Use two-factor authentication
Updated28 March 2024
Table of Contents
...Loading Table of Contents...Two-factor authentication (2FA), also called multi-factor authentication (MFA), adds a second factor of authentication to your login system, so that if you want to log into an account you need something that you know (the password or passphrase) and something that you own (for example a hardware device, an app generating one-time codes or a phone to receive SMS messages or confirm your log-in).
By using 2FA, you can make sure that even if someone manages to guess your password, they cannot log in because they still need a second factor, which is harder to get as it is only valid once and is either generated by a physical device owned by you or sent to you in the exact moment you need it.
Learn how to set up two-factor authentication
- To check which services offer 2FA and find links to instructions hosted by each service on how to enable 2FA, see the 2FA Directory website.
- It is crucial to set up 2FA for:
- your bank accounts or money apps,
- accounts like your email address, social media, file storage, any accounts with sensitive or private information and accounts you would need in order to recover access to any other account.
Use an authenticator app or a hardware device
Your two-factor authentication options may include:
- Using an authenticator app or program.
- Using a hardware device - often called a security token, dongle, USB "key" or FIDO U2F key (Fast IDentity Online Universal 2nd Factor) - which you can plug into your computer or phone or set up to use for wireless communication, e.g. with NFC (near-field communication).
- Some examples are Yubikey, Nitrokey, Google Titan Key and Thetis Key.
- Note that some hardware devices may not be usable on mobile devices. Before you purchase a hardware device, check if it can connect to your phone or computer.
Choose the 2FA method that works best for you
- You can use one authenticator app or hardware device for multiple services, or set up different services with different forms of 2FA for additional protection.
- While authenticator apps and hardware devices do not require any kind of connection to generate codes, other methods will require connection to the mobile network (SMSs for 2FA) or to the internet (email for 2FA).
- Ranking 2FA options in order of safety: an authenticator app or hardware device is safest, then email, then SMS. Also SMS may not reach you if you are in another country or without coverage.
- We do not recommend using SMS text messages for 2FA since they are not encrypted and there have been cases of attackers successfully intercepting them on their way.
- Do not disable two-factor authentication once you have set it up. Some services may offer you the option to turn it off for a while for convenience, but consider the impact this might have on your security.
Learn why we recommend this
When it comes to logins, it is safer to have multiple layers of protection. If the first layer of protection is breached, you can rely on the second to protect your digital assets. Multifactor or two-factor authentication (MFA or 2FA) using another device or email provides this extra protection layer. Though many people find them convenient, text messages (also known as SMS) are the least secure option for 2FA.
You may think that 2FA adds complexity to your login process, but remember: what's mildly inconvenient for you makes it much harder for others to access your account without your permission. Having your accounts stolen, hijacked, or monitored by malicious people would be a far bigger problem for you in the long run.
Keep 2FA backup codes safe and separate
When you activate 2FA for a service, it is very important to make sure that you can rely on a backup 2FA method so that if you lose the device you are using for 2FA you can still log into your account with another method.
In most cases the backup 2FA method consists in a series of 2FA codes you can download and store in a safe place. If backup 2FA codes are not provided automatically, look for a way to manually generate them. If this is not possible, try enabling an alternative 2FA method - for example you can add a hardware device if you already registered an authenticator app, or take a screenshot of the QR code you have scanned when setting up your authenticator app and make a secure backup of it.
- If you are given backup codes when you set up 2FA, store these codes in a password manager.
- Learn how to add information or store a file with an entry in KeePassXC in the KeePassXC user guide.
- Learn how to add an attachment to an entry in KeePassDX in the KeePassDX documentation.
- Learn how to add an attachment to an entry in Strongbox in the Strongbox documentation.
- Ideally, to keep these codes separate from other information that could be used to access your accounts, create a separate database with your password manager and save it on another device.
Learn why we recommend this
Most online services will give you a list of backup codes when you first enable two-factor authentication for your account. These codes are your way back into your account if you lose access to the device you are using for 2FA. The codes never expire. It is important to keep the backup codes safe, as anyone who has your password can access your account using any of these codes.