Clearing up some 2FA myths.

You mean I have to do this every time I sign in?
If someone gets my second factor, does that mean they can just waltz into my account?
If I lose my second factor, doesn’t that mean I’m locked out forever?
Can’t a second factor be faked/spoofed/intercepted, and doesn’t that make it worthless?
I don’t have or want a mobile phone, so I can’t use two-factor.
There’s a lot of misinformation around two-factor authentication. This can lead people to avoid it, even though it’s one of the most effective ways to secure their online accounts.
I want to clear up some of the myths around two-factor authentication. It’s not nearly as confusing or as scary as you might think it is.

Two-factor myths busted
Two-factor authentication (2FA) adds a second check (something you have) to your password (something you know). You only use it when signing in on a new device or browser. Losing the second factor isn’t fatal: backup codes, recovery options, or spare keys get you back in. 2FA blocks almost all hacks. I encourage you to enable it everywhere.
What is two-factor?
First, we have to define what we mean by two-factor authentication (2FA), which is sometimes referred to as multi-factor authentication (MFA).
Traditionally, you sign into an online account with a username and password. These are things you know. By keeping the password secret, your ability to provide it theoretically proves that you are you and should be allowed into the account.
A second factor is typically something you have [1]. For example, once 2FA is set up, after entering your username and password you might be asked to prove you have access to your mobile device by entering a code that was sent to it. (I’ll discuss other forms of 2FA below. Not all require a mobile device.) Your ability to provide the code that was sent to your device proves you possess the physical device, your second factor.
Two factors got you into your account: something you know (your password) and something you have (your device).
Requiring that second factor adds security because even if a hacker somehow learns your password, they still can’t get into your account because they don’t have your second factor.
It’s NOT every time
Two-factor authentication is used only once [2]: the first time you sign in to an account on your computer. After that, your device becomes “trusted”, and signing in later requires only your password, as before.
Of course, it’s not quite that simple. Two-factor may kick in:
- The first time you sign in using a different browser.
- The first time you sign in on a different machine.
- The first time you sign in after clearing cookies.
- After some length of time defined by the service you’re signing into; for example, after 30 days.
- If the service you’re signing into detects “suspicious” activity on your account.
Those are rare, though, so in practice, you need to use two-factor only occasionally; certainly not every time you sign in.
Every sign-in from a hacker meets the “first time you sign in on a different browser/machine” criterion. Thus, they’ll always be asked to provide your second factor, which they don’t have.
A second factor alone is not enough
Remember, it’s two-factor authentication. You need both your password and your second factor to sign in that first time.
That means having your second factor fall into the hands of a hacker is an issue only if they also know your password.
The people who might find (or steal) your second factor are rarely the same people who might gain access to your password. The former, of course, need to be close enough to get their hands on the factor, and the latter are typically overseas working their scams.
If you lose your second factor, you can quickly disconnect it from your account by signing into the account and turning off or changing the existing two-factor configuration.
Losing your second factor is an inconvenience, not a disaster
If you lose your second factor, you will not be locked out of your account.
There are two safety nets in place, plus a third if you take additional steps.
Backup codes. First, when you set up two-factor authentication for an account, you’ll be prompted to create and/or save a set of backup codes. Each of these codes can be used once in place of your second factor. Once you sign in, you can temporarily turn off 2FA or change it to a replacement device. The backup codes need to be stored securely, but as long as they’re accessible to you, you can always get back into your account.
Account recovery. Second, services offer many account recovery techniques (AKA “I forgot my password”) to confirm you are who you say you are without your second factor. They may send an email message to an associated recovery account, a text message to a different recovery phone number, or any of several pre-configured recovery options. After you jump through these additional hoops, the service may accept your sign-in without the second factor. This doesn’t invalidate 2FA as a security measure, because a hacker would have had to jump through all those hoops as well, which is extremely unlikely. Your ability to do so proves you are you.
A second second factor. There’s a third safety net you can set up yourself ahead of time: an additional second factor. When using hardware keys as 2FA (see below), it’s common to set up two keys, keeping one in a safe place as a backup. In that same vein, you could set up both SMS and app-based 2FA such that either could be used in the event the other is lost.
In all cases, and as long as you prepare (which most services require), losing your second factor is an inconvenience at worst.
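To make the sign-in flow described above concrete (password every time, second factor only the first time on a device, then a trusted-device token, with single-use backup codes as the safety net), here is an added illustration in Python. It is not code from the Ask Leo! article; the second factor is a standard RFC 6238 TOTP code of the kind an authenticator app computes, and the Account class, its method names and the 30-day trust period are hypothetical choices for the example.

```python
"""Added illustration of a 2FA sign-in flow: password + second factor the first
time, trusted-device token afterwards, single-use backup codes as a safety net.
Hypothetical example code, not Ask Leo!'s or any service's implementation."""
import hashlib
import hmac
import secrets
import struct

TRUST_SECONDS = 30 * 86400   # hypothetical: re-ask for the factor after 30 days


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: what a TOTP authenticator app shows."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_password(password)
        self._totp_secret = totp_secret
        # Backup codes: shown to the user once; the server keeps only hashes,
        # and each hash is deleted when its code is used.
        self.backup_codes = [secrets.token_hex(5) for _ in range(8)]
        self._backup_hashes = {hashlib.sha256(c.encode()).hexdigest()
                               for c in self.backup_codes}
        self._trusted = {}   # device token -> expiry time (seconds)

    def _hash_password(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _second_factor_ok(self, code: str, now: int) -> bool:
        # Accept the current 30-second step and one step either side (clock drift).
        for drift in (-1, 0, 1):
            expected = totp(self._totp_secret, now + drift * 30)
            if hmac.compare_digest(expected.encode(), code.encode()):
                return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._backup_hashes:
            self._backup_hashes.discard(digest)   # consumed: cannot be replayed
            return True
        return False

    def sign_in(self, password: str, now: int, device_token=None,
                second_factor=None, remember=False):
        """Return (granted, device_token). The password is always required; the
        second factor is required unless this device holds a valid trust token."""
        if not hmac.compare_digest(self._hash_password(password), self._pw_hash):
            return False, None
        if device_token in self._trusted and self._trusted[device_token] > now:
            return True, device_token          # "trusted" device: password only
        if second_factor is None or not self._second_factor_ok(second_factor, now):
            return False, None                 # password alone is not enough
        if remember:
            token = secrets.token_urlsafe(32)
            self._trusted[token] = now + TRUST_SECONDS
            return True, token                 # stored by the browser as a cookie
        return True, None
```

Clearing cookies, a different browser, or the trust period expiring all drop the token, which is exactly the list of situations above in which 2FA asks again.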
Two-factor spoofing
There is no such thing as perfect security. Period.
That means that it is possible for hackers to spoof or bypass two-factor authentication in some situations. The two most common:
- Mobile numbers can be stolen (AKA “sim swapping”), redirecting all SMS messages to the hacker.
- Successful phishing attacks can intercept two-factor codes in real time.
The first requires you to be individually targeted, and you can set up a PIN with your mobile provider to prevent unauthorized reassignment of your number. For the second, pay close attention to the signs of phishing to avoid being lured down this path.
Both of these spoofing techniques are rare and preventable. Any two-factor authentication is better than no two-factor authentication.
By using 2FA, you are stacking the odds in your favor, making it significantly less likely your account will be compromised.
Second factors
You don’t always need a mobile phone or a smart device.
This varies based on the online provider with which you’re setting up two-factor authentication, but often services allow a variety of devices to be used. These may include:
- A smartphone to run a TOTP (Time-based One Time Password) two-factor authentication app or service-specific authentication app.
- A mobile phone to receive SMS text messages.
- Any phone to receive codes via automated voice (sadly, this is rare).
- Email addresses unrelated to the account using 2FA. Your ability to receive a code, for example, at a specific pre-configured email address, can act as a second factor.
- Hardware keys such as the YubiKey.
- Any other device already signed into the account that can present a “Is this you signing in on that other device?” approval message.
- Your device’s camera or fingerprint reader.
I’ve seen each of these act as a second factor on various services. Which ones are offered is up to each service.
Why bother with all this?
To be clear, 2FA is very little bother. The only thing that really changes after you set it up is that the first time you sign in to a new device or browser, you need to use your second factor. After that, it’s the same sign-in process as before.
Password-based compromise happens daily. Due to bad passwords (which of course you don’t use — right?), malware, brute-force attacks, breaches, or other forms of compromise, accounts are hacked often. Two-factor stops 99% [3] of these attempts dead in their tracks.
2FA provides peace of mind.
Do this
Take a few minutes right now and set up two-factor authentication on every account you have that supports it. Start with your password manager and then your email, financial, and social media accounts. Take care to follow the instructions carefully and create/save the backup codes you’ll be instructed to set up.
A few minutes today could save you a giant headache in the future.
Footnotes & References
1: A different type of second (or third) factor can be something you are, meaning some physical characteristic about you, such as your face, fingerprint, iris, or something else.
2: As always, there are exceptions. “Never say never” and all that. But in general, and especially for consumer accounts, 2FA is required only the first time.
3: OK, I made that up, but honestly, I expect the real number to be more like 99.99%.
My problem is that I don’t have a cell phone. While more and more services are starting to add additional options, it’s amazing how many still rely on a cell phone number to text a code to (and that’s the only option they provide). The other day, we were creating a Yahoo! email account for my daughter. Yahoo! required that we input a cell phone number while creating the account. There was no option to choose a different method. There was no option to skip it. We had to borrow someone else’s cell phone and get the code (which to me sounds like the opposite of account security) to complete the account creation. Once created, we were able to delete the cell phone number and choose email instead.
My other issue is that if I close Chrome, often my cookies will be cleared the next time I go to Chrome, so I have to go through the hassle of 2FA on all my online accounts as I use them again. I’ve tried looking for an option that is clearing cookies automatically on me, but haven’t found it yet. So I generally tend to keep Chrome open all the time. I would rather not do that, but the constant 2FA thing gets really annoying.
Cookies should be cleared on exit ONLY if the setting to do so is selected. Normal default behavior is that cookies are preserved across browser restarts.
That normal behaviour is what I would like, but I can’t seem to find the setting in Chrome.
Wow. And neither can I. Looks like it’s been removed for some reason? Anyway, there are extensions that will do it for you if you like.
When I saw this question, I looked and couldn’t find that setting either.
To JAMES B and LEO NOTENBOOM: In the current version of the Chrome browser, i.e. Chrome 138, you might want to explore the following settings. Properly configuring them might give you the cookie results you’re seeking (no guarantees, but worth a try). Be sure to follow the steps carefully because the settings are very deeply “nested”.
On the Chrome toolbar, in the right-hand corner, click the vertical ellipsis to open the drop-down menu. On the drop-down menu, click “Settings”. On the page that opens next, go to the far left-hand column and click “Privacy and security”. From this point onward, each of the following two separate paths will take you to a setting (at the end of the respective path) which can be configured to affect your cookies in a variety of ways. The individual steps in the paths are as follows:
PATH #1: “Privacy and security” > “Delete browsing data” > “Cookies and other site data” (Choose the “Basic” column on this panel and toggle the “Cookies and other site data” check-box on or off; then choose the “Advanced” column on this panel and toggle the “Cookies and other site data” check-box on or off. In each of the “Basic” and “Advanced” columns, be sure that the “Time range” box is set to cover the desired period of time)
PATH #2: “Privacy and security” > “Site settings” > “Content” > “Additional content settings” > “On-device site data” (The “On-device site data” panel contains a wealth of fine-tuning customization options)
Best of luck. Harris Stewart
Path #1 will clear cookies, the cache, and other site data but it won’t change the settings to clear or not clear this data on exit.
Path #2 I couldn’t find any settings on that page to clear or preserve cookies and other browsing data on exit.
To MARK JACOBS (Team Leo) Hi, Mark. This replies to your post of July 3, 2025, 3:16 p.m. When I queried Google Search (with AI enhancement) regarding this matter, it furnished the answer below, which appears to align with Path #2 in my July 3, 2025, 2:13 pm post. It seems that Chrome 138 has adopted some new language to cover the applicable setting(s). “On-device site data” is apparently meant to include cookies; and the phrase “…when you close all windows” apparently means when you exit (i.e. close) the Chrome browser. Google’s full response is quoted below (see especially the final paragraph). Am I missing something?
“In Chrome 138, to preserve all cookies upon exiting, use the following steps:
Open Chrome Settings: Click the three vertical dots in the top-right corner of the Chrome window, and then select Settings from the drop-down menu.
Navigate to Privacy and security: In the left-hand menu, click Privacy and security.
Go to Site settings: Click on Site settings.
Select Additional content settings: Navigate to Additional content settings.
Click On-device site data: Choose On-device site data.
Ensure that you DO NOT select “Delete data sites have saved to your device when you close all windows”: Instead, choose an option that allows sites to save data, such as allowing all cookies. The option to prevent clearing cookies on exit is managed by NOT ENABLING the setting to automatically clear site data when closing Chrome. You can also manage settings for individual websites under “On-device site data” to allow or block cookies for specific domains.”
Regards, Harris Stewart
My issue is that I can’t find a setting that allows me to choose which kind of data to clear. It’s all or nothing.
Very nicely covered, Leo, as usual.
There is one additional thing worth mentioning about two factor authentication (2FA). In my experience, well programmed web sites that require 2FA do not “trust” your first login by default. You must generally click a checkbox to indicate if you want to be asked for a second factor in the future. Less obviously, some sites ask if you are on a public or private computer.
Users need to know the “trust” concept may require answering such questions and the consequences of how they answer.
I personally do not accept the “trust” offer for higher-risk sites, like banking or investment websites where the risk of loss is higher than say, a catalog or news site.
I’ll “trust” my bank at home, but never on my laptop (even if the laptop is at home, since I might travel with it later).
Some websites always require your second factor (your authorized device becomes your second factor, but a few websites don’t recognize that).
My bank has an app that’s required when you try to log in anywhere, and it always requires that app to log in on your computer. I don’t mind my bank being that strict, but whenever I get a new phone, I have to apply for a new PIN, which takes a week to arrive by post. A bit of a pain, but it’s real money at stake.
I took the time to do as you suggest in the video. For me, it’s not an issue to protect me, but I am relaying an exception so your viewers are aware. I found that when I log in to .gov accounts that are transitioning to “login.gov” or “id.me” security, access requires authentication for future log-ins even though I selected “remember this device”.
My health care provider requires a two factor authentication every time I log in on my computer.
My banks do the same. Some financial websites take that extra step to protect your account.
Concerning last week’s article “What Happens If You Click a Bad Link.” will 2FA save you from harm (assuming you have it setup, of course). If you do click on that “Bad Link” is there a way the spammer can get around the 2FA and get into the account?
It offers great but not complete protection. 2FA will protect you from them logging in to your account with your login credentials, because they don’t have the second factor. But there’s still a danger, because clicking on some links can send you to a website that injects malware.
If you fall for a phishing email change your password ASAP.
The only way a scammer could bypass it is if you entered your two factor code into their fake login page.
I was always trained that the correct concept is Multi Factor Authentication (MFA) and these factors are normally ‘Something you know’ (e.g. password); ‘Something you have’ (e.g. identified phone or issued number generator) or ‘Something you are’ (e.g. fingerprint or iris scan). So 2FA is a mechanism that uses two, and 3FA utilises all three. The more factors that are used the more secure the system can be assumed to be.
Very enjoyable…as always. Personally, I most always uncheck the “remember this device” as a means of [maybe] maximizing the benefit of needing 2FA. I would avoid the email 2FA, if possible, as sometimes the speed of email receipt isn’t always swift esp. if you use a forwarding service. I would consider using a YubiKey-like device but, as I’m always misplacing my cell phone [age-related] I cannot come to an appreciation for “where did I put that thing”…it’s probably with my car keys…when I find them too…so I would probably also want a 2nd YubiKey. Final note: I’m amazed at how few sites offer the YubiKey as an option.
I was in Canada Computers last week and was asking about the Yubikey. He was very blunt in saying “they’re not legal yet in Canada.” That turned things on their head for me.
Yubikeys are legal in Canada. You can even get them at Walmart.
https://www.walmart.ca/en/c/brand/yubico
I understood that one should tell web sites to “remember this computer/browser” and never check that box. But with that option I have to do 2FA every time I log in. Should I not be concerned and allow the browser to remember the device?
First of all, let’s clear up terminology. It’s not the website remembering your computer, it’s your computer which remembers the login by means of cookies.
I usually let my devices remember logins. It’s generally safe to check “remember this device” as long as you’re on your own device, not using a public or shared computer, and your device is password-, PIN-, or biometric-protected so that no one can open your computer or device.
If you’re using incognito/private browsing or deleting cookies, it will “forget” your logins.
Depends on the circumstances, but I “remember this device” on my home computer for all sites, and don’t on my laptop for sensitive sites like banking.
Having had two of my personal devices hacked recently, I uncheck the “remember this device” systematically. Once I will be 100% confident I got rid of the hackers, I will go back to leaving that box checked.
My sister uses gmail but wanted another email address on another provider. I tried both GMX and AOL. Both said they sent codes to her phone which never arrived. Tried several times with the same result.
I sent her some numbers from my phone to see if her phone was the problem but she got my text OK.
I seem to have to do the 2 factor ID every time I log into those sites and sometimes I never get the email or message. I dropped a credit card because I could never get to its site to get a statement. I called customer support and they offered to get it for me, but that’s no help. They would have to do that every month! So, when it works it’s OK. It doesn’t always work.
I do have to mention a 2FA frustrating experience, again. We were out of Canada vacationing and knew in advance that our cell phones would not work there as Primus did not work in the USA. We had them only for WiFi.
When we got to Hawaii, we went to a shop to purchase SIM cards for use while there. Of course, that changed our phone numbers. And of course, any time we tried to log in for any Gmail, etc., it wanted to send us the 2FA code. Which, per the accounts, was our CANADIAN phone numbers. Which meant, we never got them. Which meant, we could never access our Gmail. And there really wasn’t any way around it, because to get into Google to change the method of notification, you had to receive the 2FA code SENT TO OUR CDN SIM ACCOUNTS. Couldn’t change the “notification phone number” to the temporary US-SIM numbers, either.
Upside: didn’t deal with any email while away on vacation! (I think that’s good).
Oh, also remembered that in order to confirm the return flights from Hawaii to BC, where we’d connect to home, we couldn’t until we hit land in BC. And then we found our pre-booked seats had been changed because we didn’t confirm 24hrs before. Grrr….
Beware.
I split my time between Germany and the United States. I’m on a U.S.-based mobile plan that provides free texting in Europe and over 210 supported international locations. In countries outside this coverage, receiving text messages may incur pay-per-use charges. The device usability depends on whether your phone supports the cellular technologies (such as GSM, LTE, or 5G NR) and frequency bands utilized by local carriers, as well as whether your wireless provider enables international roaming in that location. The problem may be with your phone (unlikely as most smartphones support all cellular technologies). If your cell service doesn’t provide international roaming, you can find one that does and still keep your phone number.
You might see if your phone/carrier supports Wi-Fi calling.
I may have missed it, but I still don’t see an answer to how people without cell phones (by choice) are to use 2FA. Some sites will send a code to my landline but it’s a nuisance to leave my computer work and go get the phone and write down the code. I’m too old and busy with research to deal with fingerprints or turning on my camera.
Depends on the 2FA options offered by the service you use. Some will also allow email, for example.
I’m enjoying your newsletters very much, and, regarding Windows 10, I’m going to use it until my computer literally dies on me. I’ve got secure software with Microsoft Defender, and I don’t open any emails or anything I don’t know about. It seems like people want everyone scared, and, while I’m cautious, I’m not going to be all scared and everything. I know this wasn’t about Windows 10, but I thought I would comment here.
I like using 2-Factor verification for some of my online accounts. They are not difficult to set up on most sites. There are problems with the sites that request or require a phone number and preferably a mobile number.
I do not use a phone number for any account except my local credit union where I do most of my finances. I rarely use a phone for voice communications both for security and due to my hearing loss. When I was at work I needed to have a phone and Bluetooth hearing aids for communicating. Since I retired I stopped carrying a cellphone so I did not need the necessary hearing aids. Without my hearing aids many times I cannot even hear the phone ring. I use a VOIP for the home phone with an answering machine to take any messages. In the past when I would give out the number to some entity I would start getting solicitation calls. I always register every phone number on the Do-Not-Call website. Then once a month I would review the calls and report the ones whom I do already know. Within a short time there are no more calls. If I get too many calls I just change the number and start again. I am retired and have time to do this.
I use a Theta security key for all of my government login sites for ease of login. I also use it for some of my email accounts. This would be good for the different credit accounts that I have to access. I have not found any financial site who provided the option to use a Theta security key. Some accounts have obsolete phone numbers so there is no way to communicate for account verification.
Some accounts regularly use an email security question or access code to verify an account. I find this to be acceptable but would prefer using a security key. I do not understand the resistance from some financial entities that prefer to use a phone call or text for verification. There would be more people using a security key if all you had to do is press the button after login with the username and account password. This is quick and secure.
I am in the minority where I do not carry a cellphone with me when I leave home. My car has a phone line included with OnStar that I can use for an emergency. There have been times where I do not know where my cellphone is located. I only give out my number to family and friends with whom I communicate. I use the cellphone as my eReader device to read books. I do not recall how many months ago I had a phone conversation. So this is not something I would use to verify any account. When I travel I carry a laptop for most of my online searches. I will usually set up my phone as a mobile hotspot to access my email or other accounts while traveling. I believe that using the cellphone network is more secure than most WiFi hotspots available.
I recently was in a Home Depot to rent a vibrator device to smooth out some gravel. Their process would not accept my driver license ID. It was near my birthday and in Georgia you surrender your old license when renewing and they give you a photocopy of the photo and drivers information. They would use a phone call but I did not have a cellphone with me. They could call the home phone but I was not there to answer it. I have a US Passport ID card which meets the current Real-ID standards and it was not acceptable. The clerk was following the software prompts but could not complete the transaction. This is not a practical use of cellphones for verification as anyone using the phone could respond to the information using the phone.