What Is Two-Factor Authentication and Why You Should Use It

This short video and explainer is summarized from The Motherboard Guide to Not Getting Hacked , our comprehensive guide to digital security.

Having a strong, unique password might not be enough if hackers trick you into giving it away or steal it from your email provider or bank.

That’s why for your most sensitive accounts—think your email or banking accounts—you should set up two-factor authentication (or 2FA). This simply means adding a second step to log into your accounts. First, the password. And, second: either a code sent to your cellphone via text message, or created by a special app on your phone. Even better, the second step can be inserting a physical token such as a security key.

Hackers are getting better at phishing 2FA codes or stealing them by taking advantage of flaws in the backbone of cellular networks worldwide, known as SS7. So using security keys is the best way to make phishing practically impossible, and is the most secure way to do two-factor authentication. You should avoid using SMS if possible, as it’s a two-factor method that’s relatively easy to attack.

With SMS or app-based 2FA, hackers can still trick you into giving those codes out to them. But if you use a physical security key, that can’t be phished. A hacker would have to steal your password and then physically steal your security key to hack into your account. The security advantages provided by security keys are the reason Google has launched a new feature called Advanced Protection, which requires the use of these physical devices.

With two-factor, even if the hackers steal your passwords, they still won’t be able to get in.