Two factor authentication

by John Bandler

Here is a quick definition of the term and explanation of cybersecurity best practices.

Two-factor authentication definition in sum

Two-factor authentication generally means that you need more than just a password to access your online account. This means a cybercriminal would also need more than just a password to get in.

Various names for two-factor authentication include:

  • Two-factor authentication
  • 2FA
  • Multi-factor authentication
  • MFA
  • 2-step login

Two factor authentication can be used for more than just online accounts (documents, email, social media, etc.), but that is the common use case.

2FA means two separate ways of identifying you ("authenticating" you) are needed. Typically this means a password (something you know) and proving that you possess a device by entering a one-time code (something you have).

Let's say you are trying to log into your email account from a new device, and have 2FA enabled on the email account:

  • You enter your password (something you know, the first factor of authentication)
  • Your email provider then sends a text message to your cell phone number, or asks you to enter a code from an authenticator app, you do this and essentially prove you have (possess) that cell phone or device (the second factor of authentication).
  • You are "authenticated" with the two factors and the email provider allows you to login.

The computer device might remain authenticated by that email provider for that session, for a limited period of time, or indefinitely, depending on settings and choices.

Of course, the purpose of this is to keep criminals out. So imagine this scenario:

  • Cybercriminal is in country X, and has obtained your username and password (because this is what they do -- cybercriminals obtain or guess passwords all the time)
  • Cybercriminal inputs your username and password
  • If you do not have 2FA, or other cybersecurity controls, the cybercriminal is in your system, doing things as if they were you
  • If you have 2FA, the cybercriminal is not in (not yet at least). They would also need to get that one-time code from your phone.

Authentication and the three factors of authentication

To put this in context, "authentication" is the process the information system uses to identify the user. The information system could be a computer device, an email provider, etc. The information system needs to decide whether to let the user in or not.

There are three factors of authentication:

  • Something you know (like a password)
  • Something you have (like a smart phone, key fob, token, smart card), and
  • Something you are (like your fingerprint, facial features or retinal scan).

An authentication system that only requires a password is single factor. This has inherent weaknesses for accounts accessible through the internet, because passwords can be guessed or stolen.

As indicated above, an authentication system that requires more than one factor of authentication might be called two-factor authentication or any of the other similar terms.

Two factor authentication best practices in sum

Two factor authentication is important for Internet (cloud based) accounts. That is because cybercriminals have been stealing and guessing passwords for a long time. A single factor of authentication is not enough.

Here are some general principles for two factor authentication:

  • Use two factor authentication for all important cloud accounts
  • 2FA is much more secure than having a single factor of authentication
    • Passwords alone have inherent weaknesses
    • Even with 2FA, follow good password guidance
  • Important cloud accounts include email, document storage, financial, even social media
  • Application based 2FA (authenticator apps) are generally more secure than text message based 2FA
    • Text messages may be called SMS messages (SMS = short message service)
    • If the cybercriminal takes over your cell phone service, they could get your 2FA code if it comes by SMS
  • 2FA is not invulnerable, but an important step
  • Knowledge and awareness (my first pillar of security) is always important to protect against cybercrime, including cybercrime tricks (social engineering) to get that 2FA code from you
  • Don't lose your smartphone and lock yourself out
  • Implement 2FA in a methodical manner. Don't lock yourself out.  Try have all your computer devices with you (laptop, tablet, smartphone, etc. and ensure you get them all logged back in.
  • Develop and practice good habits, including with 2FA

Related terms

This is a key term definition article

I have decided to experiment by creating short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.

These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform. You need to assess your own risks and decide. You assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words so cannot exhaustively cover all areas.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at NOT YET (though not kept as up to date).

Originally posted 4/5/2023, updated 1/25/2024.