
Two-Factor Authentication Keeps the Hackers Out

We rely on passwords to protect our online world. At the same time, hackers seem to be getting better at deciphering them.

In response, security folks created something called “two-factor” or “multi-factor” authentication.

It’s something I strongly suggest you understand and consider using.

Two-factor authentication relies on two different types of information, both of which must be correct in order to confirm your identity.

When we talk about security and passwords and the like, the word “authentication” gets thrown around a lot.

All authentication means is proving that you are who you say you are. It’s validating you are authentically you, and not some impostor.

It’s important, because once you’ve shown you are who you say you are, you have the right to use the things that are yours. Once you prove you are you, for example, you’re allowed to access your email account.

In person, we can use physical things, like a photo ID, to prove we are who we say we are. Online, things get more difficult.

What you know, and what you have

Authentication has almost always been in the form of something you know – for example, an account ID and password. Even if you forget your password, the answers to a set of security questions might be used instead, which still boil down to something(s) you know.

Something you know is easy to transfer from one person to another. When it’s on purpose, that’s okay. When someone who shouldn’t learns your password, something you know becomes something they know, too. The result? They can get at your account.

“Two-factor authentication” adds something you have to the requirements to prove you are you. When it comes time to authenticate, you have to have two things:

  • Something you know: you must know your account ID and password.
  • Something you have: you must actually possess something specific that is completely unique to you and only you.

When you think about it, proving online that you have something like that is actually pretty hard to do.

Until you factor in encryption¹.

Two-factor authentication using an app

A common tool to provide two-factor authentication is the Google Authenticator app. It works like this:

  • You install the Google Authenticator app on your smartphone.
  • You “associate” Authenticator with your online account. This is usually done by scanning a QR code provided by the set-up process for that account, or by entering a code that’s displayed.

The app now begins displaying a six-digit random number that changes every 30 seconds.

In reality, the number isn’t random at all – it’s computed from a secret key created as part of the set-up process you just completed. It’s completely unique to your account and your smartphone. Only the app, and the service you’ve connected to, know what the number should be at any point in time.

If you can type in the correct number provided by the app when requested by the service, that proves you have that specific smartphone.

Your two factors are:

  • Something you know: the ID and password to your account, which you prove you know by typing it in as usual.
  • Something you have: your phone, which you prove you have by entering the number displayed by the Authenticator app when requested.

Your log-in process now requires you to provide your ID and password, and then provide the number currently being displayed by your smartphone. Either one by itself is not enough.

Two-factor authentication using SMS

An alternative (for those who don’t have a smartphone, or who just prefer it) is to use text messaging (SMS) to prove you have your phone.

Set-up is simple: you give your mobile number to the service, and tell them you want to use it for two-factor authentication.

Your two factors are:

  • Something you know: the ID and password to your account, which you prove you know by typing it in as usual.
  • Something you have: your phone, which you prove you have by entering the number text-messaged to it when you try to log in.

Your log-in process now requires you to provide your password, and then provide the number texted to your phone.

Some systems can use automated voice readout of the number, meaning you don’t need to use texting at all; you don’t even need to have a mobile phone – a landline will do. When you try to log in, a voice call is made to your phone number, and an automated system reads you the number you need to type in.

Making two-factor less annoying

Once people understand two-factor, the first reaction is usually a horrified, “You mean I have to do this every time I log in?”

Actually, no.

After you log in once using two-factor authentication, most services let you limit how often the second factor will be required on that device. You usually have the following options:

  • Never again on this computer. This means that this computer itself is trusted. You can log in again on this specific computer without requiring the second factor. (Clearing cookies usually resets this.)
  • Every-so-often on this computer. This usually means the service will not ask for a second factor again for some number of days – often 30. (Once again, clearing cookies will likely reset this.)
  • Always ask. Two-factor authentication is always required. This is the default.

This lets you tailor exactly how aggressive – and annoying – two-factor authentication should be.

On a computer at home, you might never use two-factor, but on a laptop you travel with, you might require it always be used, just in case you lose the laptop. This is exactly what I do.
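The following is an added example, not code from the article or from any particular service, sketching how a server can implement the three options above. A device is remembered only after a successful two-factor login; the server hands the browser a random token (the cookie the article mentions), stores only a hash of it with an expiry, and checks it on later logins. Clearing cookies discards the token, which is why the article says that resets the trust. The policy names, the 30-day default and the `TrustedDeviceStore` class are all assumptions made for this example.

```python
import hashlib
import secrets
from typing import Dict, Optional

DAY = 86400
NEVER = -1  # sentinel expiry for "never again on this computer"


class TrustedDeviceStore:
    """Server-side record of devices that may skip the second factor."""

    def __init__(self) -> None:
        # sha256(token) -> expiry as a Unix timestamp, or NEVER
        self._trusted: Dict[str, int] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, policy: str, now: int, days: int = 30) -> Optional[str]:
        """Call right after a successful two-factor login.
        Returns the token to set as a cookie, or None for 'always ask'."""
        if policy == "always_ask":          # the default: nothing stored
            return None
        if policy == "never_again":
            expiry = NEVER
        elif policy == "every_so_often":
            expiry = now + days * DAY
        else:
            raise ValueError(f"unknown policy: {policy}")
        token = secrets.token_urlsafe(32)   # 256 bits, unguessable
        self._trusted[self._digest(token)] = expiry
        return token

    def is_trusted(self, token: Optional[str], now: int) -> bool:
        """True if the presented cookie token is known and unexpired.
        Expired entries are dropped so the next login asks again."""
        if not token:
            return False
        key = self._digest(token)
        expiry = self._trusted.get(key)
        if expiry is None:
            return False
        if expiry != NEVER and now >= expiry:
            del self._trusted[key]
            return False
        return True

    def forget_all(self) -> None:
        """Revoke every remembered device, e.g. after a password change."""
        self._trusted.clear()


if __name__ == "__main__":
    store = TrustedDeviceStore()
    cookie = store.remember("every_so_often", now=0)
    print("day 10 trusted:", store.is_trusted(cookie, now=10 * DAY))
    print("day 31 trusted:", store.is_trusted(cookie, now=31 * DAY))
```

A server that stores only the hash of the token cannot be mined for working cookies if its database leaks, and `forget_all` is the hook for the "change your password and re-check everything" moment described later in the article.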

Why two-factor protects you even if you only enable and never use it

So why would you enable two-factor and yet still say “never ask again”?

“Never ask again” can apply only to a computer on which you’ve successfully used two-factor at least once. On any computer you’ve never used, two-factor will always be required at least once.

That means the computer of a hacker who happens to have stolen your password can’t be used to get in.

Even knowing your password, the hacker cannot log in if you have two-factor authentication enabled on the account.

Losing your second factor

One fear that comes up when people look into two-factor authentication is “what happens if I lose my phone?” (or other two-factor device).

When you set up your account with something like Google Authenticator, you will also be given a set of one-time passwords or recovery codes. Save those someplace secure. You can log in with each of those passwords exactly once without requiring a second factor.

Usually you would:

  • Log in using a one-time password.
  • Temporarily disable two-factor authentication.
  • Change the password for safety (optional).
  • Re-enable two-factor authentication by associating a new phone or other two-factor device.

I save the one-time passwords in an encrypted file.
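As an added example (not the article’s code and not any service’s implementation), here is how the one-time recovery codes described above can be issued and redeemed so that each works exactly once. Codes are generated from a cryptographic random source, shown to the user once, and the service keeps only their hashes; redeeming a code removes its hash, and the recovery flow finishes by issuing a fresh set. The code format, the ten-code count and the function names are assumptions of this example.

```python
import hashlib
import secrets
import string
from typing import List

ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 10
CODE_COUNT = 10


def _normalize(code: str) -> str:
    """Accept what a user is likely to type: any case, with or without the dash."""
    return code.strip().replace("-", "").lower()


def _digest(code: str) -> str:
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def generate_recovery_codes(count: int = CODE_COUNT) -> List[str]:
    """Fresh codes to show the user once, e.g. 'k3f9a-2qz7m'."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


class RecoveryCodeStore:
    """Server-side state: only hashes of the unused codes are kept,
    so a database leak does not hand out working logins."""

    def __init__(self, codes: List[str]) -> None:
        self._unused = {_digest(c) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Consume a code. True exactly once per valid code."""
        d = _digest(submitted)
        if d in self._unused:
            self._unused.remove(d)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def recover_with_code(store: RecoveryCodeStore, submitted: str) -> List[str]:
    """The flow from the article: log in with a one-time code, then (after
    the new device is enrolled) replace the whole set so the old list is dead.
    Returns the new codes to show the user, or an empty list if rejected."""
    if not store.redeem(submitted):
        return []
    fresh = generate_recovery_codes()
    store._unused = {_digest(c) for c in fresh}   # retire the old set
    return fresh


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore(issued)
    print("first use:", store.redeem(issued[0]))    # True
    print("second use:", store.redeem(issued[0]))   # False
```

Each code has 36^10 (about 3.6 quadrillion) possibilities, so online guessing is hopeless as long as the login endpoint rate-limits; the real risk is the saved list itself, which is why the article keeps it in an encrypted file.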

Some services, like Microsoft, will also let you set up a recovery code that’s independent of two-factor authentication. I recommend you do so.

If you’re using SMS as your two-factor mechanism, recovery can be as simple as going to your mobile provider and getting a replacement phone while keeping your mobile number. Texts are sent to your mobile number, and will follow you to whatever phone you switch to.

Two-factor availability

I have two-factor authentication enabled on everything that supports it. For me, that means, among other things, my bank, Amazon, Gmail, LastPass, Dropbox, Facebook, Evernote, Microsoft, TeamViewer, and even my World of Warcraft account.

Unfortunately, not every service supports two-factor authentication. I strongly recommend you consider it for those accounts that do.

You’ll also find that in addition to, or instead of, the two common methods I mentioned above – Google Authenticator and text messaging – several services also have other approaches to two-factor. World of Warcraft, for example, has its own app. Facebook uses the Facebook mobile app to provide the code, or SMS if you don’t have the app. Some services will provide key-chain fobs that display the randomly changing number. Other services can use devices like the USB-based YubiKey.

Pick what makes the most sense to you, but strongly consider adding two-factor authentication to increase the security of at least your most important accounts.

Footnotes & references

1: Pun completely unintentional. 🙂

69 comments on “Two-Factor Authentication Keeps the Hackers Out”

  1. It’s very worthwhile exploring the related articles and not just assuming the current practice of Secret Questions have got you covered as the 2nd step of verification. Secret Questions are a pretty weak method of security as the Secret Answers are frequently known by friends, family, work and class mates.

    Though Leo has a creative way of making Secret Answers more secure for those sites that only have Secret Questions.

    • I’m finding that secret questions are, thankfully, falling out of favor. Many sites that used to have them have replaced them with other forms of validation.

      • As long as a system created or understood by humans is relied upon, another human or machine created by a human will eventually crack it. Trying to type a bunch of letters and numbers is really too easy and then they want you to do a ‘Turing’ exercise and choose items that have the same characteristics that can really be frustrating if you can’t really get a grip on their concept or see it well…those aren’t even useful for the handicapped.

        The answer hasn’t been thought of yet because they are too busy trying to see if you are AI.

    • Secret answers stink, but there’s an easy way to make them safe if you can’t avoid them: use a long, random password as an answer whatever the question, and save that in a password manager (in KeePass: create a custom field for it under the Advanced tab.)

      Unfortunately, secret answers are aimed at precisely the type of people who wouldn’t be using a password manager, and wouldn’t be comfortable with one.

  2. I live in India, but travel to the U S once in a while since all my children are settled there. I am hesitant to activate the Google two factor authentication because my Indian phone does not work when I am in the U S. What would be the preferred option in such a case.

    • If you use the google authenticator app on your phone it should work. The app does not require connectivity or phone calls, it’s just a program that runs on the device.

      • “It’s just a program that runs on the device.”

        A fundamental point, which is not stressed often enough. I had trouble understanding it, and I still forget it occasionally.

    • Google will allow you to pre-download ten codes that can be used when you travel. The codes are only used one time and then you need to go on to the next.

      BTW: YOU CANNOT USE EUDORA WITH TWO PART AUTHENTICATION! Eudora only allows one password – no codes! Then Google blocks the attempt to download your gmail!

      • I believe you can use Eudora and other email programs that can’t do two-factor by looking for and setting up “application passwords”. Check the Google options for that.

        • FB requires a mobile phone. I tried to use my land line for two factor and FB has SMS only. I’m deaf and have an automatic caption phone. FB two factor will not work for me. I’ve written them about it but without a premium account they won’t answer me.

          • I’d love to know why they think we all have cellphones anyway. Some of us care to eat and live in a house.

  3. Leo, this problem first showed up today on your newsletter page: an annoying pop-up on the left edge of the page that gives me a “choice” to share with facebook, twitter, etc. It covers part of the text that I am reading. Is there a way to get rid of it?

    • That sort of a thing on a web page is usually put there by the web designer. I would think that maybe Leo is asking us to help share his page. So I’m going to click it and share the page when I like an article.

    • I will be adjusting the left margin as soon as I can. (I’m on the road.) Connie’s comment is spot on – sharing is one of those things that’s pretty critical to Ask Leo!’s survival. I’ll work to make it less annoying.

    • I was having this problem a while back and it was corrected enough to read the article content by reducing the zoom to no more than 100 %.

  4. I. Kertesz – Answer: I use Firefox as my main browser. I installed an add-on called “No Squint” which makes web page font larger or smaller. Normally I have it set for very large web page font. I had the same problem you did. The pop-up on Leo’s page blocked the wording. I had to use No-Squint to reduce the size of the font since I could not delete the annoying pop-up. Once reduced the font I could then read it.

  5. My wife and I have cell phones through AARP. No text. No internet. Voice only. The company is Consumer Cellular. Two phones – Two people – 600 shared minutes: Total price = $35.00 per month! There should be a way for two-factor authentication to work without the use of smart phones. Some of us are retired and cannot afford smart phones.

    • Most 2 factor authentication sends a normal text message which should work on any cell phone. Some even offer the option of a voice message which would even work on a land line.

    • You might check out TracFone. I’ve had their service since March. Depending on how many minutes you use, you can end up easily with two accounts under $35/month combined, and have access to phone calls, texts and internet. I got this phone:

      LG Optimus Dynamic II – LG39C – Android Prepaid Phone with Triple Minutes (Tracfone)

      and prepaid a year of service at When you check them out, be aware that when you have an ANDROID phone like the LG I gave you the link for above, you get TRIPLE the minutes that are listed on the card you get at Walmart or other stores, or various offers online, and that’s that number of minutes phone call, that number of text messages plus that number of megabytes of data.

      Do check it out. I am still very satisfied, but at 63, I don’t make a lot of phone calls, but I love the texts that Amazon sends me to tell me when packages should be delivered. (And if you add a new card before your “x” days of service runs out, all of your accumulated minutes, texts, and megabytes that you haven’t yet used carried over to the renewal period, plus triple the number that you just added.

      • My first cell phone was a TracFone. It was just for emergencies. When I finally had an emergency there were no minutes left to use. You not only used minutes by using the phone, you lost so many minutes a month by carrying it around in your pocket or in your glove box. I don’t know if they still do it that way now a days.

  6. I. Kertesz… I just noticed that there is a double blue arrow at the bottom of the pop up. Click on those arrows and the popup will disappear.

  7. Hi Leo,
    The two factor authentication has really saved my gmail account recently. One night, I kept receiving the codes for my gmail account (5 times). Then, it stopped. As my wife and daughter sometimes open and read mails, I thought one of them should have opened it. My wife was with me at home, my home computer has not been in use, and my daughter confirmed Not having opened my mail a/c. Obviously, my password has been stolen. I immediately accessed my account and changed the password (tougher). As of today, my account looks safe.

    I wanted to thank Google for it, but it is difficult to find a Mail ID for it.

    • Shanker, click on the gear icon in the upper right then click send feedback. You can thank Google that way. You’ll only get an answer if you have a premium account.

  8. I’m probably not understanding something or just not thinking it all the way through. What if someone STEALS your phone. They now have access to both factors. They have access to your email and your text messages and your phone calls so TFA no longer helps you stay secure, correct? Again, what am I missing? I have a passcode on my phone.

    • Right. If they hack your password, AND steal your phone they can get in. Those are two separate things, however. Given that most hackers are very, very far away from you (typically overseas) the likelihood of them having stolen your phone is next to nothing. 2FA remains incredibly robust.

      • In South Africa there have been cases where hackers, who have obtained a password to a banking account protected by 2FA, have been able to obtain a replacement SIM card linked to the victim’s cell phone (as part of a replacement SIM process). The victim’s cell phone then goes off the air as its SIM has been deactivated, while 2FA text messages go to the new SIM card (which is in the possession of the attackers).

        2FA is better / stronger than single factor authentication but it is still vulnerable to attack.

        In the case of a lost or stolen cell phone a “remote wipe facility” is strongly advisable. There is just too much personal data on them and every app adds to the attack surface available to a hacker.

    • If they steal your phone, it’s not likely that they will have your passwords unless you have them stored unencrypted on your phone.

      • It turns out that the report is based on incorrect information, but it’s a good reminder to keep passwords secure and consider 2FA anyway.

  9. Initially I resisted 2FA mostly because I didn’t understand how it worked. I used to think “if I lose my Android I won’t be able to access my accounts”. Once I made the effort to see how it actually worked I was hooked. I’ve been using 2FA for various accounts/services that support it for a couple of years now and wished I had made the move sooner.

    I also use LastPass for password management and keep a copy of my passwords in a volume encrypted by TrueCrypt. The master passwords for LastPass and TrueCrypt are memorized. I also have a physical copy in a safe place. With respect to my home PC, I never choose the “trust this device” option – I always want that SMS sent to my phone. It can be a pain in the you-know-what but then I consider the alternative – I suffer a break in while I’m away and that PC goes missing.

  10. Banks and credit card companies usually offer the options to send you an email or a voice message, or have you call a number yourself to get the confirmation code. Very helpful for those like me who work from home and don’t have cell signal at home. 2FA that only works with text messages is useless to me most of the time.

      • In Europe, all banks not only offer 2FA, they insist on using it. I wish the US would adopt that policy.

        • I don’t even have a cellphone, I can call the bank and find my information with the automated system or talk to a banker live and I just get my cash out and pay for it directly or purchase the transfer method required.

          No muss and no fuss, no Mr. In-between.

    • That’s true, but it’s my understanding that this disrecommendation of SMS as a second factor is more relevant for governmental agencies and businesses which might be specifically targeted. For the average user, the odds of someone hacking into your SMS communications is next to nil.

  11. My Mobile phone has access to my Google account so I can view my Emails and calendar. I gave it this access a long time ago and I am never asked for re-login details. The phone does require a 4 digit switch-on code

    Now, If my mobile is lost or stolen what is stopping a finder/thief from:
    * browsing to any banks web site and trying the following…
    * entering my email
    * asking to RESET the password
    * receiving the password on the mobile phone
    * using the email & reset password details to log in
    * Receiving the 2FA code by sms
    and accessing my bank accounts.

    ( I refuse to do banking on my mobile, but if I did use banking apps or web browser surely this would make it even easier for a finder/thief?)

    In England from 14 September 2019 banks insist on using 2FA, and “want” to send sms messages to my phone.

    My instinct is that this is all terribly insecure – even with 2FA

    what do you think?

  12. I was on holiday, inexplicably forgot my mobile password – hardly turned off- went to Yahoo. I’m abroad so two step authentication kicks in. Can’t respond because locked out of phone…second option; use alternative email…gmail. Went to gmail. I’m abroad so verify two step authentication on mobile…. CATCH22. Solution. Very, very easily, can’t quite believe it. Got my PUK digitally. Freed up phone and all sorted. Got home undid two step verification. Why bother when you only have to phone the company and without any checks you can get your PUK

  13. Reading the feedback, I see I am only one of many who has had problems with 2FA while travelling abroad. With a local country SIM card in my phone, I couldn’t receive 2FA security codes via SMS or voice call. The issue was getting funds from my bank – a large bank with international branches. After returning to USA, the bank’s response and suggested work-arounds were so bad I have dropped the bank after more than 20 years a customer.

    The solution, my new (mainly online, few branches) bank also will send security codes via email. I can retrieve the code through webmail on my phone, then proceed. Email is probably not as secure as SMS, etc. . . . . but as LEO says, it is better than no 2FA at all.

  14. “Never again on this computer” : this is pure genius, and the first time I’ve read about it. I read tons of articles on 2FA, and have never seen this mentioned once.

    It could be a game-changer for me, because I use a desktop computer and an always-off smartphone. I only use the latter as a pocket computer and an outgoing phone for rare calls. The long boot time and multiple passwords needed to start the phone make it really impractical for me to use cell phone-based 2FA.

    Unless I can use “Never again on this computer”. However, I have never seen this option explained by services offering 2FA. Whether it is because they don’t have it, or because you’re not informed of it until you set up 2FA, I don’t know.

    Other points I feel should be mentioned when recommending 2FA :

    1. Making backups of secrets. Recovery codes are good, but they depend on the service. Not all services might offer them. One can, and should, do one’s own backups by saving the QR code or the relevant character string.

    Am I correct in assuming there’s one secret per service where 2FA is enabled, as opposed to one secret per authentication app ? This is never made clear in 2FA articles.

    2. 2FA by SMS is obsolete and dangerous because of SIM-swapping. SIM-swapping is big in the United States. Notably through corruption of phone company employees, which you can’t prevent. I haven’t heard of it happening in Europe, but you never know. Cases have been found in Africa and Brazil.

    • 1. A new secret is generated each time you pair the app with a service. (And yes, I agree, capturing the QR code is one way to save yourself from losing the device, or allowing more than one device to be used.)

      2) SMS two factor is still better than no two-factor at all.

  15. Hmm. Just a thought. 2FA by SMS creates metadata where there previously was no metadata. Eavesdropping on a mobile phone these days is extremely easy. You don’t even have to get your hands on the phone in question. I’m beginning to wonder if we are lured in to an extremely effective eavesdropping society under the pretext of improving security, when we in fact are doing the opposite??

    • I think the whole issue of SMS hacking in relation to multi factor authentication is overblown. For someone to catch a text message with a 2FA recovery code, the hacker would need to be in proximity to the phone and know that an account recovery code is being sent to that phone. It’s probably just as statistically infeasible as cracking a long password by brute force.

  16. I’ve been a Yubikey user for about six months now and love it (once configured, which is *not* straightforward). I did come across an issue lately with physical 2FA methods like this: tablets and phones. For example, my Samsung Tab 4 tablet only has a micro USB port. Using an adapter, it does not acknowledge the Yubikey, making it impossible for me to sign into Gmail (creating an app password doesn’t help with 2FA enabled — tried it). An important FYI to others that I stumbled across.

    • My solution is to make sure you have additional 2FA methods also enabled. Generally GMail offers alternatives if you can’t use one. I’ve had the YubiKey experience myself, but I could fall back to the Google Authenticator method, because I also had that configured.

  17. I had 2FA set up with PayPal and my Jitterbug[tm] flip-phone. Worked just dandy for a long time. I’d login with E-Mail and passphrase, they’d text me a 6-digit code which I then fed back to them, and I’d be in.

    Until, all of a sudden, PayPal either wasn’t sending the 6-digit codes any more, or else I wasn’t getting them for some reason. For over A MONTH, I was locked out of my PayPal account!!!

    I was actually in the process of upgrading my flip-phone to a more advanced model, in the hope that that would solve the problem, when I decided to try with my old phone (the new one hadn’t arrived yet) one more time. As stupid as that sounds, it actually worked! Finally — I got their 6-digit code! I was in!!! Phew!!!

    Very first thing I did — you guessed it! — was to very hastily turn OFF 2FA. “Not quite ready for prime time,” I said to myself with some regret. But really, I can’t afford to be locked out of my account like that!

    But as I did this and logged off, something caught the tail of my eye. (“What did that say…? “)

    So I logged back in (2FA -free) and took a closer look. What’s this about an “Authenticator App”…?

    Long story short (yeah, I know — too late!), I ended up getting LastPass Authenticator (which, although it’s a tad glitchy on my year 2016, 6th generation, Amazon Kindle Fire HD8, nevertheless seems to work just fine operationally) and I now have 2FA enabled again!

    I’m considering switching to Google Authenticator some time in the future — but for right now, I’m just going to leave things as they are and just relax, and savor the relief.

    • I might recommend Authy as it makes it easy to have more than one two-factor device, and backups, in case you lose your phone. Also, set up multiple two-factor methods with the accounts (like Paypal). Though they should have had a way to get in to your account without it (usually with confirmation email, recovery code or whatnot). I will say that while Paypal was one of the first on the two-factor scene, they have consistently been the least reliable, at least for me.

      • UPDATE:

        I’ve switched over to Google Authenticator v5.00, but I see no option for creating a list of codes in advance (which Leo mentioned as a backup in case you lose the Authenticator).

        It’s still worth it, because when the LastPass Authenticator was first started, it very annoyingly popped up a notice (twice!) insisting that it requires access to Google Play in order to run (and then proceeds to run just fine without it!).

        While you’d think that Google Authenticator, being a Google product, would have that same flaw, this is not the case: works perfectly fine without any complaints at all!

        BUT, I’m thinking of switching again, this time to Verisign’s VIP Access. The newest version doesn’t work on my Fire, but I’ve found an earlier version that does; it’s drop-dead simple to use, and I really like its interface! My only worry is that this earlier version might be “out-of-date” in the sense of having been found to possess some vulnerability, and therefore no longer being recognized or accepted by online services.

        I guess I’ll just have to wait and see…

  18. Leo:

    “Though they should have had a way to get in to your account without it (usually with confirmation email, recovery code or whatnot).”

    In point of fact, they did indeed have such fallbacks — for my passphrase. They did NOT work for the “two-factor.” I actually tried them and ended up with a brand-spanking-new passphrase (which I didn’t need!), but my SMS two-factor wasn’t affected at all. Why do you think it took me a month to get in?!?

    • To be clear, providers should have a contingency plan for a lost second factor. In fact I’m not aware of one that does not. You may have to set it up in advance (like traditional recovery emails, one time codes, or others). None involve getting a new password/passphrase.

  19. My bank has moved to 3 factor authentication. First I enter the username and password on the website. Then to get in they send a TAN (Transaction Authentication Number, a one-time password) to my phone app. The third factor is entering the app password to see the TAN. To make a transaction, I have to enter the app password again to receive a second TAN. I’m so glad I have a password reader on my phone, otherwise I’d have to type in a lot of passwords and PINs.
