2. Two-Factor Authentication

Two-factor authentication (often shortened to 2FA) or Multi-Factor Authentication (MFA) provides a way of ‘double-checking’ that you really are the person you are claiming to be when you’re using online services, such as banking, email or social media. It is available on most of the major online services. 

When setting up 2FA, the service will ask you to provide a ‘second factor’, which is something that you (and only you) can access. This could be a code sent to you by text message or created by an app.

Why should I use 2FA?

Passwords can be stolen by cyber criminals – perhaps through a data breach (as above). Accounts that have been set up to use 2FA will require an extra check. Even if a criminal knows your password, they won’t be able to access your accounts.

The NCSC recommends that you set up 2FA on your ‘important’ accounts; these will typically be the ‘high value’ accounts that protect things that you really care about, and would cause the most harm to you if the passwords to access these accounts were stolen. You MUST also use it for your key personal email account, as criminals with access to your inbox can use it to reset passwords on your other accounts.

How do I set up 2FA?

The website Turn On 2FA contains up-to-date instructions on how to set up 2FA across popular online services such as Gmail, Facebook, Twitter, LinkedIn, Outlook and iTunes.



What are the different ‘types’ of 2FA?

When 2FA is switched on, you’ll be asked to provide a second factor in order to access your account. There are several types of second factor available:

Do I have to use 2FA every time I access a service?

No. Once set up, you are often only be asked for it when you’re doing something where it would really matter if it was a cyber-criminal, rather than you. These are usually things like setting up a new payee for your bank account, logging into an account from a new device, or changing your password. Look for the ‘remember me’ option if you don’t share devices.

What if 2FA isn’t available?

The NCSC would like to see 2FA offered on all services which might hold your personal data, spend your money, or play another important role in your life. If 2FA is not available on one of your important accounts, like email, you should at least ensure that it has a strong unique password. You may even want to consider changing services to one that does offer two-factor authentication.


More Information