Two-factor authentication (or “2FA”) is a way for a user to prove their identity to a service provider by combining two different authentication methods. These may be something the user knows (like a password or PIN), something the user possesses (like a keyfob or mobile phone), or something attached to or inseparable from the user (like a fingerprint).
You probably already use two-factor authentication in other parts of your life. When you use an ATM to withdraw cash, you must have both your physical bankcard (something you possess) and your PIN code (something that you know). Right now, however, many online services only use one factor to identify their users by default—a password.
How does 2FA work online?
In the past few years, several online services—including Facebook, Google, and Twitter—have offered 2FA as an alternative to password-only authentication. Once this feature is enabled, users will be prompted both for their password and a secondary method of authentication, typically either a one-time code sent by SMS or a one-time code generated by a dedicated mobile app that stores a secret and derives a fresh code from that secret and the current time (such as Google Authenticator, Duo Mobile, the Facebook app, or Clef). In either case, the second factor is the user's mobile phone, something they (normally) possess. Some websites (including Google) also support backup codes which can be downloaded and printed on paper as an additional backup. Once a user has opted in to using 2FA, they will need to enter their password and a one-time code from their phone to access their account.
Why should I enable 2FA?
2FA offers you greater account security by requiring you to authenticate your identity by more than one method. This means that, even if someone were to get hold of your primary password, they could not access your account unless they also had your mobile phone, or another secondary means of authentication.
Are there downsides to using 2FA?
Although 2FA offers a more secure means of authentication, there is an increased risk that users will be left unable to access their accounts, for example if they misplace or lose their phone, change their SIM card, or travel to a country without turning on roaming.
Many 2FA services provide a short list of “backup” or “recovery” codes—codes that work in place of your phone to unlock your account (on most services each code can be used only once). If you are worried about losing access to your phone or other authentication device, you should print out these codes and carry them with you. They'll still work as “something you have,” as long as you only make one copy and keep it close. Remember to be extremely careful to keep the codes secure and ensure that no one else sees them or has access to them at any time.
Another problem with 2FA systems that use SMS messages is that SMS messaging isn't that secure. It's possible for a sophisticated attacker (such as an intelligence agency or an organized crime operation) who has access to the phone network to intercept and use the codes that are sent by SMS. There have also been cases where a less sophisticated attacker (such as an individual) has managed to have calls or text messages intended for one number forwarded to his or her own, or accessed telephone company services that show text messages sent to a phone number without needing to have the phone.
If you're worried about this level of attack, turn off SMS authentication, and only use authenticator apps like Google Authenticator or Authy. Unfortunately this feature is not available with every 2FA-enabled service.
In addition, 2FA may mean handing over more information to a service than you are comfortable with. Suppose you’re a Twitter user, and you’ve signed up using a pseudonym. Even if you scrupulously avoid giving Twitter your identifying information, and even if you access the service only over Tor or a VPN, if you enable SMS 2FA, Twitter will necessarily have a record of your mobile number. That means that, if compelled by a court, Twitter will be able to link your account to you via your phone number. This may not be a problem for you, especially if you already use your legal name on a given service, but if maintaining your anonymity is important, you may want to think twice about using SMS 2FA.
Finally, research has shown that some users will choose weaker passwords after enabling 2FA, feeling that the second factor is keeping them secure. Make sure to still choose a strong password even after enabling 2FA.
How do I enable 2FA?
This differs from platform to platform, as does the terminology used. Facebook calls the process “login approvals,” Twitter calls it “login verification,” and Google calls it “2-step verification.” To enable 2FA on most platforms, you will only need a mobile phone capable of receiving SMSes.
An extensive list of sites supporting 2FA is available at https://twofactorauth.org/. If you want better protection against stolen passwords, you should go through this list, and turn on 2FA for all of the important web accounts you rely on.