Why Does Everyone Keep Telling Me to Use Two-Factor Authentication?

Or: why one lock isn't always enough. Your password is the key to your front door — here's why so many services now ask you to add a second lock.

If you've created an online account in the past few years, you've probably seen a message like this:

"Protect your account by enabling Two-Factor Authentication."

Sometimes it's called 2FA.

Sometimes it's called Multi-Factor Authentication, or MFA.

Whatever the name, it's often presented as something you should absolutely turn on.

But why?

Wasn't the password supposed to be the security?

The short answer is:

It still is.

The problem is that passwords aren't nearly as secret as we'd like to believe.


"Isn't My Password Enough?"

Sometimes.

Often, it isn't.

Think of your password as the key to your front door.

If nobody else has a copy of that key, you're in good shape.

But what happens if someone makes a copy without your knowledge?

The lock still works perfectly.

The problem isn't the lock.

It's that someone else now has a key.

That's exactly what happens when passwords are stolen.


How Do Passwords Get Stolen?

Contrary to what movies suggest, hackers rarely sit in dark rooms randomly guessing passwords.

Most stolen passwords come from much simpler situations.

For example:

  • A website suffers a data breach.
  • Someone reuses the same password on multiple sites.
  • A phishing email tricks someone into typing it.
  • Malware captures it.
  • Someone simply guesses an easy password.

None of those require breaking into your computer like an action movie.

Sometimes people accidentally hand over the key.


So What Is Two-Factor Authentication?

Two-Factor Authentication simply asks for two different ways to prove you're really you.

Usually that means:

Something you know

Your password.

And...

Something you have

Like your phone.

Even if someone steals your password, they probably don't also have your phone sitting in their pocket.

That second step makes a tremendous difference.


Everyday Examples

Think about using an ATM.

Your debit card alone isn't enough.

Your PIN alone isn't enough.

You need both.

The card is one factor.

The PIN is another.

Modern online accounts work the same way.


"What Counts As A Second Factor?"

Several things.

Text Messages

A six-digit code is sent to your phone.

Easy to use.

Better than nothing.

Not the strongest option.


Authenticator Apps

Apps generate a new code every 30 seconds.

Examples include:

  • Microsoft Authenticator
  • Google Authenticator
  • Authy

These are generally more secure than text messages.


Push Notifications

Your phone simply asks:

"Is this you?"

You tap Approve or Deny.

Simple.

Fast.

Very common today.


Security Keys

Small USB or NFC devices that prove you're physically present.

These are among the strongest forms of authentication available.

Most people won't need one.

But they're common in businesses and high-security environments.


"Won't This Slow Me Down?"

A little.

Usually by about ten seconds.

Think of it this way.

Locking your front door also slows you down.

You have to stop.

Take out your key.

Unlock the door.

Most people gladly accept those extra few seconds because of what they gain in return.

Two-Factor Authentication works the same way.

A tiny inconvenience.

A massive increase in security.


What If I Lose My Phone?

An excellent question.

This is why many services provide:

  • Backup codes
  • Recovery methods
  • Multiple authentication devices

If you're enabling Two-Factor Authentication, save your recovery information somewhere safe.

Future You will appreciate it.


Is Two-Factor Authentication Perfect?

No security measure is.

A determined attacker can still attempt:

  • Phishing attacks
  • Social engineering
  • Malware
  • SIM-swapping in some cases

But Two-Factor Authentication dramatically raises the difficulty.

Most criminals don't want difficult.

They want easy.

Good security isn't about becoming impossible to attack.

It's about becoming a much less attractive target.


The Bard's Take

Passwords used to be enough.

The internet was smaller.

Online accounts were fewer.

People had less of their lives stored digitally.

Today, our email accounts unlock bank accounts.

Our bank accounts unlock our finances.

Our cloud accounts hold our memories.

Our shopping accounts know our addresses.

One password protecting all of that simply isn't enough anymore.

Two-Factor Authentication doesn't eliminate every risk.

It adds another lock to the door.

And sometimes, one extra lock is all it takes to convince a thief to move on to an easier target.