest cybersecurity risks. In 2024, nearly half of surveyed Americans reported having their password compromised during the preceding year, with over three-quarters having personal information stolen from hacked accounts.

It’s not just our information that’s at risk. If hackers manage to hijack our online accounts and apps, they could also transfer funds, make fraudulent purchases, or even run up credit in our name. Securing the log-in process is therefore vital to keeping our digital identity and finances safe.

What is 2FA?

Two-factor authentication (2FA) helps to enhance password-based security by demanding two different types of identification before granting access to an online account, app, or device. In practice, this is usually:

  • Something you know like a password or PIN, and...
  • Something you have like your phone, a hardware token/key, or authenticator app

2FA means that even if a hacker gets hold of your password - which they could do via various methods - they will still not be able to get into your account.

This matters, because:

  • There was a near-record number of data breaches in the US in 2024, impacting over 1.3 billion victims. Many of these individuals had passwords and usernames stolen
  • Businesses often notify customers about brute-force attacks, where threat actors either guess or use previously breached credentials to hijack accounts
  • Phishing remains one of the top ways to trick victims into handing over their passwords

What’s the difference between 2FA and MFA (multi-factor authentication)?

2FA is a type of MFA. As the name suggests, 2FA involves two separate factors (e.g., password + hardware key), but MFA is a broader term referring to any combination of two or more factors (e.g., fingerprint + smart card + PIN).

MFA is often used in highly sensitive enterprise environments where multiple factors are required.

What’s not in doubt is how important both 2FA and MFA are to your security. According to Microsoft, more than 99.9% of compromised accounts don’t have MFA.

The two factors in 2FA

What do we mean when we say “factor” in this context? Authentication factors come in three flavors:

| Factor type | Examples |
|---|---|
| Something you know (knowledge) | Passwords, PINs, security questions |
| Something you have (possession) | Smartphones, hardware tokens, smart cards |
| Something you are (inherence) | Biometrics like fingerprints, facial recognition, iris scans |

As mentioned, 2FA requires two of these three factors, while MFA could involve more than two.

What are the different types of 2FA?

| Method | Factor type | Description |
|---|---|---|
| SMS codes | Possession | One-time passcodes (OTPs) sent via text message to your phone. |
| Authenticator apps | Possession | Time-sensitive codes generated by specialized apps like Google Authenticator, Microsoft Authenticator, Authy or ESET Secure Authenticator. |
| Push notifications | Possession | An app sends a secure authentication request to your device (if it has been pre-registered and is trusted). You simply approve or deny it. |
| Hardware tokens | Possession | Devices like YubiKey or Token2 that use public key cryptography to log you into specific sites or services by inserting into a PC or tapping against your device. |
| Biometric authentication | Inherence | Fingerprint or facial recognition (usually paired with device PIN), e.g. FaceID. |
| Email-based codes | Possession | OTPs sent to a verified email address. |
| Magic links | Possession | URLs featuring unique and time-sensitive embedded tokens are sent via email/message. Just tap them to authenticate. |

The most secure 2FA methods (ranked)

  1. Hardware security keys: Extremely resistant to remote attacks like phishing and malware because you carry them around with you. Also cryptographically bound to your legitimate website’s domain so they won’t work with fake sites.
  2. App-based authenticator codes: Generate OTPs offline, so they aren’t vulnerable to phishing or SIM swapping. They’re also immune to MFA fatigue, and codes are time-sensitive, which guards against interception.
  3. Push notifications: Very user friendly, but susceptible to social engineering or MFA fatigue attacks—where a hacker repeatedly tries to login, creating a barrage of notifications which you eventually click on to make them go away.
  4. Biometrics (combined with a PIN): Potentially at risk of deepfakes or theft of irreplaceable biometric information stored by providers.
  5. SMS codes: Easy to use but can be intercepted via phishing attacks, SIM swapping, unsecure public Wi-Fi, and spyware.
  6. Email OTPs: These are the least secure because email is highly vulnerable to phishing attacks, which could expose your OTP, as could malware already on your device/PC. Emails are usually not end-to-end encrypted, meaning they could also be intercepted en route.

Remember, any 2FA is better than none. But try not to use SMS or email as threat actors are increasingly good at targeting these methods. The FBI and CISA explicitly warn against using SMS OTPs.

How 2FA works

2FA should work seamlessly. All you need to do is:

  1. Enter your username and password.
  2. Verify your identity as prompted, using a second factor:
     • A code sent via SMS or email
     • A push notification on your phone
     • A code from an authenticator app
     • A biometric scan (like Face ID)
     • Inserting your hardware key/tapping it against your mobile device
  3. Only after both steps are completed will access be granted.

Remember: even if an attacker has your password, they can’t continue without the second factor - minimizing the risk of account takeover.

The main advantages of 2FA

Mitigates password breaches: Offers protection even if your password is leaked or stolen from a business you entrusted it to.

Defends against phishing and keylogging: Prevents remote attackers from using logins they harvested via malware from your device/PC or tricked you into divulging over text/email.

Defends against brute-force attacks: Prevents malicious third parties using automated software to guess your password multiple times or use previously breached passwords you might have shared across accounts.

Reduces identity fraud: Minimizes the risk of identity fraud and financial loss stemming from account takeovers by restricting access to critical personal and financial info stored in those accounts.

