What is two-factor authentication and should you use it?

Two-factor authentication, or 2FA, adds a layer of security when signing in to websites and services.

The most common way this happens is when you log in from a new phone, tablet or computer, or from a new location the website doesn’t recognise. Some websites also require 2FA every time you login or when you make a transaction.

The website will send you a code - usually via text to your mobile phone - that you have to enter before you can finish signing in.

It's an effective way to protect your online data - see why below.

Tech Support – stay on top of your tech and get unlimited expert 1-2-1 support by phone, email, remote fix and in print.

Should I use 2FA?

In short - yes. You should turn it on for every service you log in to, whether it's via an app or a website. Not every service offers it, but where it's available, turn it on. 

This is a great way of protecting your accounts, as it stops hackers who might have got your password via a data breach or phishing scam from logging in.

You can keep up-to-date on the latest scams by signing up to our free Scam Alerts service.

Is getting a code by text the only 2FA method?

No. By text is the most common way, but some websites and services also support using different methods, such as:

• Authenticator app - such as LastPass Authenticator, Google Authenticator, Okta Verify, Authy (there are many others too) work in a similar way by generating codes for you to confirm it’s you logging to a website from a new device or location
• Biometrics – your fingerprint, a scan of your iris or a scan of your face can also be used to verify it’s you and not a hacker logging in to a website
• Hardware keys - the most common is the Yubikey, which is widely supported, although there are others made to the same standards. Google has its own Titan Security Key.

Our independent lab tests reveal the best antivirus software 

How to turn on 2FA for your account

Every website or service will be slightly different, but generally you’ll find the options for 2FA in the security settings for your account.

Typically, you’ll be asked to enter your mobile number and then the website will send you a code which you type in to confirm that you want to go ahead and set it up. 

Some websites will require you to confirm your login each time, while others will only challenge your login if you’re signing in from a new device, or a new browser on an old device – or from an IP address you haven’t logged in from before.

In most cases you can tell it to recognise you from that device/browser/IP address in future, although we would recommend letting it challenge you each time.

What if I lose my phone or hardware key, or I don't have a mobile signal?

Most websites that use 2FA will also let you generate one-time codes: codes that you can print out or perhaps store safely in your cloud storage and then type in to complete your login.

If you decide to store those codes in your cloud storage you'll need to make sure you can access that if you're offline or if you've had your phone stolen, of course.

Again, it's a bit of a pain to go through all your sites and generate them, and you'll need to work out the best way for you to store them, but it's a good back-up option.

Know what to do if your laptop gets stolen

Join Which? Tech Support

Which? Tech Support can help you keep you on top of your tech. Our experts explain things clearly so that you can resolve issues and feel more confident using your devices.

Get unlimited 1-2-1 expert support:

• By phone Clear guidance in choosing, setting up, using and resolving issues with your home tech devices.
• By email Outline the issue and we’ll email you our answer.
• By remote fix We connect securely from our office to your home computer and resolve issues while you watch.
• In print Which? Tech magazine, six issues a year delivered to your door.

You can join Which? Tech Support for £4.99 a month or £49 a year.