Strengthens and simplifies your security posture: 2FA is simple to deploy, offered widely by app developers and can reduce the need for you to remember passwords (e.g., in the case of biometrics or push notifications).

The key disadvantages of 2FA

However, 2FA isn’t perfect. Common downsides include:

Usability: 2FA adds an extra step to the login process, although it greatly enhances security in doing so.

Access: Losing your second factor (e.g. phone, token) can lock you out of your account and be a major inconvenience. Similarly, poor mobile/data network coverage may add an extra barrier to the 2FA process.

SMS/email vulnerabilities: OTPs sent via text are vulnerable to SIM-swapping, interception/phishing, keyloggers and MFA fatigue. Email OTPs are also vulnerable to phishing, MFA fatigue and keyloggers.

How to enable 2FA on your iPhone

For Apple ID:

  1. Open the Settings app
  2. Tap your name > Sign-In & Security
  3. Tap Two-Factor Authentication
  4. Follow prompts to add and verify your phone number

For third-party apps (e.g. Gmail, Instagram, etc.):

  1. Go to the app’s Security Settings
  2. Enable 2FA and select your preferred method if offered (e.g. SMS, email, authenticator app)

Alternatively, you can switch on FaceID, if offered, by going to Apps, then tapping on the app you want to enable it for.

If using an authenticator app, it’s easier to set it up on your computer.

  1. Install your chosen authenticator app.
  2. Log into your online account on your PC.
  3. Navigate to account settings and look for “security”, “privacy” or “two factor authentication”.
  4. Click on the authenticator app option.
  5. Launch the authenticator app and click on “add account” or similar.
  6. Choose “scan QR code” and scan the code displayed by your online account/app.

Best practices for using 2FA

Bear the following in mind to optimize your use of 2FA and maximize your security:

  • Use authenticator apps or hardware keys instead of SMS/email OTPs
  • Enable 2FA on your email accounts first - they’re often the recovery gateway, so you need to protect them from account hijacking
  • Back up your 2FA methods with recovery codes or alternative verification
  • Use a password manager to store credentials and recovery info securely
  • Be alert to the risk of phishing - some attackers spoof 2FA prompts to trick users
  • Consider passkeys. These combine possession (mobile device, PC, or hardware key) with inherence (biometrics) or knowledge (device PIN). They’re simple to set up via a biometric scan or device PIN and are supported by a growing number of tech vendors/developers. Even better, passkeys are extremely robust and resistant to interception and phishing.

2FA is a great first step, but it’s just the start. To optimize the security of your accounts, combine it with strong, unique passwords. Tools like ESET Unique Password Generator make it easy to create unique, secure credentials that are hard to crack - for all of your family’s accounts.

For complete peace of mind, ESET HOME Security adds multi-layered protection - blocking phishing attempts, detecting threats in real time, and securing your browsing and email. So even if your login details are compromised, your devices and data stay safe.

For enhanced protection tailored to microbusinesses, check out ESET Small Business Security.

Expert insights

“As long as users are required to rely on passwords for authentication, 2FA and MFA remain vital protective mechanisms to ensure that access control is robust enough to withstand a growing number of attacks. However, like any other security technology, even these additional steps cannot offer 100% protection, especially if the user is manipulated into making mistakes or surrendering control of their device to an attacker.

In recent years, ESET research has documented a variety of techniques circumventing both SMS-based and app-based 2FA solutions. First, with SMS 2FA, malware can be configured to automatically forward incoming messages containing authentication codes, or it may manipulate the user into setting up a malicious app as the default SMS application. This grants the threat actor direct access to all SMS content, including 2FA codes. Second, for software-based 2FA - such as authenticator apps - attackers frequently exploit accessibility services, allowing malware to read notification content or even interact with the 2FA application itself in order to extract valid codes.

Another, more universal and broader, approach involves remote control tools, such as remote desktop protocol (RDP), virtual network computing (VNC), or remote features of specific applications like WhatsApp. Here, the attacker masquerades as technical support, gaining full control over the victim’s device, enabling them to view or capture authentication codes in real-time.”

- Lukáš Štefanko, Senior Malware Researcher

Conclusion

Our logins hold the keys to our digital lives, so protecting them must be a priority. As threat actors get better at guessing, stealing, and using these credentials, we must get smarter about protecting them. 2FA isn’t foolproof, but it can significantly enhance your account security with relatively little effort. Choose the most robust methods available and take back control of your digital life.

Frequently asked questions

What is the difference between 2FA and MFA?

2FA is a type of MFA. 2FA involves two separate factors (e.g., password + hardware key), but MFA is a broader term referring to any combination of two or more factors. It’s often used in high-security environments.

What are the most secure forms of 2FA?

Passkeys, hardware keys, and authenticator apps.

Why do I need 2FA?

To protect against hackers hijacking your most sensitive accounts with passwords they obtained via data breaches, malware, phishing, or brute-force attacks.

What are the drawbacks of 2FA?

It introduces an extra step to log in, and if you lose a second factor you may be locked out of your account. Second factors can also be targeted by cybercriminals, so stay vigilant. However, the benefits outweigh the negatives, especially if you choose the most secure and user-friendly 2FA methods.

Are passkeys the same as 2FA?

Passkeys could be thought of as a type of 2FA. The system combines possession (mobile device, PC, or hardware key) with inherence (biometrics) or knowledge (device PIN). It’s easy to set up and means you can log in without needing to enter a password at all.